Overview

The Adobe Admin Console allows a system administrator to configure domains which are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain is demonstrated using a DNS token, the domain can be configured to allow users to log in to Creative Cloud. Users can log in using email addresses within that domain via an Identity Provider (IdP). The IdP runs either as a software service within the company network that is reachable from the Internet, or as a cloud service hosted by a third party; in both cases it verifies user login details over a secure channel using the SAML protocol.

One such IdP is Microsoft Active Directory Federation Services, or AD FS. To use AD FS, a server must be configured which is accessible from the workstations on which users will be logging in, and which has access to the directory service within the corporate network. This document describes the steps necessary to configure the Adobe Admin Console and a Microsoft AD FS server so that users can log in to Adobe Creative Cloud applications and associated websites using Single Sign-On.

The IdP does not have to be accessible from outside the corporate network, but if it is not, only workstations within the network (or connected via VPN) will be able to perform authentication to activate a license or sign in after deactivating their session.

Prerequisites

Before configuring a domain for single sign-on using Microsoft AD FS, the following requirements must be met:

  • An approved directory on your Adobe Admin Console set for Federated ID either awaiting configuration, or previously configured for another IdP
  • The relevant domain has been claimed within your federated directory
  • A Microsoft Windows Server installed with Microsoft AD FS and the latest operating system updates.
  • The server must be accessible from users' workstations (for example, via HTTPS)
  • Security certificate obtained from the AD FS server
  • All Active Directory accounts to be associated with a Creative Cloud for Enterprise account must have an email address listed within Active Directory.

Setting up a directory and claiming a domain within it on your Admin Console are both described on the page Set up identity. Once added, a directory can be configured for single sign-on before a domain is claimed, but in order to create Federated ID users, you must claim the domain name in which they exist.

The name of the directory is arbitrary, but the domain linked to your directory must fully match the part of the e-mail address after the '@' symbol. If you wish to also use subdomains, they must be claimed separately.

Note:

Instructions and screenshots in this document are for AD FS version 3.0, but the same menus are present in AD FS 2.0.

Download the Token-Signing Certificate

  1. Open the AD FS Management application on your server, and within the folder AD FS -> Service -> Certificates, select the Token Signing certificate. To open the certificate properties window, click View Certificate.

    [Screenshot: Token-signing certificate in AD FS Management]
  2. From the Details tab, click Copy to File and use the wizard to save the certificate as Base-64 encoded X.509 (.CER). This format is equivalent to a PEM format certificate.

    [Screenshot: Certificate Export Wizard]

Configure your Directory on the Adobe Admin Console

To configure single sign-on for your directory, enter the required information in your Adobe Admin Console and download the metadata for configuring your Microsoft AD FS server.

  1. Sign in to your Admin Console and navigate to Settings > Identity.

  2. Go to the Directories tab.

  3. Click Configure next to the directory that you want to configure.

    [Screenshot: Configure directory]
  4. Upload the certificate that you saved from your Microsoft AD FS server.

  5. Select HTTP - Redirect as the IdP binding.

  6. Select Email as the User login setting.

  7. On your AD FS server in the AD FS Management application, select the entry at the top of the tree, AD FS, and click Edit Federation Service Properties. On the General tab of the pop-up window, copy the Federation Service Identifier.

    For example: http://adfs.example.com/adfs/services/trust

    [Screenshot: Federation Service Properties]
  8. Paste the Federation Service Identifier which you have just copied into your Adobe Admin Console in the IdP Issuer field.

    Note:

    The IdP Issuer field is used to identify the server, and is not a URL which is accessed by users when connecting to the server. For security reasons, your AD FS server should only be accessible via HTTPS, not via insecure HTTP.

  9. Obtain the hostname of your IdP server (this is often the same as the Federation Service name), prepend the protocol https:// and append the path /adfs/ls to construct the IdP login URL.

    For example: https://adfs.example.com/adfs/ls/

  10. Enter the IdP login URL on your Adobe Admin Console.

  11. Click Save.

    [Screenshot: Admin Console - configure directory for AD FS]
  12. To save the SAML XML Metadata file on your computer, click Download Metadata. This file will be used to configure a relying party trust on your AD FS server in the remainder of this document.

  13. Tick the box to show that you understand the need to complete the configuration with your identity provider. This will be done in the next steps on your AD FS server.

    [Screenshot: Configure directory and download metadata]
  14. Copy the XML metadata file to your AD FS server in order to be able to import it into the AD FS Management application.

  15. Click Complete to finish configuration of your directory.
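The three values the Admin Console asks for in this section (the token-signing certificate from the previous section, the Federation Service Identifier from step 7, and the IdP login URL from step 9) can all be read from the AD FS server itself rather than copied by hand. The following PowerShell is an added example and not Adobe's or Microsoft's own script; it assumes the ADFS module that ships with the AD FS role is available, that it runs in an elevated session on the AD FS server, and that the output folder C:\temp exists (change $OutDir to suit).

```powershell
# Added example: collect the AD FS-side values needed by the Adobe Admin Console.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$OutDir = 'C:\temp'   # assumption: existing folder to receive the exported certificate

# 1. Token-signing certificate, exported as Base-64 X.509 (equivalent to PEM).
#    Only the primary certificate is the one AD FS currently signs assertions with.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem     = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`n-----END CERTIFICATE-----"
$certPath = Join-Path $OutDir 'adfs-token-signing.cer'
Set-Content -Path $certPath -Value $pem -Encoding Ascii

# Sanity check: the file you are about to upload must match the certificate AD FS reports.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
if ($reloaded.Thumbprint -ne $signing.Certificate.Thumbprint) {
    throw 'Exported certificate does not match the primary token-signing certificate'
}

# 2. Federation Service Identifier -> the "IdP Issuer" field (step 8).
$props  = Get-AdfsProperties
$issuer = $props.Identifier.AbsoluteUri

# 3. IdP login URL: https:// + Federation Service name + /adfs/ls/ (step 9).
$loginUrl = 'https://{0}/adfs/ls/' -f $props.HostName

# Print everything needed for the Admin Console form, plus the certificate expiry,
# because the whole procedure has to be repeated when the token-signing certificate rolls over.
[pscustomobject]@{
    IdpIssuer       = $issuer
    IdpLoginUrl     = $loginUrl
    CertificateFile = $certPath
    CertThumbprint  = $signing.Certificate.Thumbprint
    CertExpires     = $signing.Certificate.NotAfter
}
```

The thumbprint comparison guards against uploading a stale .CER from an earlier export; the CertExpires value is worth noting down, since an expired or rolled-over token-signing certificate is the most common reason a previously working federation stops accepting logins.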

Add one or more domains to your directory

  1. On your Adobe Admin Console, navigate to Settings > Identity.

  2. In the Domains tab, click Add Domains.

  3. In the Enter Domains screen, enter a list of up to 15 domains, and click Add Domains.

  4. In the Add Domains screen, verify the list of domains and click Add Domains.

  5. Your domains are now added to the Admin Console. However, you still have to demonstrate ownership of these domains.

  6. On the Domains page, click validate domain against any domain which requires validation.

  7. Copy the DNS token by clicking copy record value, and in your DNS configuration add a TXT record containing this token to the settings of each domain which you have added, in order to validate them.

    This token will be the same for all domains added within your Adobe Admin Console, so it can be reused for other domains added at a later stage.

    The token does not need to remain in place once a domain has been validated.

    [Screenshot: Validate domain ownership]
  8. You can check if a TXT record has propagated to other DNS servers online using a website such as MXToolbox, or from the command line using the command nslookup on a Windows, Linux or Mac OS system as follows:

    $ nslookup
    > set TYPE=TXT
    > example.com
    [..]
    example.com     text = "adobe-idp-site-verification=36092476-3439-42b7-a3d0-8ba9c9c38a6d"

  9. In the Validate Domain Ownership screen, click Validate Now.

    If the DNS token is correctly detected as a TXT record against the domain, it will be validated and you can begin using it straight away. Domains which do not validate initially are rechecked in the background periodically, and will become validated once the DNS token is detected.
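The nslookup check in step 8 can be scripted so that every added domain is checked against a public resolver before clicking Validate Now. The following PowerShell is an added example, not part of the Adobe page; it assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) is available. The domain list is a constructed sample and the token is the sample value from the nslookup output above; replace both with the values from your own Admin Console.

```powershell
# Added example: confirm the adobe-idp-site-verification TXT record is publicly visible.
$Token   = '36092476-3439-42b7-a3d0-8ba9c9c38a6d'   # sample token from the nslookup output above
$Domains = @('example.com', 'sub.example.com')      # constructed sample: every domain you added
$Server  = '8.8.8.8'   # ask a public resolver, not the internal DNS, to see what Adobe will see

$expected = "adobe-idp-site-verification=$Token"

foreach ($d in $Domains) {
    try {
        $txt = Resolve-DnsName -Name $d -Type TXT -Server $Server -ErrorAction Stop |
               Where-Object { $_.Type -eq 'TXT' }
    } catch {
        Write-Warning "$d : TXT lookup failed ($($_.Exception.Message))"
        continue
    }
    # A TXT record may be returned as several strings; join them before comparing.
    $values = @($txt | ForEach-Object { $_.Strings -join '' })
    if ($values -contains $expected) {
        Write-Output "$d : verification record present"
    } else {
        Write-Warning "$d : verification record NOT found. TXT values seen: $($values -join ' | ')"
    }
}
```

Querying an external resolver matters because a record that is only present on the internal DNS (split-horizon setups) will pass a local nslookup yet never be seen by Adobe's validator.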

Configure the AD FS server

To configure SAML integration with AD FS, perform the following steps:

Caution:

All subsequent steps must be repeated after any change to the values in the Adobe Admin Console for a given domain.

  1. Navigate within the AD FS Management application to AD FS -> Trust Relationships -> Relying Party Trusts and click Add Relying Party Trust to start the wizard.

  2. Click Start and select Import data from a relying party from a file, then browse to the location to which you copied the metadata from your Adobe Admin Console.

    [Screenshot: Import metadata]
  3. Name your relying party trust and enter any additional notes as required.

    Click Next.

    [Screenshot: Name relying party trust]
  4. Determine if multi-factor authentication is required and select the relevant option.

    Click Next.

  5. Determine whether all users will be permitted to log on via AD FS or be denied access.

    Click Next.

  6. Review your settings.

    Click Next.

  7. Your relying party trust has been added.

    Leave the option ticked to open the Edit Claim Rules dialog to quickly access the next steps.

    Click Close.

  8. If the Edit Claim Rules wizard has not opened automatically, you can access it from the AD FS Management application under AD FS -> Trust Relationships -> Relying Party Trusts, by selecting your Adobe SSO relying party trust and clicking Edit Claim Rules... on the right-hand-side.

  9. Click Add rule and configure a rule using the template Send LDAP attributes as Claims for your attribute store, mapping the LDAP Attribute E-Mail-Addresses to Outgoing Claim Type E-Mail Address.

    [Screenshot: Add transform claim rule]
    [Screenshot: Map LDAP attributes to outgoing claim types]

    Note:

    As shown in the above screenshot, we suggest using e-mail address as the primary identifier. The use of the User Principal Name (UPN) field as the LDAP attribute sent in an assertion as the e-mail address is not recommended. Whilst it is possible to use UPN as the LDAP attribute, this is not an officially supported configuration, and you do so at your own risk.

    Often the UPN does not map to an e-mail address, and will in many cases be different. This will most likely cause problems for notifications and sharing of assets within Creative Cloud.

  10. Click Finish to complete adding the transform claim rule.

  11. Again, using the Edit Claim Rules wizard, add a rule using the template Transform an incoming claim to convert Incoming claims of type E-Mail Address with Outgoing Claim Type Name ID and Outgoing Name ID Format as Email, passing through all claim values.

    [Screenshot: Transform an incoming claim]
    [Screenshot: Transform incoming claim settings]
  12. Click Finish to complete adding the transform claim rule.

  13. Using the Edit Claim Rules wizard, add a rule using the template Send Claims Using a Custom Rule containing the following rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

    [Screenshot: Add custom rule]
    [Screenshot: Custom claim rule]
  14. Click Finish to complete the custom rule wizard.

  15. Click OK on the Edit Claim Rules dialog to complete adding these three rules to your relying party trust.

    [Screenshot: Edit Claim Rules]

    Note:

    The order of the claim rules is important; they should appear as shown here.

  16. Ensure your new Relying Party Trust is selected, and click Properties on the right-hand side of the window. Select the Advanced tab, and ensure that the Secure hash algorithm is set to SHA-1.

    [Screenshot: Relying Party Trust properties, Advanced tab]
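Steps 1 to 16 above can be reproduced with the ADFS PowerShell module, which is useful when the same trust has to be rebuilt after a change in the Admin Console (see the Caution above) or when several AD FS farms need an identical configuration. The script below is an added example, not Adobe's or Microsoft's own code; it assumes the metadata file downloaded from the Admin Console was copied to C:\temp\metadata.xml, that the trust name "Adobe SSO" is not already in use, and that it runs in an elevated session on the AD FS server. The three claim rules are written in the AD FS claim rule language exactly as the wizard templates in steps 9, 11 and 13 generate them, in the order the Note above requires; the NotBeforeSkew of 2 minutes is the value recommended in the Test Single Sign-on section below.

```powershell
# Added example: create the Adobe relying party trust from the Admin Console metadata
# and attach the three claim rules in the required order.
Import-Module ADFS

$MetadataFile = 'C:\temp\metadata.xml'   # assumption: metadata copied here (step 14 of the directory setup)
$TrustName    = 'Adobe SSO'              # assumption: display name for the trust

# Rule 1 - "Send LDAP Attributes as Claims": E-Mail-Addresses -> E-Mail Address (step 9).
# Rule 2 - "Transform an Incoming Claim": E-Mail Address -> Name ID, format Email (step 11).
# Rule 3 - "Send Claims Using a Custom Rule": Email, FirstName and LastName (step 13).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "Adobe Email, FirstName, LastName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Wizard step 5: permit all users to sign in through this trust.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$params = @{
    Name                       = $TrustName
    MetadataFile               = $MetadataFile              # wizard step 2: import from file
    IssuanceTransformRules     = $transformRules
    IssuanceAuthorizationRules = $authzRules
    SignatureAlgorithm         = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'   # step 16: SHA-1
    NotBeforeSkew              = 2                          # two-minute clock skew (Test section)
}
Add-AdfsRelyingPartyTrust @params

# Verify what AD FS stored: identifiers and endpoint come from the metadata,
# and the rules must appear in the order listed above.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
$rp | Select-Object Name, Identifier, SignatureAlgorithm, NotBeforeSkew, Enabled
$rp.IssuanceTransformRules
```

To refresh an existing trust after the Admin Console values change, use Set-AdfsRelyingPartyTrust -TargetName $TrustName with the same -IssuanceTransformRules and -SignatureAlgorithm parameters instead of Add-AdfsRelyingPartyTrust; the output of Get-AdfsRelyingPartyTrust is the quickest way to confirm that the rule order and hash algorithm match steps 15 and 16 before testing a login.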

Test Single Sign-on

Create a test user in Active Directory. Create an entry on the Admin Console for this user and assign it a license. Then test logging in to Adobe.com to confirm that the relevant software is listed for download.

You can also test by logging in to Creative Cloud Desktop and from within an application such as Photoshop or Illustrator.

If you encounter problems, please see our troubleshooting document.

To avoid connectivity problems between systems where the clock differs by a small amount, set the default time skew to 2 minutes. For more information on time-skew, see the troubleshooting errors document.

If you still require assistance with your single sign-on configuration, navigate to Support in the Adobe Admin console, and open a ticket.
