User Guide Cancel

Configure Microsoft AD FS for use with Adobe SSO

  1. Adobe Enterprise & Teams: Administration guide
  2. Plan your deployment
    1. Basic concepts
      1. Licensing
      2. Identity
      3. User management
      4. App deployment
      5. Admin Console overview
      6. Admin roles
    2. Deployment Guides
      1. Named User deployment guide
      2. SDL deployment guide
      3. Deploy Adobe Acrobat 
    3. Deploy Creative Cloud for education
      1. Deployment guide
      2. Enable Adobe Express in Google Classroom
      3. Integration with Canvas LMS
      4. Integration with Blackboard Learn
      5. Configuring SSO for District Portals and LMSs
      6. Add users through Roster Sync
      7. Kivuto FAQ
      8. Primary and Secondary institution eligibility guidelines
  3. Set up your organization
    1. Identity types | Overview
    2. Set up identity | Overview
    3. Set up organization with Enterprise ID
    4. Setup Azure AD federation and sync
      1. Set up SSO with Microsoft via Azure OIDC
      2. Add Azure Sync to your directory
      3. Azure Connector FAQ
    5. Set up Google Federation and sync
      1. Set up SSO with Google Federation
      2. Add Google Sync to your directory
      3. Google federation FAQ
    6. Set up organization with Microsoft ADFS
    7. Set up organization for District Portals and LMS
    8. Set up organization with other Identity providers
      1. Create a directory
      2. Verify ownership of a domain
      3. Add domains to directories
    9. SSO common questions and troubleshooting
      1. SSO Common questions
      2. SSO Troubleshooting
      3. Education common questions
  4. Manage your organization setup
    1. Manage existing domains and directories
    2. Set up organization via directory trust
    3. Migrate to a new authentication provider 
    4. Asset settings
    5. Authentication settings
    6. Privacy and security contacts
    7. Console settings
    8. Manage encryption  
  5. Manage products and entitlements
    1. Manage users
      1. Overview
      2. Administrative roles
      3. User management techniques
        1. Manage users individually   
        2. Manage multiple users (Bulk CSV)
        3. User Sync tool (UST)
        4. Microsoft Azure Sync
        5. Google Federation Sync
      4. Change user's identity type
      5. Manage user groups
      6. Manage directory users
      7. Manage developers
      8. Migrate existing users to the Adobe Admin Console
      9. Migrate user management to the Adobe Admin Console
    2. Manage products and product profiles
      1. Manage products
      2. Manage product profiles for enterprise users
      3. Manage self-service policies
      4. Manage app integrations
      5. Manage product permissions in the Admin Console  
      6. Enable/disable services for a product profile
      7. Single App | Creative Cloud for enterprise
      8. Optional services
    3. Manage Shared Device licenses
      1. What's new
      2. Deployment guide
      3. Create packages
      4. Recover licenses
      5. Migrate from Device Licensing
      6. Manage profiles
      7. Licensing toolkit
      8. Shared Device Licensing FAQ
  6. Manage storage and assets
    1. Storage
      1. Manage enterprise storage
      2. Adobe Creative Cloud: Update to storage
      3. Manage Adobe storage
    2. Asset migration
      1. Automated Asset Migration
      2. Automated Asset Migration FAQ  
      3. Manage transferred assets
    3. Reclaim assets from a user
    4. Student asset migration | EDU only
      1. Automatic student asset migration
      2. Migrate your assets
  7. Manage services
    1. Adobe Stock
      1. Adobe Stock credit packs for teams
      2. Adobe Stock for enterprise
      3. Use Adobe Stock for enterprise
      4. Adobe Stock License Approval
    2. Custom fonts
    3. Adobe Asset Link
      1. Overview
      2. Create user group
      3. Configure Adobe Experience Manager Assets
      4. Configure and install Adobe Asset Link
      5. Manage assets
      6. Adobe Asset Link for XD
    4. Adobe Acrobat Sign
      1. Set up Adobe Acrobat Sign for enterprise or teams
      2. Adobe Acrobat Sign - Team feature Administrator
      3. Manage Adobe Acrobat Sign on the Admin Console
    5. Creative Cloud for enterprise - free membership
      1. Overview
      2. Getting started
  8. Deploy apps and updates
    1. Overview
      1. Deploy and deliver apps and updates
      2. Plan to deploy
      3. Prepare to deploy
    2. Create packages
      1. Package apps via the Admin Console
      2. Create Named User Licensing Packages
      3. Adobe templates for packages
      4. Manage packages
      5. Manage device licenses
      6. Serial number licensing
    3. Customize packages
      1. Customize the Creative Cloud desktop app
      2. Include extensions in your package
    4. Deploy Packages 
      1. Deploy packages
      2. Deploy Adobe packages using Microsoft Intune
      3. Deploy Adobe packages with SCCM
      4. Deploy Adobe packages with ARD
      5. Install products in the Exceptions folder
      6. Uninstall Creative Cloud products
      7. Use Adobe provisioning toolkit enterprise edition
      8. Adobe Creative Cloud licensing identifiers
    5. Manage updates
      1. Change management for Adobe enterprise and teams customers
      2. Deploy updates
    6. Adobe Update Server Setup Tool (AUSST)
      1. AUSST Overview
      2. Set up the internal update server
      3. Maintain the internal update server
      4. Common use cases of AUSST   
      5. Troubleshoot the internal update server
    7. Adobe Remote Update Manager (RUM)
      1. Use Adobe Remote Update Manager
      2. Channel IDs for use with Adobe Remote Update Manager
      3. Resolve RUM errors
    8. Troubleshoot
      1. Troubleshoot Creative Cloud apps installation and uninstallation errors
      2. Query client machines to check if a package is deployed
      3. Creative Cloud package "Installation Failed" error message
    9. Create packages using Creative Cloud Packager (CC 2018 or earlier apps)
      1. About Creative Cloud Packager
      2. Creative Cloud Packager release notes
      3. Application packaging
      4. Create packages using Creative Cloud Packager
      5. Create named license packages
      6. Create packages with device licenses
      7. Create a license package
      8. Create packages with serial number licenses
      9. Packager automation
      10. Package non-Creative Cloud products
      11. Edit and save configurations
      12. Set locale at system level
  9. Manage your account
    1. Manage your Teams account
      1. Overview
      2. Update payment details
      3. Manage invoices
      4. Change contract owner
      5. Change reseller
    2. Assign licenses to a Teams user
    3. Add products and licenses
    4. Renewals
      1. Teams membership: Renewals
      2. Enterprise in VIP: Renewals and compliance
    5. Automated expiration stages for ETLA contracts
    6. Switching contract types within an existing Adobe Admin Console
    7. Purchase Request compliance
    8. Value Incentive Plan (VIP) in China
    9. VIP Select help
  10. Reports & logs
    1. Audit Log
    2. Assignment reports
    3. Content Logs
  11. Get help
    1. Contact Adobe Customer Care
    2. Support options for teams accounts
    3. Support options for enterprise accounts
    4. Support options for Experience Cloud

Overview

The document highlights the process to configure the Adobe Admin Console with a Microsoft AD FS server.

The Identity Provider does not have to be accessible from outside the corporate network, but if it is not, only workstations within the network (or connected via VPN) will be able to perform authentication to activate a license or sign in after deactivating their session.

Set up SSO with Microsoft AD FS (Watch: 17 min)
Note:

Instructions and screenshots in this document are for AD FS version 3.0, but the same menus are present in AD FS 2.0.

Prerequisites

Before creating a directory for single sign-on using Microsoft AD FS, the following requirements must be met:

  • A Microsoft Windows Server installed with Microsoft AD FS and the latest operating system updates. If you want the users to use Adobe products with macOS, ensure that your server supports TLS version 1.2 and forward secrecy. To learn more about AD FS, see the Microsoft Identity and access document.
  • The server must be accessible from users' workstations (for example, via HTTPS).
  • Security certificate obtained from the AD FS server.
  • All Active Directory accounts, to be associated with a Creative Cloud for enterprise account, must have an email address listed within Active Directory.

Create a directory in the Adobe Admin Console

To configure single sign-on for your domain, you need to do the following: 

  1. Sign in to the Admin Console and start with creating a Federated ID directory, selecting Other SAML Providers as the identity provider. Download the Adobe metadata file from the Add SAML Profile screen.
  2. Configure AD FS specifying the ACS URL and Entity ID, and download the IdP metadata file.
  3. Return to the Adobe Admin Console and upload the IdP metadata file in the Add SAML Profile screen and click Done.

To learn more about the details of each step, follow the hyperlinks.

Configure the AD FS server

To configure SAML integration with AD FS, perform the below steps:

Caution:

All subsequent steps must be repeated after any change to the values in the Adobe Admin Console for a given domain.

  1. Navigate within the AD FS Management application to AD FS -> Trust Relationships -> Relying Party Trusts and click Add Relying Party Trust to start the wizard.

  2. Click Start and select Import data from a relying party from a file, then browse to the location to which you copied the metadata from your Adobe Admin Console.

  3. Name your relying party trust and enter any additional notes as required.

    Click Next.

  4. Determine if multi-factor authentication is required and select the relevant option.

    Click Next.

  5. Determine if all users can log on via AD FS.

    Click Next.

  6. Review your settings.

    Click Next.

  7. Your relying party trust has been added.

    Leave the option ticked to open the Edit Claim Rules dialog to quickly access the next steps.

    Click Close.

  8. If the Edit Claim Rules wizard has not opened automatically, you can access it from the AD FS Management application under AD FS -> Trust Relationships -> Relying Party Trusts, by selecting your Adobe SSO relying party trust and clicking Edit Claim Rules... on the right-hand-side.

  9. Click Add rule and configure a rule using the template Send LDAP attributes as Claims for your attribute store, mapping the LDAP Attribute E-Mail-Addresses to Outgoing Claim Type E-Mail Address.

    Note:

    As shown in the above screenshot, we suggest using email address as the primary identifier. You can also use the User Principal Name (UPN) field as the LDAP attribute sent in an assertion as the email address. However, we do not recommend this to configure Claim Rule.

    Often the UPN does not map to an email address, and will in many cases be different. This will most likely cause problems for notifications and sharing of assets within Creative Cloud.

  10. Click Finish to complete adding the transform claim rule.

  11. Again, using the Edit Claim Rules wizard, add a rule using the template. Transform an incoming claim to convert Incoming claims of type E-Mail Address with Outgoing Claim Type Name ID and Outgoing Name ID Format as Email, passing through all claim values.

  12. Click Finish to complete adding the transform claim rule.

  13. Using the Edit Claim Rules wizard, add a rule using the template Send Claims Using a Custom Rule containing the following rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

  14. Click Finish to complete the custom rule wizard.

  15. Click OK on the Edit Claim Rules dialog to complete adding these three rules to your relying party trust.

    Note:

    The order of the claim rules is important; they must appear as shown here.

To avoid connectivity problems between systems where the clock differs by a small amount, set the default time skew to 2 minutes. For more information on time-skew, see the troubleshooting errors document.

Download the AD FS metadata file

  1. Open the AD FS Management application on your server, and within the folder AD FS > Service > Endpoints, select the Federation Metadata.

    Metadata location

  2. Use a browser to navigate to the URL provided against Federation Metadata and download the file. For example, https://<your AD FS hostname>/FederationMetadata/2007-06/FederationMetadata.xml.

    Note:
    • Accept any warnings if prompted.
    • To know your Microrsoft AD FS hostname on a Windows operating system:
      Open Windows PowerShell > Run as Administrator > Type Get-AdfsProperties > Press enter > Look for your Hostname in the detailed list.

Upload IdP metadata file to Adobe Admin Console

To update the latest certificate, return to Adobe Admin Console window. Upload the metadata file downloaded from AD FS to the Add SAML profile screen and click Done.

Next steps: Complete setup to assign apps to users

Once you've set up your directory, do the following to enable your organization's users to use Adobe apps and services:

  1. Add and set up domains within the Admin Console.
  2. Associate the domains with the AD FS directory.
  3. (Optional) If your domains are already established within the Admin Console in another directory, transfer them directly to the newly created AD FS directory.
  4. Add product profiles to fine-tune the usage of your purchased plans.
  5. Test your SSO setup by adding a test user.
  6. Choose you user-management strategy and tools based on your requirements. Then, add users to the Admin Console and assign them to product profiles to get users started with their Adobe apps.

To learn more about other identity-related tools and techniques, see Set up identity.

Test Single Sign-on

Create a test user with active directory. Create an entry on the Admin Console for this user and assign it a license. Then, test logging in to Adobe.com to confirm that the relevant software is listed for download.

You can also test by logging in to Creative Cloud Desktop and from within an application such as Photoshop or Illustrator.

If you encounter problems, see our troubleshooting document. If you still require assistance with your single sign-on configuration, navigate to Support in the Adobe Admin console, and open a ticket with Customer Support.

Adobe logo

Sign in to your account