The Adobe Admin Console allows a system administrator to configure domains which are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain is demonstrated using a DNS token, the domain can be configured to allow users to log in to Creative Cloud. Users can log in using email addresses within that domain via an Identity Provider (IdP). The IdP is provisioned either as a software service that runs within the company network and is accessible from the Internet, or as a cloud service hosted by a third party, and it allows user login details to be verified via secure communication using the SAML protocol.

One such IdP is Microsoft Azure, a cloud-based service which facilitates secure identity management.

Azure AD uses the userPrincipalName attribute, or (in a custom installation) lets you specify which on-premises attribute is used as the user principal name in Azure AD. If the value of the userPrincipalName attribute doesn't correspond to a verified domain in Azure AD, then Azure AD replaces it with a default .onmicrosoft.com value.

When a user authenticates to the application, Azure AD issues a SAML token to the app that contains information (or claims) about users that uniquely identifies them. By default, this information includes a user's username, email address, first name, and last name. You can view or edit the claims sent in the SAML token to the application under the Attributes tab and release the user name attribute.


Before configuring a domain for single sign-on using Microsoft Azure as the IdP, the following requirements must be met:

  • An approved domain for your Adobe organization account. The status of the domain in the Adobe Admin Console must be Configuration Required.
  • Microsoft Azure dashboard is accessible.

Creating SSO Application in Azure for Adobe

To configure SSO in Azure, perform the below steps:

  1. Navigate to Active Directory > Your Azure Active Directory > Applications, and click Add.

  2. Click Add an Application From the Gallery.

  3. Select Custom, and type Adobe Creative Cloud.

  4. Select Adobe Creative Cloud, and then click Complete to add it.

  5. Click Configure Single Sign-on.

  6. Select Microsoft AD Single Sign-On, and click Next.

  7. Enter the below URL in the Issuer/Reply URL fields, and click Next.


  8. Click Download Certificate, and then save the certificate file.

  9. Select the single sign-on configuration confirmation, and click Complete.

Assigning Users via Azure

To assign users via Microsoft Azure, perform the below steps:

  1. Select Assign Accounts.

  2. Select Show All Users. Then, select the check box.

  3. Select a user to grant access to the application, and click Assign.

  4. Click Yes to confirm.

Adding Required Attributes via Azure

To add attributes via Azure, perform the below steps:

  1. Navigate to Attributes, and click Add User Attribute.

  2. Create the following attributes:

    • FirstName (givenname)
    • LastName (surname)
    • Email (mail)
  3. Click Apply Changes.
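
The following added example (not part of the original Adobe instructions) checks a decoded SAML assertion for the three attributes created above and for the .onmicrosoft.com fallback described earlier. The sample assertion is constructed, and `contoso` and `example.com` are placeholder names.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("FirstName", "LastName", "Email")  # attribute names created above

# Constructed sample assertion, not captured from a real tenant.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@contoso.onmicrosoft.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, federated_domain):
    """List configuration problems in a decoded assertion (the signature is NOT checked here)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in a SAML assertion")
    root = ET.fromstring(xml_text)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS)
        values[attr.get("Name")] = (value or "").strip()
    problems = [f"missing attribute: {name}" for name in REQUIRED if not values.get(name)]

    name_id = (root.findtext(".//saml:NameID", default="", namespaces=SAML_NS) or "").strip()
    domain = name_id.rpartition("@")[2].lower()
    if "@" not in name_id:
        problems.append("NameID is not an email-style identifier")
    elif domain.endswith(".onmicrosoft.com"):
        # Azure AD substituted its default domain: the UPN domain is not verified there.
        problems.append("NameID fell back to the default .onmicrosoft.com domain")
    elif domain != federated_domain.lower():
        problems.append(f"NameID domain {domain} is not the federated domain")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION, "example.com"):
        print(problem)
```
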

Configure Azure inside Adobe Admin Console

To configure single sign-on for your domain, enter the required information using the Set Up Domain wizard in the Adobe Admin Console.

  1. Upload the certificate that you saved in the previous step.

  2. Enter your Azure details.

    • IDP Binding: HTTP-REDIRECT
    • User Login Setting: Email address
    • IDP issuer: Issuer URL in Azure
    • IDP Login URL: SSO Service URL in Azure
  3. Click Complete Configuration.

  4. To save the SAML XML Metadata file, click Download Metadata. Use this file to configure your SAML integration with Azure.

    The file contains Adobe’s EntityID URL and AssertionConsumerService URL.

  5. Click Activate Domain.

    Your domain is now active.

Finalize Configuration within Azure

As a finalization step, to download the updated security certificate from Azure, perform the below steps:

  1. Within Azure, navigate to Adobe Creative Cloud > Configure Single Sign-on.

  2. Enter the following values and click Next.

    • Use the EntityID value Adobe provided you for ISSUER URL:
      This address takes the following form: https://www.okta.com/saml2/service-provider/spi1t5qwd3rI7onSs0x78
    • Use the AssertionConsumerService value Adobe provided you for REPLY URL:
      This address takes the following form: https://adbe-jackstromberg-dot-com-a8bd-prd.okta.com/auth/saml20/accauthlinktest
  3. Select the confirmation box and click Next.
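
The following added example (not Adobe's own tooling) reads the downloaded SAML metadata file and returns the two values to paste into the ISSUER URL and REPLY URL fields, refusing a reply URL that is not HTTPS. The sample metadata is constructed and its `sp.example.com` URLs are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MD_NS = {"md": MD}

# Constructed sample metadata; the URLs are placeholders, not Adobe's real endpoints.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml2/service-provider/PLACEHOLDER">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/auth/saml20/SECONDARY"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/auth/saml20/PLACEHOLDER"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def read_sp_metadata(xml_text):
    """Return the issuer (EntityID) and reply (AssertionConsumerService) URLs."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    endpoints = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if not entity_id or not endpoints:
        raise ValueError("metadata lacks an entityID or an AssertionConsumerService")
    # Prefer the endpoint marked isDefault="true"; otherwise take the lowest index.
    defaults = [e for e in endpoints if e.get("isDefault") == "true"]
    chosen = defaults[0] if defaults else min(endpoints, key=lambda e: int(e.get("index", "0")))
    reply_url = chosen.get("Location", "")
    # The IdP delivers the signed assertion to this URL, so insist on TLS.
    if not reply_url.startswith("https://"):
        raise ValueError(f"reply URL is not HTTPS: {reply_url!r}")
    return {"issuer_url": entity_id, "reply_url": reply_url}


if __name__ == "__main__":
    for field, value in read_sp_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```
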


Finalize Configuration within Adobe Admin Console

To update the latest certificate to the Adobe Admin Console, perform the below steps:

  1. Return to the Adobe Admin Console, and navigate to Settings > Identity.

  2. Click the name of the relevant domain, and click Edit SSO Configuration.

  3. Upload the latest certificate, since the dummy values were changed.

  4. Click Save.

Testing User Access

To test the user access, perform the following steps:

  1. Ensure that you assign the users via Azure.

  2. Also, ensure that you add users within the Adobe Admin Console as Federated ID and assign them to a group for entitlement.

  3. At this point, type your email address/UPN into the Adobe sign-in form and press Tab; you are federated back to Azure AD:

    • Web access: www.adobe.com > sign in
    • Within the desktop app utility > sign in
    • Within the application > help > sign in

If you need assistance with the Azure single sign-on configuration, navigate to Adobe Admin Console > Support, and open a ticket.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
