The document highlights the process to configure the Adobe Admin Console with a Microsoft AD FS server.
The Identity Provider does not have to be accessible from outside the corporate network, but if it is not, only workstations within the network (or connected via VPN) will be able to perform authentication to activate a license or sign in after deactivating their session.
Instructions and screenshots in this document are for AD FS version 3.0, but the same menus are present in AD FS 2.0.
Before creating a directory for single sign-on using Microsoft AD FS, the following requirements must be met:
To configure single sign-on for your domain, you need to do the following:
To learn more about the details of each step, follow the hyperlinks.
To configure SAML integration with AD FS, perform the below steps:
All subsequent steps must be repeated after any change to the values in the Adobe Admin Console for a given domain.
Navigate within the AD FS Management application to AD FS -> Trust Relationships -> Relying Party Trusts and click Add Relying Party Trust to start the wizard.
Name your relying party trust and enter any additional notes as required.
Click Next.
Determine if multi-factor authentication is required and select the relevant option.
Click Next.
Determine if all users can log on via AD FS.
Click Next.
Review your settings.
Click Next.
Your relying party trust has been added.
Leave the option ticked to open the Edit Claim Rules dialog to quickly access the next steps.
Click Close.
If the Edit Claim Rules wizard has not opened automatically, you can access it from the AD FS Management application under AD FS -> Trust Relationships -> Relying Party Trusts, by selecting your Adobe SSO relying party trust and clicking Edit Claim Rules... on the right-hand-side.
Click Add rule and configure a rule using the template Send LDAP attributes as Claims for your attribute store, mapping the LDAP Attribute E-Mail-Addresses to Outgoing Claim Type E-Mail Address.
As shown in the above screenshot, we suggest using email address as the primary identifier. You can also use the User Principal Name (UPN) field as the LDAP attribute sent in an assertion as the email address. However, we do not recommend this to configure Claim Rule.
Often the UPN does not map to an email address, and will in many cases be different. This will most likely cause problems for notifications and sharing of assets within Creative Cloud.
Click Finish to complete adding the transform claim rule.
Again, using the Edit Claim Rules wizard, add a rule using the template. Transform an incoming claim to convert Incoming claims of type E-Mail Address with Outgoing Claim Type Name ID and Outgoing Name ID Format as Email, passing through all claim values.
Click Finish to complete adding the transform claim rule.
Using the Edit Claim Rules wizard, add a rule using the template Send Claims Using a Custom Rule containing the following rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
Click Finish to complete the custom rule wizard.
Click OK on the Edit Claim Rules dialog to complete adding these three rules to your relying party trust.
The order of the claim rules is important; they must appear as shown here.
To avoid connectivity problems between systems where the clock differs by a small amount, set the default time skew to 2 minutes. For more information on time-skew, see the troubleshooting errors document.
Open the AD FS Management application on your server, and within the folder AD FS > Service > Endpoints, select the Federation Metadata.
Use a browser to navigate to the URL provided against Federation Metadata and download the file. For example, https://<your AD FS hostname>/FederationMetadata/2007-06/FederationMetadata.xml.
To update the latest certificate, return to Adobe Admin Console window. Upload the metadata file downloaded from AD FS to the Add SAML profile screen and click Done.
Once you've set up your directory, do the following to enable your organization's users to use Adobe apps and services:
To learn more about other identity-related tools and techniques, see Set up identity.
Create a test user with active directory. Create an entry on the Admin Console for this user and assign it a license. Then, test logging in to Adobe.com to confirm that the relevant software is listed for download.
You can also test by logging in to Creative Cloud Desktop and from within an application such as Photoshop or Illustrator.
If you encounter problems, see our troubleshooting document. If you still require assistance with your single sign-on configuration, navigate to Support in the Adobe Admin console, and open a ticket with Customer Support.
