הערה:

If you are deploying licenses for the first time for your end users in Microsoft Azure AD, use the simpler process within the Admin Console to set up SSO with Microsoft Azure using the Azure AD Connector tool.

Overview

The Adobe Admin Console allows a system administrator to configure domains and directories which are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain is demonstrated using a DNS token and it has been linked to a Federated ID directory, users who have email addresses within the claimed domain can log in to Creative Cloud via an Identity Provider system (IdP) once corresponding accounts have been created on the relevant Adobe Admin Console. The process is provisioned either as a software service which runs within the company network and is accessible from the Internet or a cloud service hosted by a third party that allows for the verification of user login details via secure communication using the SAML protocol.

One such IdP is Microsoft Azure, a cloud-based service which facilitates secure identity management.

The Azure AD uses the userPrincipalName attribute or allows you to specify the attribute (in a custom installation) to be used from on-premises as the user principal name in Azure AD. If the value of the userPrincipalName attribute does not correspond to a verified domain in Azure AD, it will be replaced with a default .onmicrosoft.com value.

When a user authenticates to the application, Azure AD issues a SAML token to the app that contains information (or claims) about users that uniquely identifies them. By default, this information includes a user's username, email address, first name, and last name. You can view or edit the claims sent in the SAML token to the application under the Attributes tab and release the user name attribute.

Prerequisites

Before configuring a domain for single sign-on using Microsoft Azure as the IdP, the following requirements must be met:

  • An approved domain which corresponds to the DNS domain your users reside within, which is linked to a federated directory on your Adobe admin console. For further details, see our general documentation on setting up identity.
  • Microsoft Azure dashboard is accessible and you are logged in as an administrator able to create a new enterprise application

Creating SSO Application in Azure for Adobe

To configure SSO in Azure, perform the below steps:

  1. Navigate to Azure Active Directory > Enterprise Applications > All Applications, and click New Application.

  2. Under Add from the gallery, enter "Adobe Creative Cloud" in the search field

  3. Select Adobe Creative Cloud, rename your connector and click Add and wait for the process to complete.

    add_application
  4. Navigate to Azure Active Directory > Enterprise Applications > All Applications, and select your new Adobe Creative Cloud connector application to move to the Overview page.

  5. In a separate tab of your web browser, sign in to your Adobe Admin Console. Then, go to settings > identity and click the Configure button against the directory you are setting up to access its configuration page. To know more about user identity and directories, see set up identity.

    Configure directory
  6. Go to the Azure Portal window and select Single sign-on > SAML.

    SAML
  7. In the Basic SAML Configuration, add the Identifier (Entry ID) and set the Sign on URL to https://adobe.com. Then, click Save.

    Basic SAML config
  8. To format the SAML Token Attributes, click the Edit button and open the User Attributes dialog. Then, click Add new claim to edit the attributes on the User Attributes & Claims page as follows, leaving the Namespace entry blank.

    NAME VALUE NAMESPACE
    FirstName user.givenname  
    LastName user.surname  
    Email user.mail  
  9. When all the attributes are set to match the following values, close the User Attributes & Claims page.

    User attribute

    הערה:

    • To authenticate users by email, set UserIdentifier to user.mail. To authenticate users by UserPrincipalName, set UserIdentifier to user.userprincipalname.
    • Users need to have a valid Office 365 ExO license for email claim value to be added in the SAML response.

  10. From the SAML Signing Certificate section, download the Certificate (Base64) file and save it to your computer.

    SAML Signinig Certificate
  11. Then, copy the appropriate URLs from the Set up <Name> section as per your requirement.

    Set up
  12. Copy the Azure AD SAML Entity ID from the Azure portal and paste it into the IdP Issuer field of the Identity configuration page for your domain on your Adobe Admin Console.

  13. Copy the Azure AD Single Sign-On Service URL from the Azure portal and paste it into the IdP login URL field of the Identity configuration page for your domain on your Adobe Admin Console.

  14. Click the 'X' to close the documentation page on the Azure portal, and return to the Enterprise Application configuration window for your Adobe SSO connector.

  15. Within the "SAML Signing Certificate" section, click Certificate (base 64) on the right hand side to download the certificate file.

  16. Upload the certificate obtained in the previous step to your Adobe admin console as the IdP certificate, and save these details by clicking complete configuration. Then, click Save.

    01_-_configure_saml
  17. Tick the box to show that you understand the need to complete the configuration with your identity provider. This will be done in the next steps on your Azure portal.

  18. Save the settings for this directory from your Adobe admin console by clicking the button Download Metadata.

    You will be using this file to obtain particular attributes of the configuration.

    configure_directoryanddownloadmetadata
  19. Click Complete to activate the directory.

  20. Open the metadata in a text editor or web browser, and copy the values of the EntityID and AssertionConsumerService respectively to your Azure portal in the Identifier and ReplyURL fields, as shown in the example screenshot below.

    metadata_example
    • Use the URL of the EntityID from the metadata in the Identifier field in your Azure configuration:
      This address takes the following form: https://www.okta.com/saml2/service-provider/spi1t5qdd3rI7onSl0x78
    • Use the URL of the AssertionConsumerService for the Reply URL in your Azure configuration
      This address takes the following form: https://adbe-example-dot-com-a8bd-prd.okta.com/auth/saml20/accauthlinktest
  21. Save these settings on your Azure portal using the "Save" link at the top of the page.

Assigning Users via Azure

To assign users via Microsoft Azure to permit them to log in using the Adobe Creative Cloud connector, perform the steps below. Note that you will still need to assign licenses via the Adobe admin console.

  1. Navigate to Azure Active Directory -> Enterprise Applications -> All Applications, and select your Adobe Creative Cloud connector application.

  2. Click Users and groups

  3. Click Add user to select users to assign to this connector which will allow them to sign in via Single Sign-On.

  4. Click Users or Groups and select one or more users or groups to be permitted to log in to Creative Cloud, then click Select followed by Assign.

Testing User Access

To test the user access, perform the following steps:

  1. Ensure that you assign the users via Azure.

  2. Also, ensure that you add users within the Adobe Admin console as Federated ID and assign them to a group for entitlement.

  3. At this point, type your email address/upn into the Adobe sign-in form, press tab, and you are federated back to Azure AD:

    • In a web browser: www.adobe.com click sign in at the upper-right corner of the page
    • Within the Creative Cloud Desktop application
    • From an Adobe Creative Cloud application such as Photoshop or Illustrator from the menu Help > Sign in...

If you encounter problems, see our troubleshooting document.

If you need further assistance with your single sign-on configuration, navigate to your Adobe Admin Console and open the Support section and open a ticket, or click support on the Adobe website.

עבודה זו בוצעה ברישיון של Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  הודעות המתפרסמות ב- Twitter™‎ ו- Facebook אינן מכוסות בתנאי Creative Commons.

הצהרות משפטיות   |   מדיניות פרטיות מקוונת