Overview

The Adobe Admin Console allows a system administrator to configure domains that are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain has been demonstrated using a DNS token, the domain can be configured to allow users to log in to Creative Cloud. Users log in with email addresses within that domain via an Identity Provider (IdP). The IdP is provisioned either as a software service that runs within the company network and is reachable from the Internet, or as a cloud service hosted by a third party; in either case it verifies the user's login details and communicates the result securely using the SAML protocol.

One such IdP is Microsoft Azure, a cloud-based service which facilitates secure identity management.

Azure AD uses the on-premises userPrincipalName attribute (or, in a custom installation, an attribute you specify) as the user principal name in Azure AD. If the value of that attribute does not correspond to a verified domain in Azure AD, Azure AD replaces it with a default .onmicrosoft.com value.

When a user authenticates to the application, Azure AD issues a SAML token to the app that contains information (claims) about the user that uniquely identifies them. By default, this information includes the user's username, email address, first name, and last name. You can view or edit the claims sent in the SAML token to the application under the Attributes tab, and release the user name attribute there.

Prerequisites

Before configuring a domain for single sign-on using Microsoft Azure as the IdP, the following requirements must be met:

  • An approved domain for your Adobe organization account. The status of the domain in the Adobe Admin Console must be Configuration Required.
  • Access to the Microsoft Azure dashboard.

Creating SSO Application in Azure for Adobe

To configure SSO in Azure, perform the below steps:

  1. Navigate to Azure Active Directory > Enterprise Applications > All Applications, and click New Application.

  2. Under Add from the gallery, enter "Adobe Creative Cloud" in the search field.

  3. Select Adobe Creative Cloud, and click "Add" and wait for the process to complete.

  4. Navigate to Azure Active Directory > Enterprise Applications > All Applications, and select your new Adobe Creative Cloud connector application.

  5. Click Single Sign-On, and select the mode for this connector application as "SAML-based single sign-on".

  6. Enter dummy information in the "Identifier" and "Reply URL" fields, such as https://adobe.com/ (these placeholder values are replaced with the real Adobe values in the finalization steps below).

  7. Enter the below URL in the Issuer/Reply URL fields, and click Next.

    https://adobe.com

  8. Click Certificate (base 64) to download the certificate file.

  9. Save these settings using the "Save" link at the top of the page.

Assigning Users via Azure

To assign users via Microsoft Azure to permit them to log in using the Adobe Creative Cloud connector, perform the steps below. Note that you will still need to assign licenses via the Adobe Admin Console.

  1. Navigate to Azure Active Directory > Enterprise Applications > All Applications, and select your Adobe Creative Cloud connector application.

  2. Click Users and groups.

  3. Click Add user to select users to assign to this connector which will allow them to sign in via Single Sign-On.

  4. Click Users or Groups and select one or more users or groups to be permitted to log in to Creative Cloud, then click Select followed by Assign.

Adding Required Attributes via Azure

To add attributes via Azure, perform the below steps:

  1. Navigate to Azure Active Directory > Enterprise Applications > All Applications, and select your new Adobe Creative Cloud connector application.

  2. Click Single sign-on.

  3. Click the tick-box to View and edit all other user attributes.

  4. Edit the SAML Token Attributes as follows, leaving the namespace blank for each entry:

    NAME         VALUE             NAMESPACE
    FirstName    user.givenname
    LastName     user.surname
    Email        user.mail

    NOTE: It is also possible to use the value of user.userprincipalname, which is the preferred option for some configurations. This is not recommended, because end users may not receive notifications if there is no alias for their e-mail address that allows e-mail sent to their User Principal Name to be delivered. For example, if the username is jbloggs@example.com and the UPN is joe.bloggs@example.com, and the UPN is used as the primary identifier for Single Sign-On with Adobe Creative Cloud, there would need to be an alias that allows the longer address to receive incoming e-mail.

  5. Click Save at the top of the page to apply the changes.
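The attribute mapping above is easiest to verify against a real token from the IdP. The following script is an added example, not part of the original article or of Adobe's or Microsoft's tooling: it parses the AttributeStatement of a constructed SAML assertion that carries the three claim names from the table (FirstName, LastName, Email, no namespace), and then checks the Email value against the domains the Adobe organization has verified. The `.onmicrosoft.com` check reflects the fallback described in the Overview, where Azure AD substitutes a tenant default UPN when the on-premises suffix is not a verified domain. The tenant id, user and timestamp in the sample are invented, and signature validation of the token is out of scope here.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace (standard OASIS URI).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names exactly as configured in the attribute table, namespace left blank.
REQUIRED_CLAIMS = ("FirstName", "LastName", "Email")

# Constructed sample assertion: tenant id, user and timestamp are invented for
# this example; a real token is also signed, which this check does not cover.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2018-01-10T15:17:33Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>jbloggs@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Joe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Bloggs</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jbloggs@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return {claim name: first value} for every Attribute in the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values[0] if values else ""
    return claims


def check_claims(claims, verified_domains):
    """List the problems that would stop the user logging in via Federated ID.

    An empty list means the token carries the three required claims and the
    Email value belongs to a domain the Adobe organization has verified.
    """
    problems = []
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append("missing or empty claim: " + name)
    email = claims.get("Email", "")
    if email and "@" in email:
        domain = email.rpartition("@")[2].lower()
        if domain.endswith(".onmicrosoft.com"):
            # Azure AD substitutes a default .onmicrosoft.com UPN when the
            # on-premises UPN suffix is not a verified domain in the tenant.
            problems.append("Email falls back to a tenant default domain: " + domain)
        elif domain not in {d.lower() for d in verified_domains}:
            problems.append("Email domain is not verified for this Adobe organization: " + domain)
    return problems


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION)
    print(claims)
    print(check_claims(claims, ["example.com"]))
```

To use it on a real token, capture the decoded SAML response from a test login (the Azure "Test" feature on the Single sign-on page, or a browser SAML tracer), paste the Assertion element in place of the sample, and pass the list of domains that show as verified in the Adobe Admin Console.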

Configure Azure inside Adobe Admin Console

To Configure Single Sign-On for your domain, enter the required information using the Set Up Domain wizard in the Adobe Admin Console.

  1. Upload the certificate that you saved in the previous step.

  2. Enter your Azure details.

    • IDP Binding: HTTP-REDIRECT
    • User Login Setting: Email address
    • IDP issuer: Issuer URL in Azure
    • IDP Login URL: SSO Service URL in Azure
  3. Click Complete Configuration.

  4. To save the SAML XML Metadata file, click Download Metadata. Use this file to configure your SAML integration with Azure.

    The file contains Adobe’s EntityID URL and AssertionConsumerService URL.

  5. Click Activate Domain.

    Your domain is now active.
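The metadata file downloaded in step 4 is what supplies the two values entered into Azure in the next section. As an added example (not Adobe's own tooling, and not code from the original article), the script below reads an SP metadata file, pulls out the EntityID (the Azure Issuer URL) and the default AssertionConsumerService Location (the Azure Reply URL), and flags anything that should not be pasted into the Azure application as-is. The embedded metadata is a constructed sample in the shape the article describes; its entityID and Location are placeholders, not a real organization's values.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace and the binding Azure AD uses to deliver the
# SAML response to the service provider (standard OASIS URIs).
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an SP metadata file; the entityID and
# Location values are placeholders, not a real Adobe organization's values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/EXAMPLE-ENTITY-ID">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.okta.com/auth/saml20/EXAMPLE-APP" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def read_sp_metadata(xml_text):
    """Return the Issuer URL and Reply URL to enter in Azure, taken from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    services = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if not services:
        raise ValueError("metadata has no AssertionConsumerService endpoint")
    # Prefer the endpoint marked isDefault; otherwise take the first one listed.
    acs = next((s for s in services if s.get("isDefault") == "true"), services[0])
    return {
        "issuer_url": root.get("entityID"),
        "reply_url": acs.get("Location"),
        "binding": acs.get("Binding"),
    }


def check_endpoints(values):
    """Flag values that should not be pasted into the Azure application as-is."""
    problems = []
    for key in ("issuer_url", "reply_url"):
        url = values.get(key) or ""
        if not url.startswith("https://"):
            problems.append(key + " is not an https URL: " + repr(url))
    if values.get("binding") != HTTP_POST:
        problems.append("ACS binding is not HTTP-POST: " + str(values.get("binding")))
    return problems


if __name__ == "__main__":
    endpoints = read_sp_metadata(SAMPLE_METADATA)
    print(endpoints)
    print(check_endpoints(endpoints))
```

Replace `SAMPLE_METADATA` with the contents of the downloaded file (for example `open("metadata.xml").read()`); the printed `issuer_url` and `reply_url` are the values for the ISSUER URL and REPLY URL fields in the next section.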

Finalize Configuration within Azure

As a finalization step, to download the updated security certificate from Azure, perform the below steps:

  1. Within Azure, navigate to Adobe Creative Cloud > Configure Single Sign-on.

  2. Enter the following values and click Next.

    • Use the EntityID value Adobe provided you for ISSUER URL:
      This address takes the following form: https://www.okta.com/saml2/service-provider/spi1t5qwd3rI7onSs0x78
    • Use the AssertionConsumerService value Adobe provided you for REPLY URL:
      This address takes the following form: https://adbe-jackstromberg-dot-com-a8bd-prd.okta.com/auth/saml20/accauthlinktest
  3. Select the confirmation box and click Next.


Finalize Configuration within Adobe Admin Console

To update the latest certificate to the Adobe Admin Console, perform the below steps:

  1. Return to the Adobe Admin Console, and navigate to Settings > Identity.

  2. Click the name of the relevant domain, and click Edit SSO Configuration.

  3. Upload the latest certificate, since the dummy values were changed.

  4. Click Save.

Testing User Access

To test the user access, perform the following steps:

  1. Ensure that you assign the users via Azure.

  2. Also, ensure that you add users within the Adobe Admin console as Federated ID and assign them to a group for entitlement.

  3. At this point, type your email address/UPN into the Adobe sign-in form, press Tab, and you are federated back to Azure AD:

    • Web access: www.adobe.com > sign in
    • Within the desktop app utility > sign in
    • Within the application > help > sign in

If you need assistance with the Azure single sign-on configuration, navigate to Adobe Admin Console > Support, and open a ticket.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
