The Adobe Admin Console allows a system administrator to configure domains which are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain has been demonstrated by use of a DNS token, the domain can be configured to allow users to log in to Creative Cloud using e-mail addresses within that domain via an Identity Provider (IdP). An IdP is either software installed on a server which is accessible from the internet, or a cloud service hosted by a third party; in both cases it verifies user login details via secure communication using the SAML protocol.

One such IdP is Microsoft Active Directory Federation Services, or AD FS. To use AD FS, a server should be configured which is accessible from the internet and which has access to the directory services within the corporate network. This document describes the process necessary to configure the Adobe Admin Console and a Microsoft AD FS server so that users can log in to Adobe Creative Cloud applications and associated websites using Single Sign-On.

Access to the IdP is commonly achieved using a separate network, generally referred to as a DMZ or Demilitarised Zone, for which specific rules are configured to allow only specific types of communication between servers and the internal and external network. The configuration of the operating system on this server and the topology of such a network are beyond the scope of this document.


Before configuring a domain for single sign-on using Microsoft AD FS, the following requirements should be met:

  • Domain has been claimed in the Adobe Admin Console, showing it as "Active" in the "Domain Status" column
  • AD FS server installed with a compatible version of Microsoft Windows Server and the latest operating system updates and accessible externally (e.g. via HTTPS)
  • Security certificate obtained from the AD FS server
  • All Active Directory accounts to be associated with a Creative Cloud for Enterprise account must have an email address listed within Active Directory.


To configure the Adobe Admin Console, as demonstrated in the screenshot above, perform the following steps:

Upload certificate to the console

  1. On the "Certificates" view of the AD FS 2.0 Management application, select the Token Signing certificate and click "View Certificate..." to open the certificate properties window.
  2. From the Details tab, click "Copy to file..." and use the wizard to save the certificate as "Base-64 encoded X.509 (.CER)" (this is equivalent to a PEM format certificate).
  3. Upload the saved certificate file to the Adobe Admin Console.

Set configuration values of AD FS server

  1. Copy the IDP issuer URL from Federation Service Properties window on the AD FS server, under the field "Federation Service identifier" (note that the field must match exactly) e.g. http://adfs.example.com/adfs/services/trust - this address does not need to be externally accessible
  2. Determine the IDP login URL, by default for Microsoft AD FS this address will take the form: https://adfs.example.com/adfs/ls/
  3. Select HTTP-REDIRECT as the IDP binding
  4. Leave the User Login Setting as "Email address"

Copy metadata to AD FS server

NOTE: this step and all subsequent steps must be repeated after any change to the values in the Adobe Admin Console for a given domain

  1. Download metadata file from Adobe Admin Console
  2. Copy the file to the AD FS server
  3. Create a new Relying Party Trust on the AD FS server using the metadata file obtained from the console (see screenshot)

Configure claim rules on AD FS server

  1. Using the "Edit Claim Rules" wizard, add a rule using the template "Send LDAP attributes as Claims" for your attribute store, mapping the LDAP Attribute "E-Mail-Addresses" to Outgoing Claim Type "E-Mail Address" (see screenshot)
  2. Again, using the "Edit Claim Rules" wizard, add a rule using the template "Transform an incoming claim" to convert Incoming claims of type "E-Mail Address" with Outgoing Claim Type "Name ID" and Outgoing Name ID Format as "Email", passing through all claim values.
  3. Using the "Edit Claim Rules" wizard, add a rule using the template "Send Claims Using a Custom Rule" containing the following rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

Configure hash algorithm

  1. Modify the properties of your Relying Party Trust entry for the domain you are using with the Adobe Admin Console and on the "Advanced" tab, select a Secure hash algorithm of SHA-1

Test single sign-on

  1. Create a test user in Active Directory, create an entry on the Adobe Admin Console for this user and assign it a license, then test logging in to http://www.adobe.com/ to confirm that the relevant software is listed for download.
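
A read-only check of the steps above, as an added example that is not part of the original Adobe document: run on the AD FS server, it compares the exported certificate, the Federation Service identifier, the hash algorithm and the claim rules with what this procedure configures. The trust name, file path and issuer value are placeholders, and the AD FS PowerShell cmdlets are assumed to be available.

```powershell
# Added example: read-only check of the AD FS side of this procedure.
# Assumptions: AD FS PowerShell cmdlets are loaded (AD FS 2.0 needs
# "Add-PSSnapin Microsoft.Adfs.PowerShell" first). All three values below
# are placeholders to replace with your own.
$TrustName     = 'Adobe SSO'                                    # hypothetical trust display name
$CerPath       = 'C:\Temp\adfs-token-signing.cer'               # hypothetical exported .CER path
$ConsoleIssuer = 'http://adfs.example.com/adfs/services/trust'  # IDP issuer typed into the console

function New-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

$results = @()

# Certificate: the uploaded file must be Base-64 encoded and must be the
# primary Token Signing certificate, not the service communications one.
$signing   = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$exported  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$firstLine = Get-Content -Path $CerPath -TotalCount 1
$results += New-Check 'File is Base-64 (.CER/PEM)' `
    ($firstLine -eq '-----BEGIN CERTIFICATE-----') $CerPath
$results += New-Check 'File is the primary Token Signing cert' `
    ($exported.Thumbprint -eq $signing.Thumbprint) $signing.Thumbprint
$results += New-Check 'Token Signing cert not expired' `
    ($signing.Certificate.NotAfter -gt (Get-Date)) $signing.Certificate.NotAfter

# Issuer: the console value must match "Federation Service identifier" exactly
# (case-sensitive comparison; the cast works whether the property is a Uri or a string).
$identifier = [string](Get-AdfsProperties).Identifier
$results += New-Check 'IDP issuer matches exactly' ($identifier -ceq $ConsoleIssuer) $identifier

# Relying Party Trust: hash algorithm and the claim rules from the steps above.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
$rules = $trust.IssuanceTransformRules
$results += New-Check 'Hash algorithm is SHA-1' `
    ($trust.SignatureAlgorithm -eq 'http://www.w3.org/2000/09/xmldsig#rsa-sha1') `
    $trust.SignatureAlgorithm
$results += New-Check 'Name ID issued in Email format' `
    ($rules -match 'claims/nameidentifier' -and $rules -match 'nameid-format:emailAddress') ''
$results += New-Check 'Custom rule issues Email, FirstName, LastName' `
    ($rules -match '"Email",\s*"FirstName",\s*"LastName"') ''

$results | Format-Table Check, Passed, Detail -AutoSize
```

Any row with Passed = False points at the step to revisit; after correcting a value in the Adobe Admin Console, repeat the metadata and later steps as the NOTE above requires.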

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
