Configure Okta for use with Adobe SSO
The Adobe Admin Console allows a system administrator to configure domains which are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain has been demonstrated by use of a DNS token, the domain can be configured to allow users to log-in to Creative Cloud using e-mail addresses within that domain via an Identity Provider (IdP) - either as a software service which runs within the company network and is accessible from the internet or a cloud service hosted by a third party which allows for the verification of user login details via secure communication using the SAML protocol.
One such IdP is Okta, a cloud service which facilitates secure identity management.
Before configuring a domain for single sign-on using Okta as the IdP, the following requirements should be met:
- Domain has been claimed in the Adobe Admin Console, showing it as "Active" in the "Domain Status" column
- Okta dashboard configured and accessible with administrative rights for the domain in question
1. Begin by filling-out the identity configuration on the Adobe Admin Console with placeholder information as follows:
- Use any IdP certificate which has been provided by Okta for any setup process. This information will be replaced before activation.
- Set the IdP issuer to Okta
- Set the IdP login URL to https://www.adobe.com
- Leave the IdP binding as HTTP-Post
- Leave the user login setting as Email Address
3. Within the Okta dashboard, under Applications -> Add Application, click "Create New App".
4. Fill-out the general settings as follows:
- App name: Adobe Creative Cloud
- App visibility:
- Select "Do not display application icon to users"
- Select "Do not display application icon in the Okta Mobile app"
6. Click "Next"
7. Click "Download Okta Certificate"
8. Change the file extension of the certificate downloaded form the Okta Dashboard to ".cer" to allow it to be uploaded to the Adobe Admin Console.
9. Open the Adobe Admin Console https://adminconsole.adobe.com/enterprise and browse to the "Identity" tab and to the details for the relevant domain.
10. Upload the Okta certificate in the "IDP Certificate" field.
11. Save the settings
12. Click "Download metadata" and save the file
13. Return to the Okta Dashboard and complete the App Setup Wizard. Open the metadata saved from the Adobe Admin Console in a web browser (e.g. Internet Explorer) and copy the values form the following fields, as per the example screenshot below:
14. Click "Show Advanced Settings"
15. Modify the Attribute Statements as follows:
- FirstName = user.firstName
- LastName = user.lastName
- Email = user.email
16. Click "Finish" and access the newly created "Adobe Creative Cloud" app.
17. Go to "Sign-On" -> "View Setup Instructions"
18. Obtain the following information in order to replace the dummy values previously entered into the Adobe Admin Console:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
19. On the Adobe Admin Console, click "Edit Configuration"
20. Fill in the information obtained from the Okta Dashboard as follows:
- IDP Certificate = X.509 Certificate
- IDP Issuer = Identity Provider Issuer
- IDP Login URL = Identity Provider Single Sign-On URL
21. Save the configuration
22. Test with a user which you have defined both in your own identity management system and in the Adobe Admin Console by logging in to https://www.adobe.com/ and also Creative Cloud Desktop.
If you need additional assistance after following the steps in this guide, open a ticket on the Support tab in the Adobe Admin Console.