Overview

The Adobe Admin Console allows a system administrator to configure domains that are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain has been demonstrated using a DNS token, the domain can be configured to allow users to log in to Creative Cloud with email addresses in that domain via an Identity Provider (IdP). The IdP is either a software service that runs within the company network and is accessible from the Internet, or a cloud service hosted by a third party; in both cases it verifies user login details over a secure channel using the SAML protocol.

One such IdP is Microsoft Active Directory Federation Services (AD FS). To use AD FS, a server must be configured that is accessible from the workstations on which users will be logging in, and that has access to the directory service within the corporate network. This document describes the process of configuring the Adobe Admin Console and a Microsoft AD FS server so that users can log in to Adobe Creative Cloud applications and associated websites using Single Sign-On.

The IdP does not have to be accessible from outside the corporate network, but if it is not, only workstations within the network (or connected via VPN) will be able to perform authentication to activate a license or sign in after deactivating their session.

Prerequisites

Before configuring a domain for single sign-on using Microsoft AD FS, the following requirements must be met:

  • An approved directory on your Adobe Admin Console set for Federated ID either awaiting configuration, or previously configured for another IdP
  • The relevant domain has been claimed within your federated directory
  • A Microsoft Windows Server installed with Microsoft AD FS and the latest operating system updates. If you want the users to use Adobe products with macOS, ensure that your server supports TLS version 1.2 and forward secrecy.
  • The server must be accessible from users' workstations (for example, via HTTPS)
  • The token-signing certificate obtained from the AD FS server
  • All Active Directory accounts to be associated with a Creative Cloud for Enterprise account must have an email address listed within Active Directory.

Setting up a directory and claiming a domain within it on your Admin Console are both described on the page Set up identity. Once added, a directory can be configured for single sign-on before a domain is claimed, but to create Federated ID users you must claim the domain in which they exist.

The name of the directory is arbitrary, but the domain linked to your directory must fully match the part of the email address after the '@' symbol. If you also want to use subdomains, they must be claimed separately.

Note:

Instructions and screenshots in this document are for AD FS version 3.0, but the same menus are present in AD FS 2.0.

Download the Token-Signing Certificate

  1. Open the AD FS Management application on your server, and within the folder AD FS -> Service -> Certificates, select the Token Signing certificate.

    Note:

    The Token Signing certificate expires on the Expiration Date shown. After it expires, renew the certificate, download it again, and upload it to the Adobe Admin Console.

  2. To open the certificate properties window, click View Certificate.

    [Screenshot: Token Signing certificate]
  3. From the Details tab, click Copy to File and use the wizard to save the certificate as Base-64 encoded X.509 (.CER). This format is equivalent to a PEM format certificate.

    [Screenshot: Certificate Export Wizard]
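The same export can be scripted on the AD FS server. This is an added example, not part of the Adobe document; it assumes the AD FS 3.0 PowerShell module (on AD FS 2.0 run Add-PSSnapin Microsoft.Adfs.PowerShell first) and an output path of your choosing.

```powershell
# Added example (not from the Adobe document): export the primary token-signing
# certificate as Base-64 X.509 (.cer / PEM), the same result as the Copy to File
# wizard, and report when it expires. Run in an elevated PowerShell on the AD FS server.
$outFile = 'C:\Temp\adfs-token-signing.cer'   # assumed output path

# Only the primary certificate signs tokens; a secondary one appears during rollover.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$x509    = $signing.Certificate               # X509Certificate2 object

# Export the public certificate only (never the private key), DER-encoded.
$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Base-64 in 64-character lines between PEM armour lines, as the wizard produces.
$b64 = [Convert]::ToBase64String($der) -replace '(.{64})', "`$1`n"
$pem = "-----BEGIN CERTIFICATE-----`n$($b64.TrimEnd("`n"))`n-----END CERTIFICATE-----`n"
Set-Content -Path $outFile -Value $pem -Encoding Ascii -NoNewline

# The note under step 1 warns that the certificate expires; flag it while it is still valid
# so the renewed certificate can be uploaded to the Admin Console before logins break.
$daysLeft = [int]($x509.NotAfter - (Get-Date)).TotalDays
"Exported $($x509.Thumbprint) to $outFile; expires $($x509.NotAfter) ($daysLeft days left)"
if ($daysLeft -lt 30) {
    Write-Warning 'Renew the token-signing certificate and upload the new one to the Admin Console.'
}
```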

Configure your Directory on the Adobe Admin Console

To configure single sign-on for your directory, enter the required information in your Adobe Admin Console and download the metadata for configuring your Microsoft AD FS server.

  1. Sign in to your Admin Console and navigate to Settings > Identity.

  2. Go to the Directories tab.

  3. Click Configure next to the directory that you want to configure.

    [Screenshot: Configure directory]
  4. Upload the certificate that you saved from your Microsoft AD FS server.

  5. Select HTTP - Redirect as the IdP binding.

  6. Select Email as the User login setting.

  7. On your AD FS server in the AD FS Management application, select the entry at the top of the tree, AD FS, and click Edit Federation Service Properties. On the General tab of the pop-up window, copy the Federation Service Identifier.

    For example: http://adfs.example.com/adfs/services/trust

    [Screenshot: Federation Service Properties]
  8. Paste the Federation Service Identifier that you copied into your Adobe Admin Console in the IdP Issuer field.

    Note:

    The IdP Issuer field is used to identify the server, and is not a URL which is accessed by users when connecting to the server. For security reasons, your AD FS server must only be accessible via HTTPS, not via insecure HTTP.

  9. Obtain the host name of your IdP server (this is often the same as the Federation Service name), prefix the protocol https:// and suffix the path /adfs/ls to construct the IdP login URL.

    For example: https://adfs.example.com/adfs/ls/

  10. Enter the IdP login URL on your Adobe Admin Console.

  11. Click Save.

    [Screenshot: Admin Console - AD FS configure directory]
  12. To save the SAML XML Metadata file on your computer, click Download Metadata. This file will be used to configure a relying party trust on your AD FS server in the remainder of this document.

  13. Select the check box to show that you understand the need to complete the configuration with your identity provider. This will be done in the next steps on your AD FS server.

    [Screenshot: Configure directory and download metadata]
  14. Copy the XML metadata file to your AD FS server to be able to import it into the AD FS Management application.

  15. Click Complete to finish configuration of your directory.

Add one or more domains to your directory

  1. On your Adobe Admin Console, navigate to Settings > Identity.

  2. In the Domains tab, click Add Domains.

  3. In the Enter Domains screen, enter a list of up to 15 domains, and click Add Domains.

  4. In the Add Domains screen, verify the list of domains and click Add Domains.

  5. Your domains are now added to the Admin Console. However, you still have to demonstrate ownership of these domains.

  6. On the Domains page, click Validate Domain next to any domain that requires validation.

  7. Click Copy Record Value to copy the DNS token displayed, and in your DNS configuration create a TXT record containing this token for each domain you have added, in order to validate them.

    This token will be the same for all domains added within your Adobe Admin Console, so it can be reused for other domains added at a later stage.

    The token does not need to remain in place once a domain has been validated.

    [Screenshot: Validate domain ownership]
  8. You can check whether a TXT record has propagated to other DNS servers online using a website such as MXToolbox, or from the command line using nslookup on a Windows, Linux or Mac OS system as follows:

    $ nslookup
    > set TYPE=TXT
    > example.com
    [..]
    example.com     text = "adobe-idp-site-verification=36092476-3439-42b7-a3d0-8ba9c9c38a6d"

  9. In the Validate Domain Ownership screen, click Validate Now.

    If the DNS token is correctly detected as a TXT record on the domain, the domain is validated and you can begin using it straight away. Domains that do not validate initially are checked periodically in the background, and become validated once the DNS token is correctly detected.
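As an added example (not from the Adobe document), the following PowerShell function performs the propagation check of step 8 against several resolvers at once, using the example.com domain and token shown above; the resolver list is an assumption.

```powershell
# Added example (not from the Adobe document): query each resolver directly for the
# domain's TXT records and report whether the Adobe verification token is visible there.
function Test-AdobeDnsToken {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Token,                 # value after adobe-idp-site-verification=
        [string[]]$Resolvers = @('8.8.8.8', '1.1.1.1')         # assumed public resolvers to compare
    )
    $expected = "adobe-idp-site-verification=$Token"
    foreach ($server in $Resolvers) {
        try {
            # -Server bypasses the local cache, so each answer reflects that resolver's view.
            $records = Resolve-DnsName -Name $Domain -Type TXT -Server $server -ErrorAction Stop
            # TXT answers expose their strings in .Strings; match the whole token string exactly.
            $hit = $records | Where-Object { $_.Strings -contains $expected }
            [pscustomobject]@{ Domain = $Domain; Resolver = $server; Propagated = [bool]$hit; Error = $null }
        } catch {
            [pscustomobject]@{ Domain = $Domain; Resolver = $server; Propagated = $false; Error = $_.Exception.Message }
        }
    }
}

# Token value taken from the nslookup output in step 8.
Test-AdobeDnsToken -Domain 'example.com' -Token '36092476-3439-42b7-a3d0-8ba9c9c38a6d' | Format-Table -AutoSize
```

A row with Propagated = False on only some resolvers means the record has not yet reached them; Validate Now may still fail until it has.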

Configure the AD FS server

To configure SAML integration with AD FS, perform the steps below:

Warning:

All subsequent steps must be repeated after any change to the values in the Adobe Admin Console for a given domain.

  1. Navigate within the AD FS Management application to AD FS -> Trust Relationships -> Relying Party Trusts and click Add Relying Party Trust to start the wizard.

  2. Click Start and select Import data about the relying party from a file, then browse to the location to which you copied the metadata from your Adobe Admin Console.

    [Screenshot: Import metadata]
  3. Name your relying party trust and enter any additional notes as required.

    Click Next.

    [Screenshot: Name relying party trust]
  4. Determine if multi-factor authentication is required and select the relevant option.

    Click Next.

  5. Determine if all users can log on via AD FS.

    Click Next.

  6. Review your settings.

    Click Next.

  7. Your relying party trust has been added.

    Leave the option ticked to open the Edit Claim Rules dialog to quickly access the next steps.

    Click Close.

  8. If the Edit Claim Rules wizard has not opened automatically, you can access it from the AD FS Management application under AD FS -> Trust Relationships -> Relying Party Trusts, by selecting your Adobe SSO relying party trust and clicking Edit Claim Rules... on the right-hand side.

  9. Click Add Rule and configure a rule using the template Send LDAP Attributes as Claims for your attribute store, mapping the LDAP attribute E-Mail-Addresses to the outgoing claim type E-Mail Address.

    [Screenshot: Add transform claim rule]
    [Screenshot: Map LDAP attributes to outgoing claim type]

    Note:

    As shown in the above screenshot, we suggest using email address as the primary identifier. The use of the User Principal Name (UPN) field as the LDAP attribute sent in an assertion as the email address is not recommended. While it is possible to use UPN as the LDAP attribute, this is not an officially supported configuration, and you do so at your own risk.

    Often the UPN does not map to an email address, and will in many cases be different. This will most likely cause problems for notifications and sharing of assets within Creative Cloud.

  10. Click Finish to complete adding the transform claim rule.

  11. Again using the Edit Claim Rules wizard, add a rule using the template Transform an Incoming Claim to convert incoming claims of type E-Mail Address to the outgoing claim type Name ID, with Outgoing Name ID Format set to Email, passing through all claim values.

    [Screenshot: Transform an incoming claim]
    [Screenshot: Transform incoming claim details]
  12. Click Finish to complete adding the transform claim rule.

  13. Using the Edit Claim Rules wizard, add a rule using the template Send Claims Using a Custom Rule containing the following rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

    [Screenshot: Add custom rule]
    [Screenshot: Custom claim rule]
  14. Click Finish to complete the custom rule wizard.

  15. Click OK on the Edit Claim Rules dialog to complete adding these three rules to your relying party trust.

    [Screenshot: Edit claim rules]

    Note:

    The order of the claim rules is important; they must appear as shown here.

  16. Ensure that your new Relying Party Trust is selected, and click Properties on the right-hand side of the window. Select the Advanced tab, and ensure that the Secure hash algorithm is set to SHA-1.

    [Screenshot: Relying party trust properties]

    Note:

    To avoid connectivity problems between systems where the clock differs by a small amount, set the default time skew to 2 minutes. For more information on time-skew, see the troubleshooting errors document.
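The relying party trust, the three claim rules and the step 16 settings can also be applied from PowerShell on the AD FS server. This is an added example, not Adobe's or Microsoft's own configuration: the trust name and metadata path are assumptions, rules 1 and 2 are written out in claim rule language as the two wizard templates generate them, and rule 3 is the custom rule from step 13.

```powershell
# Added example (not from the Adobe document). Requires the AD FS PowerShell module.
$rpName   = 'Adobe SSO'                      # assumed relying party trust name
$metadata = 'C:\Temp\adobe-metadata.xml'     # assumed path of the metadata downloaded from the Admin Console

# Steps 1-7: create the relying party trust from the Admin Console metadata file.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadata -Notes 'Adobe Creative Cloud SSO'

# Steps 9-15: the three claim rules, in the order the document says they must appear.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "Adobe attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Wizard step 5 ("all users can log on via AD FS"): an authorization rule that permits everyone.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 16 and its note: SHA-1 as the document requires (confirm against Adobe's current guidance)
# and a 2 minute NotBefore skew to tolerate small clock differences.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules $permitAll `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -NotBeforeSkew 2

# Read back what AD FS stored so the rule order and settings can be checked against the document.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, NotBeforeSkew, IssuanceTransformRules
```

Re-run the Set-AdfsRelyingPartyTrust call after any change in the Admin Console, as the warning at the start of this section requires.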

Test Single Sign-on

Create a test user in Active Directory. Create an entry on the Admin Console for this user and assign it a license. Then test logging in to Adobe.com to confirm that the relevant software is listed for download.

You can also test by logging in to the Creative Cloud desktop app and from within an application such as Photoshop or Illustrator.

If you encounter problems, see our troubleshooting document. If you still require assistance with your single sign-on configuration, navigate to Support in the Adobe Admin Console and open a ticket with Customer Support.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
