Overview

1.setup-identity

The Adobe Admin Console allows a system administrator to configure domains which are used for login via Federated ID for Single Sign-On (SSO). Once the domain is verified, the directory containing the domain is configured to allow users to log in to Creative Cloud. Users can log in using email addresses within that domain via an Identity Provider (IdP). The process is provisioned either as a software service which runs within the company network and is accessible from the Internet or a cloud service hosted by a third party that allows for the verification of user login details via secure communication using the SAML protocol.

One such IdP is Microsoft Active Directory Federation Services, or AD FS. To use AD FS, a server must be configured which is accessible from the workstations on which users will be logging-in, and which has access to the directory service within the corporate network. This document aims to describe the process necessary to configure the Adobe Admin Console and a Microsoft AD FS server to be able to log in to Adobe Creative Cloud applications and associated websites for Single Sign-On.

The IdP does not have to be accessible from outside the corporate network, but if it is not, only workstations within the network (or connected via VPN) will be able to perform authentication to activate a license or sign in after deactivating their session.


Примітка.

Instructions and screenshots in this document are for AD FS version 3.0, but the same menus are present in AD FS 2.0.

Prerequisites

Before creating a directory for single sign-on using Microsoft AD FS, the following requirements must be met:

  • A Microsoft Windows Server installed with Microsoft AD FS and the latest operating system updates. If you want the users to use Adobe products with macOS, ensure that your server supports TLS version 1.2 and forward secrecy.
  • The server must be accessible from users' workstations (for example, via HTTPS).
  • Security certificate obtained from the AD FS server.
  • All Active Directory accounts to be associated with a Creative Cloud for enterprise account must have an email address listed within Active Directory.

Create a directory in the Adobe Admin Console

To configure single sign-on for your domain, do the following:

  1. Sign in to the Admin Console and start with creating a Federated ID directory, selecting Other SAML Providers as the identity provider. Download the Adobe metadata file from the Add SAML Profile screen.
  2. Configure AD FS specifying the ACS URL and Entity ID, and download the IdP metadata file.
  3. Return to the Adobe Admin Console and upload the IdP metadata file in the Add SAML Profile screen and click Done.

Configure the AD FS server

To configure SAML integration with AD FS, perform the below steps:

Увага!

All subsequent steps must be repeated after any change to the values in the Adobe Admin Console for a given domain.

  1. Navigate within the AD FS Management application to AD FS -> Trust Relationships -> Relying Party Trusts and click Add Relying Party Trust to start the wizard.

  2. Click Start and select Import data from a relying party from a file, then browse to the location to which you copied the metadata from your Adobe Admin Console.

    08_-_import_metadata
  3. Name your relying party trust and enter any additional notes as required.

    Click Next.

    09_-_name_relyingpartytrust
  4. Determine if multi-factor authentication is required and select the relevant option.

    Click Next.

  5. Determine if all users can log on via AD FS.

    Click Next.

  6. Review your settings.

    Click Next.

  7. Your relying party trust has been added.

    Leave the option ticked to open the Edit Claim Rules dialog to quickly access the next steps.

    Click Close.

  8. If the Edit Claim Rules wizard has not opened automatically, you can access it from the AD FS Management application under AD FS -> Trust Relationships -> Relying Party Trusts, by selecting your Adobe SSO relying party trust and clicking Edit Claim Rules... on the right-hand-side.

  9. Click Add rule and configure a rule using the template Send LDAP attributes as Claims for your attribute store, mapping the LDAP Attribute E-Mail-Addresses to Outgoing Claim Type E-Mail Address.

    10_-_add_transformationclaimrule
    11_-_map_ldap_attributestooutgoingclaimtype

    Примітка.

    As shown in the above screenshot, we suggest using email address as the primary identifier. You can also use the User Principal Name (UPN) field as the LDAP attribute sent in an assertion as the email address. However, we do not recommend this to configure Claim Rule.

    Often the UPN does not map to an email address, and will in many cases be different. This will most likely cause problems for notifications and sharing of assets within Creative Cloud.

  10. Click Finish to complete adding the transform claim rule.

  11. Again, using the Edit Claim Rules wizard, add a rule using the template. Transform an incoming claim to convert Incoming claims of type E-Mail Address with Outgoing Claim Type Name ID and Outgoing Name ID Format as Email, passing through all claim values.

    12_-_transform_anincomingclaim
    13_-_transform_incomingclaim
  12. Click Finish to complete adding the transform claim rule.

  13. Using the Edit Claim Rules wizard, add a rule using the template Send Claims Using a Custom Rule containing the following rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

    14_-_add_custom_rule
    15_-_custom_claimrule
  14. Click Finish to complete the custom rule wizard.

  15. Click OK on the Edit Claim Rules dialog to complete adding these three rules to your relying party trust.

    16_-_edit_claim_rules

    Примітка.

    The order of the claim rules is important; they must appear as shown here.

To avoid connectivity problems between systems where the clock differs by a small amount, set the default time skew to 2 minutes. For more information on time-skew, see the troubleshooting errors document.

Download the AD FS metadata file

  1. Open the AD FS Management application on your server, and within the folder AD FS > Service > Endpoints, and select the Federation Metadata.

    Metadata location
  2. Use a browser to navigate to the URL provided against Federation Metadata and download the file. For example, https://<your AD FS hostname>/FederationMetadata/2007-06/FederationMetadata.xml.

    Примітка.

    Accept any warnings if prompted.

Upload IdP metadata file to Adobe Admin Console

To update the latest certificate, return to Adobe Admin Console. Upload the metadata file downloaded from AD FS to the Add SAML profile screen and click Done.

Test Single Sign-on

Create a test user with active directory. Create an entry on the Admin Console for this user and assign it a license. Then, test logging in to Adobe.com to confirm that the relevant software is listed for download.

You can also test by logging in to Creative Cloud Desktop and from within an application such as Photoshop or Illustrator.

If you encounter problems, see our troubleshooting document. If you still require assistance with your single sign-on configuration, navigate to Support in the Adobe Admin console, and open a ticket with Customer Support.

Цей документ захищено ліцензією Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Публікації Twitter™ і Facebook не підпадають під умови ліцензії Creative Commons.

Юридична інформація   |   Політика мережевої конфіденційності