Manage SAML-based SSO for Microsoft Azure
New feature alert

This article describes the older SAML-based setup for Microsoft Azure AD.

For new configurations, use the Azure AD Connector instead: it can be set up within minutes and shortens the domain claim, SSO setup and user-sync process.


Overview

The Adobe Admin Console lets a system administrator claim domains that are then used for Federated ID logins via Single Sign-On (SSO). Once a domain is verified, the directory that contains it is configured so that users with email addresses in that domain can log in to Creative Cloud through an Identity Provider (IdP). The IdP is either a software service that runs inside the company network and is reachable from the Internet, or a cloud service hosted by a third party; in both cases it verifies the user's login details and reports the result to Adobe over the SAML protocol.

One such IdP is Microsoft Azure AD, a cloud-based identity management service.

Azure AD uses the on-premises userPrincipalName attribute as the user principal name (UPN) in Azure AD, or, in a custom Azure AD Connect installation, an attribute you specify. If the UPN suffix does not correspond to a domain verified in Azure AD, it is replaced with the tenant's default .onmicrosoft.com suffix. A UPN rewritten this way no longer lies in the domain you claimed in the Adobe Admin Console, so verify the domain in Azure AD before relying on the UPN to identify Adobe users.

When a user authenticates to the application, Azure AD issues a SAML token to the app containing claims about the user that uniquely identify them. By default these claims include the user's username, email address, first name and last name. You can view and edit the claims sent in the SAML token under User Attributes & Claims, which is also where the user-name claim (Name ID) is released to Adobe. The claim names must match what the Adobe SAML profile expects, as described in the steps below.

Configure single sign-on using Azure

To configure single sign-on for your domain, do the following:

  1. Sign in to the Admin Console and start by creating a Federated ID directory, selecting Other SAML Providers as the identity provider. Copy the values for ACS URL and Entity ID from the Add SAML Profile screen.
  2. Configure Azure specifying the ACS URL and Entity ID, and download the IdP metadata file.
  3. Return to the Adobe Admin Console and upload the IdP metadata file in the Add SAML Profile screen and click Done.

Creating SSO Application in Azure for Adobe

Ensure that the Microsoft Azure portal is accessible and that you are signed in as an administrator who is allowed to create a new enterprise application.

To configure SSO in Azure, perform the following steps:

  1. Navigate to Azure Active Directory > Enterprise Applications > All Applications, and click New Application.

  2. Under Add from the gallery, enter "Adobe Creative Cloud" in the search field.

  3. Select Adobe Creative Cloud, rename the connector if you wish, and click Add. Wait for the process to complete.

  4. Navigate to Azure Active Directory > Enterprise Applications > All Applications, and select your new Adobe Creative Cloud connector application to move to the Overview page.

  5. Select Single sign-on > SAML.

  6. Under Basic SAML Configuration, click Edit and enter the Entity ID copied from the Adobe Admin Console as the Identifier (Entity ID) and the ACS URL as the Reply URL (Assertion Consumer Service URL). Then click Save.

  7. Under User Attributes & Claims, click Edit. Use Add new claim to add the following claims, leaving the Namespace entry blank. Claim names are case-sensitive and must match the table exactly.

    Name        Source attribute    Namespace
    FirstName   user.givenname      (blank)
    LastName    user.surname        (blank)
    Email       user.mail           (blank)

  8. When all the attributes match the values above, close the User Attributes & Claims page.

    Note:

    • The Unique User Identifier (Name ID) claim determines how Adobe identifies the user. To authenticate users by email, set it to user.mail; to authenticate users by UserPrincipalName, set it to user.userprincipalname. Its value must match the username of the Federated ID user in the Adobe Admin Console.
    • user.mail is populated only for users with a valid Office 365 Exchange Online (ExO) license. For other users the Email claim is not added to the SAML response, and Adobe cannot match the login to a user.

  9. In the SAML Signing Certificate section, download the Federation Metadata XML file and save it to your computer. This is the IdP metadata file the Adobe Admin Console expects: it carries the Azure AD entity ID, the sign-on URL and the signing certificate. Certificate (Base64), offered in the same section, is the signing certificate alone; keep a copy so you can check its expiry date, because when Azure AD rotates the signing certificate the Admin Console keeps validating against the old one until you re-upload the metadata.

  10. If you need them, copy the Login URL and Azure AD Identifier from the Set up <Name> section.

  11. Close the documentation pane on the Azure portal and return to the Enterprise Application configuration window for your Adobe SSO connector.
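The checks that steps 6 to 8 set up can be exercised offline against a captured SAML response. The following is an added example, not Adobe's or Microsoft's code: it assumes the claim names FirstName, LastName and Email from the table above and a Name ID set to user.mail, and it verifies that the assertion's Audience is the Entity ID, its Recipient is the ACS URL, its validity window covers the current time and the required claims are present. SAMPLE_RESPONSE is a constructed, unsigned fixture whose Entity ID, ACS URL and tenant ID are placeholders; signature verification is the service provider's job and is not repeated here.

```python
# Added example for the Azure AD -> Adobe SAML profile; not code from the original page.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REQUIRED_CLAIMS = ("FirstName", "LastName", "Email")   # names from the claims table


def _iso(ts):
    """SAML timestamps look like 2024-05-01T12:00:00Z; turn them into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_saml_response(xml_text, entity_id, acs_url, now):
    """Return a list of problems; an empty list means the response fits the Adobe profile."""
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion element (encrypted or empty response)")
        return problems
    # Audience must be the Entity ID and Recipient the ACS URL from the Admin Console;
    # otherwise an assertion issued for another service provider could be replayed here.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience {audience!r} is not the Entity ID {entity_id!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} is not the ACS URL {acs_url!r}")
    # Validity windows; a failure here usually means clock skew between Azure AD and the SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if "NotBefore" in cond.attrib and now < _iso(cond.get("NotBefore")):
            problems.append("assertion is not yet valid")
        if "NotOnOrAfter" in cond.attrib and now >= _iso(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired")
    if scd is not None and "NotOnOrAfter" in scd.attrib and now >= _iso(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation has expired")
    # Claims: names are case-sensitive and must match the table exactly.
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS) or ""
        claims[attr.get("Name", "")] = value.strip()
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            # Email is empty for users without an Exchange Online mailbox licence.
            problems.append(f"claim {name!r} is missing or empty")
    # With Name ID = user.mail, the Name ID and the Email claim name the same account.
    name_id = (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if claims.get("Email") and name_id.lower() != claims["Email"].lower():
        problems.append(f"Name ID {name_id!r} does not match Email claim {claims['Email']!r}")
    return problems


# Constructed fixture: placeholder Entity ID, ACS URL and tenant ID, no signature.
ENTITY_ID = "https://sp.example/entity"
ACS_URL = "https://sp.example/acs"
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="https://sp.example/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/entity</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    problems = check_saml_response(SAMPLE_RESPONSE, ENTITY_ID, ACS_URL, SAMPLE_NOW)
    print("problems:", problems or "none")
```

To test a real login, capture the SAMLResponse form field from the browser's developer tools, base64-decode it and pass the XML to check_saml_response together with the Entity ID and ACS URL shown on the Add SAML Profile screen. A missing Email claim is the typical symptom of a user without an Exchange Online licence, and an Audience or Recipient mismatch means step 6 was filled in with the wrong values.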

Upload IdP metadata file to Adobe Admin Console

To load the Azure configuration into the Adobe Admin Console, return to the Add SAML Profile screen, upload the Federation Metadata XML file downloaded from Azure and click Done. Repeat this upload whenever the Azure AD signing certificate is renewed: the Admin Console validates assertion signatures against the certificate contained in the uploaded metadata, and logins fail once Azure AD signs with a certificate it does not know.

Assigning Users via Azure

To permit users to log in through the Adobe Creative Cloud connector, assign them to the application in Azure as described below. Assignment in Azure only controls who can authenticate; product entitlements must still be granted in the Adobe Admin Console. Keep the application's Assignment required? property (under Properties) set to Yes, otherwise every user in the tenant can authenticate to the connector whether or not they are listed here.

  1. Navigate to Azure Active Directory > Enterprise Applications > All Applications, and select your Adobe Creative Cloud connector application.

  2. Click Users and groups.

  3. Click Add user to select users to assign to this connector which will allow them to sign in via Single Sign-On.

  4. Click Users or Groups and select one or more users or groups to be permitted to log in to Creative Cloud, then click Select followed by Assign.

Testing User Access

Check access with a user who exists both in your own identity management system (and is assigned to the connector in Azure) and in the Adobe Admin Console, by logging in to the Adobe website or the Creative Cloud desktop app with that user's Federated ID.

If you encounter problems, see our troubleshooting document.

If you need assistance with your single sign-on configuration, navigate to Adobe Admin Console > Support to contact us.