The Adobe Admin Console allows a system administrator to configure domains that are used for login via Federated ID for Single Sign-On (SSO). Once a domain is verified, the directory containing it is configured to allow users to log in to Creative Cloud with email addresses in that domain, authenticating through an Identity Provider (IdP). The IdP is either software running inside the company network and reachable from the Internet, or a cloud service hosted by a third party; in both cases it verifies the user's login details and reports the result to Adobe over the SAML protocol.
One such IdP is Shibboleth. To use Shibboleth, you need a server that is reachable from the Internet and has access to the directory services within the corporate network. This document describes how to configure the Admin Console and a Shibboleth server so that users can log in to Adobe Creative Cloud applications and associated websites with Single Sign-On.
Access to the IdP is commonly provided through a separate network segment, a DMZ (demilitarized zone), configured with rules that allow only specific types of communication between the servers and the internal and external networks. The operating-system configuration of this server and the topology of such a network are beyond the scope of this document.
Before configuring a domain for Single Sign-On using Shibboleth IdP, the following requirements must be met:
The steps to configure Shibboleth IdP with Adobe SSO described in this document have been tested with Shibboleth IdP version 3.
To configure single sign-on for your domain, do the following:
After you have downloaded the SAML XML metadata file from the Adobe Admin Console, follow the steps below to update the Shibboleth configuration files.
Copy the downloaded metadata file to the following location and rename the file to adobe-sp-metadata.xml:
%{idp.home}/metadata/
Update the file to ensure the correct information is passed back to Adobe.
Replace the following lines in the file:
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
With:
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
Also, replace:
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
With:
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
These two flags tell the IdP not to require a signature on Adobe's AuthnRequests and not to sign each assertion individually. The IdP still signs the SAML Response it posts back through the browser; that signature is what protects the integrity of the assertion, so leave response signing at its default in relying-party.xml.
Edit the metadata-providers.xml file.
Update %{idp.home}/conf/metadata-providers.xml so that the LocalMetadata provider at the end of the block below points at the adobe-sp-metadata.xml file you created in Step 1. The commented-out HTTPMetadata provider above it is the stock example from the distribution and can stay as it is. Note the warning in the stock comment: a FilesystemMetadataProvider without a SignatureValidation filter trusts the file's contents as-is, so restrict write access to adobe-sp-metadata.xml to the IdP's service account.
<!--
<MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml" metadataURL="http://WHATEVER">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
        <PublicKey>
            MIIBI.....
        </PublicKey>
    </MetadataFilter>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
-->

<!--
Example file metadata provider. Use this if you want to load metadata from a local file.
You might use this if you have some local SPs which are not "federated" but you wish to offer a service to.

If you do not provide a SignatureValidation filter, then you have the responsibility to
ensure that the contents are trustworthy.
-->

<MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider"
    metadataFile="%{idp.home}/metadata/adobe-sp-metadata.xml"/>
If you are unable to successfully log in to adobe.com, check the following Shibboleth configuration files for any possible issues:
The attribute filter (attribute-filter.xml), which you updated when configuring Shibboleth, controls which attributes are released to the Adobe service provider. The attribute resolver maps those attribute IDs to the attributes your LDAP directory or Active Directory actually holds.
Edit the attribute-resolver.xml file at the following location:
%{idp.home}/conf/attribute-resolver.xml
For each of the following attribute definitions, set sourceAttributeID to the directory attribute your organization uses; the values shown (mail, givenName, sn) are the standard LDAP names and also apply to Active Directory. The ref="myLDAP" dependency must name the id of the LDAP DataConnector in your attribute-resolver.xml, and the Email, FirstName and LastName attributes must also be released to the Adobe relying party by attribute-filter.xml, or they will not appear in the assertion.
<resolver:AttributeDefinition xsi:type="ad:Simple" id="NameID" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="Email" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="Email" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="FirstName" sourceAttributeID="givenName">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="FirstName" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="LastName" sourceAttributeID="sn">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="LastName" />
</resolver:AttributeDefinition>
Update the relying-party.xml at the following location to support the saml-nameid format as required by the Adobe service provider:
%{idp.home}/conf/relying-party.xml
In the RelyingPartyByName override shown below, replace the [entityId] placeholder with the entityID attribute from adobe-sp-metadata.xml (the override applies only when that value matches exactly; otherwise the IdP silently uses the default relying party), and set p:nameIDFormatPrecedence on the SAML2.SSO bean to the emailAddress format.
<bean parent="RelyingPartyByName" c:relyingPartyIds="[entityId]">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:postAuthenticationFlows="attribute-release" p:encryptAssertions="false" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="Liberty.SSOS" />
        </list>
    </property>
</bean>
Also, to turn off encryption of the assertions, in the DefaultRelyingParty section (the shibboleth.DefaultRelyingParty bean), for each of the SAML2 profile beans:
Replace:
encryptAssertions="conditional"
With:
encryptAssertions="never"
With encryption off, the attributes in the assertion (email address and name) pass through the user's browser as base64-encoded plain text; their confidentiality then rests entirely on TLS at the IdP and Adobe endpoints, and their integrity on the IdP's Response signature.
Update the saml-nameid.xml at the following location:
%{idp.home}/conf/saml-nameid.xml
In the list of SAML 2 NameID generators, make sure an emailAddress generator of the form below is present and not commented out (the stock IdP 3 file carries one commented out), with p:attributeSourceIds set to "#{ {'Email'} }", the id of the Email attribute defined in attribute-resolver.xml:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    p:attributeSourceIds="#{ {'Email'} }" />
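The following Python script is an added example, not part of Adobe's or Shibboleth's documentation. It applies the Step 1 edits to the SP metadata with a namespace-aware parser instead of hand-editing, reports which of those edits are still missing from a file (useful when login fails), and checks that the RelyingPartyByName override in relying-party.xml really matches Adobe's entityID and carries the SAML2.SSO settings from the steps above. The SP metadata and relying-party fragment embedded in it are constructed placeholders (sp.example.com is not an Adobe endpoint); to use it on a live server, read your real files in place of the two samples.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BEANS = "http://www.springframework.org/schema/beans"
C_NS = "http://www.springframework.org/schema/c"
P_NS = "http://www.springframework.org/schema/p"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"md": MD}

# Constructed stand-in for the file downloaded from the Admin Console. The
# entityID is a placeholder, not Adobe's real value.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/adobe">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the RelyingPartyByName override in relying-party.xml.
SAMPLE_RELYING_PARTY = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:c="http://www.springframework.org/schema/c"
    xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.com/saml/adobe">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO"
            p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            p:postAuthenticationFlows="attribute-release"
            p:encryptAssertions="false"/>
      </list>
    </property>
  </bean>
</beans>
"""


def prepare_adobe_sp_metadata(xml_text):
    """Apply the Step 1 edits and return (edited_xml, entity_id); the entityID
    is the value relying-party.xml must match."""
    ET.register_namespace("md", MD)
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    # Adobe's SP does not sign AuthnRequests and does not need per-assertion
    # signatures; the IdP still signs the SAML Response, which protects the assertion.
    sp.set("AuthnRequestsSigned", "false")
    sp.set("WantAssertionsSigned", "false")
    # Collapse the persistent/transient formats to emailAddress only, keeping the
    # element where the first NameIDFormat was so schema ordering is preserved.
    old_formats = sp.findall("md:NameIDFormat", NS)
    position = list(sp).index(old_formats[0]) if old_formats else 0
    for old in old_formats:
        sp.remove(old)
    email_format = ET.Element(f"{{{MD}}}NameIDFormat")
    email_format.text = EMAIL_FMT
    sp.insert(position, email_format)
    return ET.tostring(root, encoding="unicode"), root.get("entityID")


def check_sp_metadata(xml_text):
    """Troubleshooting aid: return the Step 1 edits that are still missing."""
    problems = []
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element"]
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr) != "false":
            problems.append(f"{attr}={sp.get(attr)!r}, expected 'false'")
    formats = [f.text for f in sp.findall("md:NameIDFormat", NS)]
    if formats != [EMAIL_FMT]:
        problems.append(f"NameIDFormat list is {formats}, expected [{EMAIL_FMT!r}]")
    return problems


def check_relying_party_override(rp_xml, entity_id):
    """Return problems with the RelyingPartyByName override for entity_id. An
    unreplaced [entityId] placeholder means no override matches at all."""
    root = ET.fromstring(rp_xml)
    bean_tag, ids_attr = f"{{{BEANS}}}bean", f"{{{C_NS}}}relyingPartyIds"
    override = next((b for b in root.iter(bean_tag)
                     if entity_id in [i.strip() for i in b.get(ids_attr, "").split(",")]),
                    None)
    if override is None:
        return [f"no RelyingPartyByName bean lists {entity_id}"]
    sso = next((b for b in override.iter(bean_tag) if b.get("parent") == "SAML2.SSO"), None)
    if sso is None:
        return ["override has no SAML2.SSO profile bean"]
    problems = []
    if EMAIL_FMT not in sso.get(f"{{{P_NS}}}nameIDFormatPrecedence", ""):
        problems.append("SAML2.SSO nameIDFormatPrecedence lacks emailAddress")
    if sso.get(f"{{{P_NS}}}encryptAssertions") not in ("false", "never"):
        problems.append("SAML2.SSO encryptAssertions is not disabled")
    return problems
```

Typical use is `edited, entity_id = prepare_adobe_sp_metadata(open(path).read())`, writing `edited` back to %{idp.home}/metadata/adobe-sp-metadata.xml, then `check_relying_party_override(open(rp_path).read(), entity_id)` after editing relying-party.xml; an empty list from each check function means the file matches the steps above, and each string in a non-empty list names one setting still to fix.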
To upload the Shibboleth metadata file to the Admin Console:
After configuring Shibboleth, the IdP metadata file (idp-metadata.xml) is available at the following location on your Shibboleth server (the same metadata directory, %{idp.home}/metadata/, used in Step 1):
<shibboleth>/metadata
Return to the Adobe Admin Console.
Upload the Shibboleth metadata file on the Add SAML profile screen.
Click Done.
For more details, see how to create directories on the Admin Console.
Check the user access for a user who you have defined in your own identity management system and in the Adobe Admin Console, by logging in to the Adobe website or the Creative Cloud desktop app.
If you encounter problems, see our troubleshooting document.
If you still require assistance with your single sign-on configuration, navigate to Support in the Adobe Admin Console and open a ticket.