Difference between revisions of "Adobe Cloud"

From Studentnet Wiki
Line 1: Line 1:
When setting up Adobe Cloud one of your first tasks is to define and set up an identity system against which your end users will be authenticated. As your organization purchases licenses for Adobe products and services, you will need to provision those licenses to your end users. And for this, you will need a way to authenticate these users. Adobe provides multiple identity types but the main identity type that you can use to authenticate users is Enterprise ID.
+
These instructions are for Adobe Single Sign On
  
 
===SSO Setup with Adobe===
 
===SSO Setup with Adobe===
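Review bot: The page no longer explains why an identity system has to be chosen before licences are provisioned, because the one-line intro at Line 1 replaces the paragraph that covered identity types. Suggest keeping one sentence after "These instructions are for Adobe Single Sign On" that states which Adobe identity type these SSO steps configure, so readers know what the directory created in "SSO Setup with Adobe" is for.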
Line 30: Line 30:
  
 
If your organization wants to test SSO integration, it is recommended that you claim a test domain that you own, as long as your organization has an Identity Provider with identities set up in that test domain. This allows you to test the integration before you claim the main domains, until you feel comfortable with the domain claim and configuration process.
 
If your organization wants to test SSO integration, it is recommended that you claim a test domain that you own, as long as your organization has an Identity Provider with identities set up in that test domain. This allows you to test the integration before you claim the main domains, until you feel comfortable with the domain claim and configuration process.
 +
 +
===Verifying Domain with Adobe===
 +
#Contact Adobe support with the following information:
 +
#*Email address of your Adobe Sign Account Adminstrator
 +
#*The domain that needs to be claimed. Eg. <schoolname>.nsw.edu.au
 +
#Wait for a reply from Adobe giving a TXT record.
 +
#Publish the TXT record in the domain you wished to claim
 +
  
 
===Configure SAML Settings===
 
===Configure SAML Settings===
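Review bot: The added "Verifying Domain with Adobe" list ends at "Publish the TXT record" with no step for confirming that the record is visible or that Adobe has accepted the claim, so a reader cannot tell when it is safe to continue to "Configure SAML Settings". Suggest adding a final step that says how completion is confirmed. Also, "Adminstrator" is misspelled and "you wished to claim" should read "you wish to claim".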

Revision as of 05:07, 15 June 2021

These instructions are for Adobe Single Sign On

SSO Setup with Adobe

To set up a directory:

  1. Log in to the Adobe Admin Console.
  2. Navigate to Settings > Create Directory.
  3. Enter a directory name
  4. Select Federated ID
  5. Adobe will provision the directory. This usually takes up to 48 hours.

SSO Setup with Cloudwork

After you receive the email from Adobe confirming that your directory is provisioned, configure the SAML settings for the directory.

SSO requirements

To successfully set up SSO for Adobe software, IT Admins need the following:

  • An understanding of SAML 2.0
  • An Identity Provider (IdP) that supports SAML 2.0 and that provides, at a minimum:
    • IdP Certificate
    • IdP Login URL
    • IdP Binding: HTTP-POST or HTTP-Redirect
    • Assertion consumer service URL
  • Access to your DNS configuration for the domain claim process

The IdP login URL does not need to be reachable from outside the organization for users to log in. However, if it is reachable only from the organization's internal network, users can log in to Adobe products only while they are connected to that network, whether directly, via Wi-Fi or via VPN. The login page does not have to be accessible only via HTTPS, but HTTPS is recommended for security reasons.

If your organization wants to test SSO integration, it is recommended that you claim a test domain that you own, as long as your organization has an Identity Provider with identities set up in that test domain. This allows you to test the integration before you claim the main domains, until you feel comfortable with the domain claim and configuration process.

Verifying Domain with Adobe

  1. Contact Adobe support with the following information:
    • Email address of your Adobe Sign Account Administrator
    • The domain that needs to be claimed, e.g. <schoolname>.nsw.edu.au
  2. Wait for a reply from Adobe giving a TXT record.
  3. Publish the TXT record in the domain you wish to claim.


Configure SAML Settings

You can find this information in the Cloudwork Dashboard under Features > Single Sign On > Identity Provider:

  • IdP Certificate: Download it from your dashboard
  • IdP Binding: Redirect
  • IdP Issuer: Your Entity ID
  • IdP Login URL: Your Sign On Endpoint

When prompted to download the metadata file, you can either email it to us and we will import it for you, or you can follow the instructions below:

1. Go to your Cloudwork dashboard.

2. Click Add New Service.

3. Click Upload an XML File.

  • Give the service a recognisable name (e.g. Adobe Enterprise), select the file, and click Submit.

4. Go back to the Services List and select the newly created service.

5. Edit the Attribute Map and update the "Maps to" values as follows:

  • First Name: FirstName
  • Last Name: LastName
  • Email: Email

6. Click Submit.

7. In the SAML Configuration section, edit the newly created service and change NameID Value to Email or Username, depending on your chosen identifier (i.e. the User login setting which you specified on the Adobe form).

8. Click Submit.

9. Proceed with configuring Adobe.


Migrating Adobe SSO from SHA1 to SHA256

This step is needed only if the Adobe Admin Console reports a deprecated IdP certificate for your directory.

Adobe Side:

  1. Go to Adobe Admin Console > Settings > Directories.
  2. Select the Edit action for the directory. Then, in Details, select “Add new IdP”.
  3. Select Other SAML providers. Click Next.
  4. Save Adobe’s XML file from the Adobe Admin Console.
  5. Log in to the Cloudwork Dashboard and navigate to Single Sign On > Identity Provider.
  6. Under XML, click Download and save Cloudwork’s XML file.
  7. Upload Cloudwork’s XML file to the Adobe Admin Console. Then click Save.

Cloudwork Side:

  1. Log in to the Cloudwork Dashboard and navigate to Single Sign On > Add New Service.
  2. Click Adobe Cloud.
  3. Upload Adobe’s XML file and click Submit.
  4. Go to the service > SAML Config > Edit.
  5. In Signature Algorithm, select SHA256
  6. Click Submit

Testing SSO Service:

  1. In the Adobe Admin Console>Directory details, choose the new authentication profile you just created.
  2. Click Test to verify whether the configuration is set up correctly.
  3. If the test passes, click Activate to migrate to the new authentication profile. Once done, the new profile displays In use.
  4. After activating, make sure the value of the Subject field in the assertion from the new SAML configuration matches the existing users' username format in the Admin Console.
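
The two things to confirm after the migration, that the response no longer declares SHA-1 and that the Subject matches the existing username format, can be checked on a decoded SAML response captured during the test login. This is an added example, not part of the original page or of either product; `audit_response`, the template and the sample subjects are constructed, and the check reads the declared algorithms only, without verifying the signature itself.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SHA1_URIS = {DS + "rsa-sha1", DS + "dsa-sha1", DS + "sha1"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed, trimmed response: signature and digest values are omitted
# because only the declared algorithms and the Subject are inspected here.
TEMPLATE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig}"/>
      <ds:Reference><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def audit_response(response_xml, subject_format=EMAIL):
    """List problems in a decoded SAML response; does not verify signatures."""
    root = ET.fromstring(response_xml)
    algs = [e.get("Algorithm") for tag in ("SignatureMethod", "DigestMethod")
            for e in root.iter("{%s}%s" % (DS, tag))]
    findings = []
    if not algs:
        findings.append("response carries no ds:Signature")
    findings += ["SHA-1 still in use: " + a for a in algs if a in SHA1_URIS]
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject_format.match(subject):
        findings.append("Subject %r is not in the expected format" % subject)
    return findings
```

Pass a different `subject_format` pattern when the directory's User login setting is Username rather than Email.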