Using your Edugate Shibboleth Identity Provider to login to Adobe (e.g. Creative Cloud)

In order to complete the configuration process, you must be an identity administrator with appropriate access privileges for both your Adobe organization account and your IdP account. You must have the following:

  • A working SAML 2.0 compliant IdP (this article is for Shibboleth 2.x and 3.x)
  • Administrative access to both the Adobe Enterprise Dashboard and the Edugate Federation Manager.
  • Access to the Edugate Resource Registry
  • An approved domain claim for your Adobe organization account.

Step 1. Obtain the IdP details from the Edugate Registry

Log in to the Registry at https://edugate.heanet.ie/rr3, click on the Identity Provider menu and enter your organisation name in the search field, then click on your organisation when it appears in the search results. On the 'General' tab, make a note of the entityID. On the 'Metadata' tab, click the 'SAML' sub-tab and make a note of the URL in the IDPSSODescriptor section that corresponds to the HTTP-POST SAML2 binding. Still on the 'SAML' sub-tab, click on 'Certificates', then click on the 'certificate body' link in the IDPSSODescriptor section. Copy the expanded text, including the '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' lines, and save it to a file using a text editor (use the .pem file extension).

Step 2. Enter IdP details in the Adobe Enterprise Dashboard

Use the SSO configuration page in the Adobe Enterprise Dashboard to enter the required information for your IdP.

You must fill in these fields using the data you noted in step 1.

  • IDP Certificate: The PEM-format certificate from your IdP metadata that you saved in step 1. The file must have the extension .crt, so rename it if you saved it as .pem (the content is unchanged).
  • IDP issuer: The entity ID of your IdP.
  • IDP Login URL: URL you copied from the 'SAML' tab of the registry.
  • IDP binding: HTTP-POST
  • User login setting: Choose simple username (email can also be used if Adobe accounts have been provisioned with email addresses)

When you click Save, Adobe creates and configures a service provider for your organization. A link on the screen provides access to the metadata file for the new service provider (the Adobe Metadata). Download that file and send it to noc@heanet.ie, requesting that the Adobe metadata be added to your Edugate circle of trust. Alternatively, register the Adobe Metadata yourself in the Registry at https://edugate.heanet.ie/rr3/providers/sp_registration.

Make a note of the entityID value listed at the beginning of the Adobe metadata; you will need it in step 3.
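Copying the entityID, the HTTP-POST endpoint and the certificate by hand (steps 1 and 2) is where transcription mistakes creep in, for instance taking the HTTP-Redirect URL or an encryption-only key. The script below is an added example, not Edugate or Adobe tooling: it reads the same fields out of SAML metadata XML and writes the certificate in the PEM form the dashboard wants. The metadata it parses is a constructed sample with invented URLs and a placeholder certificate body.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: a cut-down IdP EntityDescriptor. The entityID and URLs are
# invented and the certificate body is a placeholder, not a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.ac.ie/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICEXAMPLEBASE64BODYLINE1MIICEXAMPLEBASE64BODYLINE1MIICEXAMPLEBASE64BODY
        LINE2MIICEXAMPLEBASE64BODY
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.ac.ie/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.ac.ie/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_details(metadata_xml):
    """Return (entityID, HTTP-POST SSO URL, PEM signing certificate) for the IdP role."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # The dashboard's IDP binding is HTTP-POST, so take that endpoint and no other.
    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == HTTP_POST]
    if not post_urls:
        raise ValueError("IDPSSODescriptor has no HTTP-POST SingleSignOnService")
    # Use the signing key (use="signing" or no use attribute), never an encryption-only key.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            break
    else:
        raise ValueError("no signing certificate in IDPSSODescriptor")
    # Metadata carries the bare base64 DER body; PEM adds the header/footer and 64-column lines.
    b64 = "".join(cert.text.split())
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(b64, 64))
    return root.get("entityID"), post_urls[0], pem
```

The same `root.get("entityID")` read applied to the downloaded Adobe metadata gives the SP entityID that step 3 needs.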

Step 3. Shibboleth changes

Shibboleth needs to be adjusted to produce user attributes in the format Adobe expects (Adobe cannot be adjusted to accept the attributes produced for Edugate). The changes outlined below should not interfere with your Shibboleth configuration for other services. Note that Shibboleth's XML syntax has changed between versions, so you may need to adjust this text to match the format used in your files.

  • attribute-resolver.xml: Replace 'myLDAP' with whatever DataConnectors you have for your user ID sources (DataConnectors are defined at the bottom of attribute-resolver.xml). In the example below, the Windows username (sAMAccountName) is used to populate the user identifier that is sent to Adobe; if you chose email in step 2, change sAMAccountName to an attribute whose value is the user's email address (e.g. the mail attribute). You are also expected to supply an email address, and the example below assumes this value exists in your directory in the 'mail' attribute.
    <!-- Directory value that becomes the Adobe user identifier; dependencyOnly keeps it out of other releases -->
    <resolver:AttributeDefinition id="AdobePrincipalTemp" xsi:type="ad:Simple" sourceAttributeID="sAMAccountName" dependencyOnly="true">
        <resolver:Dependency ref="myLDAP" />
    </resolver:AttributeDefinition>
    <!-- ADOBE.com RULES -->
    <!-- Adobe NameID attribute -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe-principal" sourceAttributeID="AdobePrincipalTemp">
        <resolver:Dependency ref="AdobePrincipalTemp" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
    </resolver:AttributeDefinition>
    <!-- Adobe attributes -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe_firstname" sourceAttributeID="givenName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="FirstName" />
    </resolver:AttributeDefinition>
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe_lastname" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="LastName" />
    </resolver:AttributeDefinition>
    <!-- Email is read straight from the directory 'mail' attribute via the same DataConnector -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="adobe_email" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="Email" />
    </resolver:AttributeDefinition>
  • relying-party.xml: Enter the text below, changing the RelyingParty id to the value you noted in step 2 and the provider to your own IdP entityID as noted in step 1.
    <rp:RelyingParty id="https://www.okta.com/saml2/service-provider/CHANGETHISWITHYOURADOBEVALUE"
                     provider="https://idp.dit.ie/idp/shibboleth"
                     defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
    </rp:RelyingParty>
  • attribute-filter.xml: Enter the text below, changing the AttributeRequesterString value to the RelyingParty id you noted in step 2.
    <afp:AttributeFilterPolicy id="adobe">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://www.okta.com/saml2/service-provider/CHANGETHISWITHYOURADOBEVALUE" />
        <!-- Suppress the default transientId so adobe-principal is the only NameID candidate -->
        <afp:AttributeRule attributeID="transientId">
            <afp:DenyValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="adobe-principal">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="adobe_firstname">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="adobe_lastname">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="adobe_email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
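After the three files above are in place, the quickest way to confirm the result is to inspect an assertion the IdP issues to the Adobe requester (for instance one decoded from the IdP's own logs or a browser trace) and compare it with what step 3 should produce: a persistent NameID plus exactly FirstName, LastName and Email. The checker below is an added example, not part of this guide or of Shibboleth; the assertion it checks is a constructed sample with invented values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# The SAML attribute names set by the adobe_* AttributeEncoders in attribute-resolver.xml
EXPECTED_ATTRS = {"FirstName", "LastName", "Email"}

# Constructed sample assertion (issuer, user and values invented; not captured from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.ac.ie/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jbloggs</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Joe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Bloggs</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jbloggs@example.ac.ie</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_adobe_assertion(assertion_xml):
    """Return a list of problems; an empty list means the assertion matches the step 3 config."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        # Typical cause: adobe-principal not released, or sAMAccountName empty for this user
        problems.append("no NameID value: adobe-principal was not released or its source is empty")
    elif name_id.get("Format") != PERSISTENT:
        # transientId still winning means the DenyValueRule in attribute-filter.xml is not applied
        problems.append("NameID Format is %r, expected persistent" % name_id.get("Format"))
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    for name in sorted(EXPECTED_ATTRS - set(attrs)):
        problems.append("attribute %s missing (check the adobe_* definitions and filter rules)" % name)
    for name in sorted(set(attrs) - EXPECTED_ATTRS):
        problems.append("unexpected attribute %s released to Adobe" % name)
    for name, values in attrs.items():
        if not any((v or "").strip() for v in values):
            problems.append("attribute %s released with no value" % name)
    return problems
```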