OpenAthens LA support ended on 31 March 2020


With a couple of tweaks, OpenAthens LA can be used to sign users into Adobe.

Prerequisites

  • Access to the Adobe enterprise dashboard
  • Some test users already set up in the Adobe dashboard as federated
  • Access to your OALA admin console
  • Depending on approach, you may need command line access to your runtime servers

Method

Configure Adobe enterprise dashboard

  1. Under the identity section, claim your domain. Follow Adobe's instructions (linked from the identity section). This can take a while: you need to add a token to your DNS records for automatic validation and then wait for Adobe's manual verification.

  2. Once claimed you can

    1. Upload your IdP certificate. This is the X.509 signing certificate from your IdP metadata (the ds:X509Certificate element). Copy and paste it into a file as follows, including the BEGIN and END lines (the body below is a placeholder, not a real certificate):

      -----BEGIN CERTIFICATE-----
      FAKE.jCCAs6gAwIBAgIJAIp1FSxSm9OlMA0GCSqGSIb3DQEBBQUAMFUxCzpdFAKE
      BAYTAkdCMSowKAYDVQQKEyFBY2NyaW5ndG9uIGFuZCBSb3NzZW5kYWxlIENvFAKE
      Z2UxGjAYBgNVBAMTEWlkcC5hY2Nyb3NzLmFjLnVrMB4XDTEzMDkxMTExMjM1FAKE
      DTIzMDkwOTExMjM1M1owVTELMAkGA1UEBhMCR0IxKjAoBgNVBAoTIUFjY3Jpbmd0
      b24gYW5kIFJvc3NlbmRhbGUgQ29sbGVnZTEaMBgGA1UEAxMRaWRwLmFjY3Jvc3Mu
      YWMudWswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6Kw1idmiWCVV6
      nMtNO9/5obIs1df09j9OPhyEBLFH8r1JEKtkorM701Drm/g7ddWW4yV4n63zI0em
      RaWRwLmFjY3Jv3e/E51aLtQ/uwy8rVyo30FOFzA735GNLhEXu54w7RzfbZO7bGyQ
      ni/K1wlIWSN1qexki0nvuSafAwATmhRgQAyWAb4oAe6whuIZ5lIB5U4GTPrlgwFk
      KWpb5jyUoM5XaXM4l6EHZfZdOIwSfeV/BK9WQwJ2e8FTlOp/seluRnotroHmiT/r
      BVfX4H4wypXvpTWiPhOh8yHYetl&dssTtZubtialFsPnylB/5p1ALLqiXkCVp5+v
      CCxew/ddAgMBAAGjgbgwgbUwHQYDVR0ROBBEFIqv62qawJvLOtz0o1pzLUDrC7+S
      MIGFBgNVHSMEfjB8gBSKr+tq8CkbyzrOc9Kacy1A6wu/kqFZpFcwVTELMAkGA1UE
      BhMCR0IxKjAoBgNVBAoTIUFjY3JpbmdM0b2gYW5kIFJvc3NlbmRhbGUgQ29sbGVn
      ZTEaMBgGA1UEAxMRaWRwLmFjY3Jvc3MEuYWudWuCCQCKdRUsUpvTpTAMBgNVHRME
      BTADAQH/MA0GCSqGSIb3DQEBBQUAA4IDBAQunKm++p3Cimm4+bXiGN60FFliLGld
      kKM5MtAnzyi1QujUj0ZgQU87OxaP4G9NZ15yBr8QxjK/jMqjNL1BR1nN8Qk9jnXS
      7ZvdlJlfQCaBFyOPh/WQPwOnk3rsB8cYyviIilqyELdn6YOt+/SKXDtFE0p2RK80
      DRB/V76lE0TKDkEi8V+cyn3UATFf/YsLQuy2gD2bLN3G0ydHJv1BO5LnXRg7aAmj
      cuSR5WDxDBed9bC7OnlSCreRr267qw/LsFCqgqdtvFiqoVu9JT1FDs519iEmKcM9
      9S+YKaM+/E6mM4hA3qdkniBxIL29OWji1ps6/ZVEdrkJEf9eg86BGlre
      -----END CERTIFICATE-----
    2. IDP Issuer = your entityID, e.g. https://idp.yourdomain.com/oala/metadata

    3. IDP login URL = your sso address e.g. https://idp.yourdomain.com/oala/sso

    4. IDP binding: select HTTP-REDIRECT

    5. User Login Setting: This guide will use email address, but choose what matches the users you have set up in the dashboard.

    6. Download metadata. Do so and save it for later (download doesn't work in Firefox at the time of writing)

Configure OpenAthens LA

Adobe requires the following attributes to be released:

  • Email
  • FirstName
  • LastName

You will also need to release the email address a second time, as a separately named attribute, so that it can be selected as the NameID with format 'unspecified' for Adobe only.

Metadata

Adobe's SP metadata is not published; it is only available as a download from the Adobe dashboard and is unique to your organisation. This means you will need either to host it somewhere yourself (it must be reachable by both the admin console and the runtime server(s)) or to add it manually to each runtime.

If you are hosting it somewhere:

  1. add it via the configurations tab

If you need to manually add it to the runtime:

  1. ssh to the runtime

  2. create a file with a .xml extension in the /usr/share/atacama-platform/metadata folder:

    nano /usr/share/atacama-platform/metadata/adobemetadata.xml
  3. paste in the metadata you downloaded from the Adobe dashboard

  4. Exit the editor saving changes

  5. Repeat for each IdP runtime
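Before copying the downloaded file onto each runtime it is worth confirming that it is well-formed XML, that it really is service provider (not IdP) metadata, and noting the entityID and AssertionConsumerService endpoints it contains, because the entityID is what the release policy has to match. The script below is an added example, not OpenAthens or Adobe code; the embedded metadata is a constructed sample whose entityID and URLs are placeholders, not real Adobe values. Run it against the file you downloaded instead by replacing SAMPLE_SP_METADATA with the file contents.

```python
"""Inspect SP metadata downloaded from the Adobe dashboard before adding it
to OpenAthens LA.  Added example; not OpenAthens LA or Adobe code."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample shaped like a SAML 2.0 SP descriptor.  The entityID and
# endpoint URLs are placeholders chosen for this example only.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/saml2/service-provider/EXAMPLE">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/sso/saml2/EXAMPLE" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarise_sp_metadata(xml_text):
    """Parse SP metadata and return the values an IdP admin needs.

    Raises xml.etree.ElementTree.ParseError on malformed XML and ValueError
    when the document is not a SAML 2.0 service provider descriptor.
    """
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [e.text.strip() for e in sp.findall(MD + "NameIDFormat") if e.text],
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall(MD + "AssertionConsumerService")],
    }


def release_policy_checks(summary):
    """Return a list of things to look at before writing the release policy.

    An empty list means the metadata looks as this guide expects.  The Okta
    prefix check reflects the page's note that Adobe's entityID contains
    'https://www.okta.com/'; treat it as a sanity check, not a hard rule.
    """
    problems = []
    entity_id = summary["entity_id"] or ""
    if not entity_id.startswith("https://www.okta.com/"):
        problems.append("entityID does not start with https://www.okta.com/ : %r" % entity_id)
    if not any(binding.endswith("HTTP-POST") for binding, _ in summary["acs"]):
        problems.append("no HTTP-POST AssertionConsumerService endpoint")
    if not all(location.startswith("https://") for _, location in summary["acs"]):
        problems.append("an AssertionConsumerService endpoint is not https")
    if summary["name_id_formats"] and not any(
            fmt.endswith(":unspecified") for fmt in summary["name_id_formats"]):
        problems.append("metadata does not list the 'unspecified' NameID format")
    return problems


if __name__ == "__main__":
    summary = summarise_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID for the release policy:", summary["entity_id"])
    for binding, location in summary["acs"]:
        print("ACS:", binding.rsplit(":", 1)[-1], location)
    for problem in release_policy_checks(summary):
        print("CHECK:", problem)
```

The entityID the script prints is the value to paste into the release policy's [matches] field; the ACS checks catch a truncated or wrongly saved download before it is deployed to every runtime.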

Attributes

Create four datastore attributes:

  • Email
  • FirstName
  • LastName
  • emailAddress

The first three must have exactly those names. The fourth can have any name, or can be an existing attribute that already holds the end user's email address.

Release policy

Create a new release policy (Configurations > 'External' > Attribute release)

  • Call it something such as 'Adobe'

  • Apply policy [when] [service provider] [matches] and paste in the entityID that appears in the Adobe metadata. If you are hosting the metadata, the entityID can autocomplete. If you have manually added the metadata to the runtime(s), you will need to copy and paste it from the metadata file. You could also use [contains] 'https://www.okta.com/', but note that this would apply the policy, including the email NameID override, to any Okta-hosted service provider whose entityID contains that string, so the exact [matches] rule is the safer choice.

  • Add all four of the attributes to the policy and tick their release boxes

  • Apply

Because the policy is scoped to the Adobe entityID, only this resource is sent the email address as the NameID; other resources keep the default and are not affected.

Advanced option tab changes

Adobe needs the email address to be sent as the NameID rather than the default targetedID value. This is why there are two email attributes. To set this, go to the advanced options tab of the policy and set:

  • User identifier: emailAddress (or whatever your other email address attribute was, just not the one called 'Email')

  • User identifier format: leave as 'unspecified'. If you have data in this field, delete it and hit apply before you move focus to any other field.

  • Apply
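The release policy and the advanced-options NameID override together mean Adobe receives the email address as the NameID while every other service provider keeps an opaque, per-SP default. The model below is an added example written for this page, not OpenAthens LA code: it reproduces the [matches]/[contains] operators, the per-policy user identifier setting, and the difference between the two. The targetedID derivation is a simplified stand-in (a salted hash of user and SP) for the real persistent identifier, the entityIDs are constructed placeholders, and the user record is made up.

```python
"""Model of the per-SP release policy and NameID override described above.
Added example; not OpenAthens LA code.  The default-identifier derivation is
a simplified stand-in for the real targetedID."""
import hashlib

# Assumed default NameID format for the opaque targetedID value.
DEFAULT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed placeholder entityIDs, not real service providers.
ADOBE_SP = "https://www.okta.com/saml2/service-provider/EXAMPLE"
OTHER_SP = "https://sp.example.org/shibboleth"

# The release policy as configured under Configurations > External > Attribute
# release, plus the advanced-options settings that belong to that policy.
ADOBE_POLICY = {
    "name": "Adobe",
    "operator": "matches",            # [matches] is exact; [contains] is substring
    "value": ADOBE_SP,
    "release": ["Email", "FirstName", "LastName", "emailAddress"],
    "user_identifier": "emailAddress",          # Advanced options > User identifier
    "user_identifier_format": UNSPECIFIED,      # Advanced options > format
}

# Constructed datastore record for one test user.
USER = {
    "uid": "jsmith",
    "Email": "jane.smith@example.ac.uk",
    "FirstName": "Jane",
    "LastName": "Smith",
    "emailAddress": "jane.smith@example.ac.uk",
}


def policy_applies(policy, sp_entity_id):
    """Evaluate the policy's [when][service provider] condition."""
    if policy["operator"] == "matches":
        return sp_entity_id == policy["value"]
    if policy["operator"] == "contains":
        return policy["value"] in sp_entity_id
    raise ValueError("unknown operator %r" % policy["operator"])


def targeted_id(user_id, sp_entity_id, salt):
    """Stand-in for the default opaque per-SP identifier: the same user gets a
    different value at every SP and nothing personal is recoverable from it."""
    material = "%s!%s!%s" % (salt, user_id, sp_entity_id)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:32]


def build_assertion(user, sp_entity_id, policies, salt="constructed-salt"):
    """Return (name_id, name_id_format, attributes) the IdP would send to an SP.

    Without a matching policy nothing is released and the NameID is the
    opaque default; a matching policy releases its attributes and, if it sets
    a user identifier, overrides the NameID for that SP only.
    """
    name_id = targeted_id(user["uid"], sp_entity_id, salt)
    name_id_format = DEFAULT_NAMEID_FORMAT
    attributes = {}
    for policy in policies:
        if not policy_applies(policy, sp_entity_id):
            continue
        attributes.update({a: user[a] for a in policy["release"] if a in user})
        if policy.get("user_identifier"):
            name_id = user[policy["user_identifier"]]
            name_id_format = policy["user_identifier_format"]
    return name_id, name_id_format, attributes


if __name__ == "__main__":
    for sp in (ADOBE_SP, OTHER_SP):
        name_id, fmt, attrs = build_assertion(USER, sp, [ADOBE_POLICY])
        print(sp, "->", name_id, fmt.rsplit(":", 1)[-1], sorted(attrs))
```

Swapping the operator to "contains" with value 'https://www.okta.com/' makes policy_applies return True for any other Okta-hosted entityID as well, which is why the exact [matches] form is preferable for a policy that overrides the NameID.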

Publish and test

  • Click the publish button.

  • Try signing in to Adobe with a test user whose details are known to match a federated user set up at the Adobe end.

  • Once it's all working you can start switching any existing users over to the federated login in the Adobe dashboard.
