This is an example using Adobe Creative Cloud Enterprise of how to set up a custom SAML resource so that you can log in using OpenAthens.
- Access to the Adobe enterprise dashboard
- Some test users already set up in the Adobe dashboard as federated
- Access to your the OpenAthens administration area as the domain administrator
Configure Adobe enterprise dashboard
- Under the identity section, claim your domain. Follow their instructions (should be linked from the identity section). This can take a while as you need to add a token to your DNS record for automatic validation and then wait for manual verification.
- Once claimed you can
Upload your IdP certificate. This is the x509 signing certificate from your metadata. Copy and paste it into a file as follows including the begin and end parts:Example certificate
-----BEGIN CERTIFICATE----- FAKE.jCCAs6gAwIBAgIJAIp1FSxSm9OlMA0GCSqGSIb3DQEBBQUAMFUxCzpdFAKE BAYTAkdCMSowKAYDVQQKEyFBY2NyaW5ndG9uIGFuZCBSb3NzZW5kYWxlIENvFAKE Z2UxGjAYBgNVBAMTEWlkcC5hY2Nyb3NzLmFjLnVrMB4XDTEzMDkxMTExMjM1FAKE DTIzMDkwOTExMjM1M1owVTELMAkGA1UEBhMCR0IxKjAoBgNVBAoTIUFjY3Jpbmd0 b24gYW5kIFJvc3NlbmRhbGUgQ29sbGVnZTEaMBgGA1UEAxMRaWRwLmFjY3Jvc3Mu YWMudWswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6Kw1idmiWCVV6 nMtNO9/5obIs1df09j9OPhyEBLFH8r1JEKtkorM701Drm/g7ddWW4yV4n63zI0em RaWRwLmFjY3Jv3e/E51aLtQ/uwy8rVyo30FOFzA735GNLhEXu54w7RzfbZO7bGyQ ni/K1wlIWSN1qexki0nvuSafAwATmhRgQAyWAb4oAe6whuIZ5lIB5U4GTPrlgwFk KWpb5jyUoM5XaXM4l6EHZfZdOIwSfeV/BK9WQwJ2e8FTlOp/seluRnotroHmiT/r BVfX4H4wypXvpTWiPhOh8yHYetl&dssTtZubtialFsPnylB/5p1ALLqiXkCVp5+v CCxew/ddAgMBAAGjgbgwgbUwHQYDVR0ROBBEFIqv62qawJvLOtz0o1pzLUDrC7+S MIGFBgNVHSMEfjB8gBSKr+tq8CkbyzrOc9Kacy1A6wu/kqFZpFcwVTELMAkGA1UE BhMCR0IxKjAoBgNVBAoTIUFjY3JpbmdM0b2gYW5kIFJvc3NlbmRhbGUgQ29sbGVn ZTEaMBgGA1UEAxMRaWRwLmFjY3Jvc3MEuYWudWuCCQCKdRUsUpvTpTAMBgNVHRME BTADAQH/MA0GCSqGSIb3DQEBBQUAA4IDBAQunKm++p3Cimm4+bXiGN60FFliLGld kKM5MtAnzyi1QujUj0ZgQU87OxaP4G9NZ15yBr8QxjK/jMqjNL1BR1nN8Qk9jnXS 7ZvdlJlfQCaBFyOPh/WQPwOnk3rsB8cYyviIilqyELdn6YOt+/SKXDtFE0p2RK80 DRB/V76lE0TKDkEi8V+cyn3UATFf/YsLQuy2gD2bLN3G0ydHJv1BO5LnXRg7aAmj cuSR5WDxDBed9bC7OnlSCreRr267qw/LsFCqgqdtvFiqoVu9JT1FDs519iEmKcM9 9S+YKaM+/E6mM4hA3qdkniBxIL29OWji1ps6/ZVEdrkJEf9eg86BGlre -----END CERTIFICATE------CODE
IDP Issuer = your entityID, e.g. organisation summary.View on the
IDP login URL = your SAML 2 sso address e.g.
IDP binding: select HTTP-REDIRECT
User Login Setting: This guide uses email address, but choose what matches the users you have set up in the dashboard.
Download metadata. Do so and save it for later (the download doesn't work in Firefox at the time of writing)
Add custom SAML resource
Like Google, Adobe are not members of a common federation so we need to add them as a custom SAML resource.
- Go to Resources > Catalogue > Custom > Add > SAML
- Upload the metadata file you downloaded from the Adobe dashboard
- Optionally rename the new custom resource (click on the resource name, edit and save).
Map attributes (if you have a local connection)
If you have a local connection and you are not already mapping email address, first name and last name to OpenAthens attributes you will need to set up additional mappings. This is done on the attributes tab of your connection, see: Attribute mapping.
The final step is to release those attributes to Adobe and this is controlled by the release policy.
- Go to Preferences > Attribute release.
- Add a new policy and search for the name of your custom SAML resource
- Click on first name, last name and email address to add them to the policy.
- Click advanced
- Leave the SAML NameID format as unspecified
- Set the SAML NamdID attribute as 'Email address'
- Add the following aliases
- forenames mapped to FirstName
- surname mapped to LastName
- emailAddress mapped to Email
- Leave the SAML NameID format as unspecified
- Click Done and then Save changes.
Go to Adobe and enter the email address of a user who is configured at the Adobe end to use a federated login. You should be transferred to your OpenAthens login. Once you have signed in there you should be transferred back to Adobe and logged in.
Anything to watch out for?
If you are running in restrictive mode:
- The SAML resource MUST be included in at least one of the permission sets used by anyone who should gain access. If not, OpenAthens will block access at the authentication point.
- If you have sub-organisations you MUST ALSO allocate the custom resource to permission sets under those sub-organisations. The cascade option may be useful.
Whilst our service desk will always try to be helpful, they can only support the OpenAthens part of this.