Sign in to Adobe Creative Cloud Enterprise with OpenAthens

This is an example using Adobe Creative Cloud Enterprise of how to set up a custom SAML resource so that you can log in using OpenAthens.

Prerequisites

• Access to the Adobe enterprise dashboard
• Some test users already set up in the Adobe dashboard as federated
• Access to your the OpenAthens administration area as the domain administrator

Method

Configure Adobe enterprise dashboard

1. Under the identity section, claim your domain. Follow their instructions (should be linked from the identity section). This can take a while as you need to add a token to your DNS record for automatic validation and then wait for manual verification.
   
   
2. Once claimed you can
   
   

   1. Upload your IdP certificate. This is the x509 signing certificate from your metadata. Copy and paste it into a file as follows including the begin and end parts:

      
      

      Example certificate

      CODE

      -----BEGIN CERTIFICATE-----
      FAKE.jCCAs6gAwIBAgIJAIp1FSxSm9OlMA0GCSqGSIb3DQEBBQUAMFUxCzpdFAKE
      BAYTAkdCMSowKAYDVQQKEyFBY2NyaW5ndG9uIGFuZCBSb3NzZW5kYWxlIENvFAKE
      Z2UxGjAYBgNVBAMTEWlkcC5hY2Nyb3NzLmFjLnVrMB4XDTEzMDkxMTExMjM1FAKE
      DTIzMDkwOTExMjM1M1owVTELMAkGA1UEBhMCR0IxKjAoBgNVBAoTIUFjY3Jpbmd0
      b24gYW5kIFJvc3NlbmRhbGUgQ29sbGVnZTEaMBgGA1UEAxMRaWRwLmFjY3Jvc3Mu
      YWMudWswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6Kw1idmiWCVV6
      nMtNO9/5obIs1df09j9OPhyEBLFH8r1JEKtkorM701Drm/g7ddWW4yV4n63zI0em
      RaWRwLmFjY3Jv3e/E51aLtQ/uwy8rVyo30FOFzA735GNLhEXu54w7RzfbZO7bGyQ
      ni/K1wlIWSN1qexki0nvuSafAwATmhRgQAyWAb4oAe6whuIZ5lIB5U4GTPrlgwFk
      KWpb5jyUoM5XaXM4l6EHZfZdOIwSfeV/BK9WQwJ2e8FTlOp/seluRnotroHmiT/r
      BVfX4H4wypXvpTWiPhOh8yHYetl&dssTtZubtialFsPnylB/5p1ALLqiXkCVp5+v
      CCxew/ddAgMBAAGjgbgwgbUwHQYDVR0ROBBEFIqv62qawJvLOtz0o1pzLUDrC7+S
      MIGFBgNVHSMEfjB8gBSKr+tq8CkbyzrOc9Kacy1A6wu/kqFZpFcwVTELMAkGA1UE
      BhMCR0IxKjAoBgNVBAoTIUFjY3JpbmdM0b2gYW5kIFJvc3NlbmRhbGUgQ29sbGVn
      ZTEaMBgGA1UEAxMRaWRwLmFjY3Jvc3MEuYWudWuCCQCKdRUsUpvTpTAMBgNVHRME
      BTADAQH/MA0GCSqGSIb3DQEBBQUAA4IDBAQunKm++p3Cimm4+bXiGN60FFliLGld
      kKM5MtAnzyi1QujUj0ZgQU87OxaP4G9NZ15yBr8QxjK/jMqjNL1BR1nN8Qk9jnXS
      7ZvdlJlfQCaBFyOPh/WQPwOnk3rsB8cYyviIilqyELdn6YOt+/SKXDtFE0p2RK80
      DRB/V76lE0TKDkEi8V+cyn3UATFf/YsLQuy2gD2bLN3G0ydHJv1BO5LnXRg7aAmj
      cuSR5WDxDBed9bC7OnlSCreRr267qw/LsFCqgqdtvFiqoVu9JT1FDs519iEmKcM9
      9S+YKaM+/E6mM4hA3qdkniBxIL29OWji1ps6/ZVEdrkJEf9eg86BGlre
      -----END CERTIFICATE------

   2. IDP Issuer = your entityID, e.g. https://idp.example.com/openathens. View on the organisation summary.
      
      

   3. IDP login URL = your SAML 2 sso address e.g. https://login.openathens.net/saml/2/sso/Your_API_name
      
      

   4. IDP binding: select HTTP-REDIRECT
      
      

   5. User Login Setting: This guide uses email address, but choose what matches the users you have set up in the dashboard.
      
      

   6. Download metadata. Do so and save it for later (the download doesn't work in Firefox at the time of writing)

Configure OpenAthens

Add custom SAML resource

Like Google, Adobe are not members of a common federation so we need to add them as a custom SAML resource.

1. Go to Resources > Catalogue > Custom > Add > SAML
   
   
2. Upload the metadata file you downloaded from the Adobe dashboard
   
   
3. Optionally rename the new custom resource (click on the resource name, edit and save). 

Map attributes (if you have a local connection)

If you have a local connection and you are not already mapping email address, first name and last name to OpenAthens attributes you will need to set up additional mappings. This is done on the attributes tab of your connection, see: Attribute mapping . 

Release policy

The final step is to release those attributes to Adobe and this is controlled by the release policy.

1. Go to Preferences > Attribute release.
   
   
2. Add a new policy and search for the name of your custom SAML resource
   
   
3. Click on first name, last name and email address to add them to the policy.
   
   
4. Click advanced
    
   
   1. Leave the SAML NameID format as unspecified
      
      
   2. Set the SAML NamdID attribute as 'Email address'
      
      
   3. Add the following aliases
      
      1. forenames mapped to FirstName
      2. surname mapped to LastName
      3. emailAddress mapped to Email
         
         
5. Click Done and then Save changes.

Test

Go to Adobe and enter the email address of a user who is configured at the Adobe end to use a federated login. You should be transferred to your OpenAthens login. Once you have signed in there you should be transferred back to Adobe and logged in. 

Anything to watch out for?

If you are running in restrictive mode:

• The SAML resource MUST be included in at least one of the permission sets used by anyone who should gain access. If not, OpenAthens will block access at the authentication point.
• If you have sub-organisations you MUST ALSO allocate the custom resource to permission sets under those sub-organisations. The cascade option may be useful.

Whilst our service desk will always try to be helpful, they can only support the OpenAthens part of this.