Page tree
Skip to end of metadata
Go to start of metadata

SURFconext cannot verify the configuration steps below as we are not a customer of this service provider. We have collected the information below from our connected institutions to the best of our knowledge. Sometimes procedures change; we depend on someone notifying us. Sorry if the below info does not work for you. If you have remarks or tips you want to share, please send them to

Since every institution gets their own instance of Adobe Creative Cloud with which a connection needs to be configured, institutions need to sign in with the account that comes with their Adobe license. SURF does not have that information, so institutions need to configure part of the connection. After the institution has taken some steps, SURF also needs to take some steps to finish setting up the connection.

This document describes how to do this and is based on the experience of AVANS. Replace links as shown by what you have configured in your Adobe Application. After following the steps below the users of your IdP should be able to connect to Adobe Creative Cloud.

After reading this page you will know about:

Configuration of Adobe

  • Navigate to the Adobe Admin console and logon to the service:
  • Under Settings - Identity - Domains add the domain names your users use in the email address, and confirm these via DNS changes as prompted during entry.

  • In Settings - Identity create a new directory by clicking the button "Create Directory".

  • The screen below appears. Enter a name, and choose "Federated ID". 
  • After approval by Adobe you can configure this directory. Go to Select Your Identity Provider and Choose 'Other SAML Providers':

  • The following screen will appear.

  • In the tab "Events" you will find logging when the link is active.

Configuration of SURFconext

By now, you should be finished with configuring the instance of Adobe Creative Cloud and it is ready to be used with SURFconext. Before you can use it to authenticate to the service using SURFconext, Adobe Creative Cloud needs to be configured in SURFconext. At this point there are three options for you to proceed:

  • If you are familiar with SURFconext you can make use of the Service Provider Dashboard and define the service using the created and downloaded metadata as shown above.  If you want us to create a new instance to your dashboard for this, send us an email at and mention who needs access at your institution. This is the preferred way of managing entities in SURFconext.
  • If you are new to the SP Dashboard or SURFconext and can't wait to get started with the SP dashboard, send us a mail at and we will help you get started.
  • If you are not familiar with SURFconext and do not intend to create instances in the SP Dashboard in the future, you can send us a mail at We will use the generated metadata to configure the entity in SURFconext for you.


The certificate as generated by Adobe Creative Cloud is currently incompatible with the SP Dashboard. Remove the generated certificate and paste this random but compatible certificate to continue publishing the service through the SP Dashboard. It is not used in SURFconext, but for now needed to publish you service. We will not use this during the logon process. This is only used when you decide to do a signed authentication with SURFconext, wich is not the case with Adobe.

Attribute Manipulation

Adobe does not use standard attribute names. As a result, SURFconext will have to make adjustments to make this work. Send a mail to and ask to enable attribute manipulation for the entity of the following attributes :

  • The NameIDFormat of the entity needs to be set to "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  • The e-mail address of the user needs to be mapped to the Subject, the NameID
  • urn:mace:dir:attribute-def:givenName (urn:oid: to be sent as FirstName
  • urn:mace:dir:attribute-def:sn (urn:oid: to be sent as LastName
  • urn:mace:dir:attribute-def:mail (urn:oid:0.9.2342.19200300.100.1.3)  to be sent as Email

The code of the attribute manipulation will be similar to what you see below.

Attribute Manipulation
# Required attributes 

$attr_gn       = 'urn:mace:dir:attribute-def:givenName';
$attr_sn       = 'urn:mace:dir:attribute-def:sn';
$attr_mail     = 'urn:mace:dir:attribute-def:mail';

# attributes to let through (ARP)
$requiredAttributes = array(

if (isset($attributes) and ($attributes !== FALSE)) {
    if (!empty($attributes[$attr_mail][0])) {
        $subjectId = $attributes[$attr_mail][0];
    if (!empty($attributes[$attr_gn])) {
        $attributes['FirstName'] = $attributes[$attr_gn];
    if (!empty($attributes[$attr_sn])) {
        $attributes['LastName'] = $attributes[$attr_sn];
    if (!empty($attributes[$attr_mail])) {
        $attributes['Email'] = $attributes[$attr_mail];

# Remove all other attributes
foreach ($attributes as $k => $v) {
  if (!in_array($k, $requiredAttributes)) {

How to log on to the service as an and user

When you have configured the service you can logon to the service through SURFconext as follows.

  • Navigate to ''
  • You will probably be redirected to the Dutch part of the Adobe site, so click 'Aanmelden' (Dutch for Logon) in the upper right of the screen.
  • Because you are using SURFconext to log on, continue by clicking 'Aanmelden met een Enterprise ID'.
  • Enter your email-adres or simply the domain of your institution (the part after '@' of your email adres). There is no need to fill in your password. You will be redirected as soon as you click on the password field.
  • Enter your credentials at your institution and you will be logged on to Adobe Connect through SURFconext

Set up the User Sync tool management of users

The User Sync tool from Adobe is a command-line utility that moves user and group information from your organization’s enterprise directory system (such as an Active Directory or other LDAP systems) to your organization’s directory in the Adobe Admin Console. Each time you run the User Sync tool, it looks for differences between the user and group information in the two systems and updates the Adobe directory to match the information in your directory. This is also referred to as 'Just In Time' management of users. This document provides step-by-step instructions to interface an Active Directory system with the Adobe Admin Console. If you're using a directory system other than Active Directory, the instructions in this documentation do not apply and need to be modified as required. See the supplied links on that page for more information.

  • No labels