Warning |
---|
SURFconext cannot verify the configuration steps below as we are not a customer of this service provider. We have collected the information below from our connected institutions to the best of our knowledge. Sometimes procedures change; we depend on someone notifying us. Sorry if the below info does not work for you. If you have remarks or tips you want to share, please send them to support@surfconext.nl. |
Since every institution gets their own instance of Adobe Creative Cloud with which a connection needs to be configured, institutions need to sign in with the account that comes with their Adobe license. SURF does not have that information, so institutions need to configure part of the connection. After the institution has taken some steps, SURF also needs to take some steps to finish setting up the connection.
This document describes how to do this and is based on the experience of AVANS. Replace links as shown by what you have configured in your Adobe Application. After following the steps below the users of your IdP should be able to connect to Adobe Creative Cloud.
...
...
SURFconext cannot verify the configuration steps below as we are not a customer of LinkedIn Learning. We have collected the information below to the best of our knowledge. If you have remarks or tips you want to share, please send them to support@surfconext.nl
After reading this page you will know about:
...
- The screen below appears. Enter a name, and choose "Federated ID".
- After approval by Adobe you can configure this directory. You will then see a "Configure" button next to the directory:
- Go to Select Your Identity Provider and Choose 'Other SAML Providers':
- Click "Configure". The following screen will appear.
- On this page you can download the metadata of the Adobe Creative Cloud for use with our SURFconext SP Dashboard and you can upload the SURFconext metadata in the Adobe Admin Console. Click the button 'Download Adobe metadata file' and save this for future use, see the steps below.
- Decide if you want to connect to our test or our production environment. You must upload the SURFconext IdP metadata file to Adobe to complete the SAML setup as shown in the screenshot above. Here you will enter the SURFconext metadata location, the Single Sign-on location and the assertion signing certificate of the Test or Production of SURFconext. Refer to this site for the up-to-date information about this. In case you first want to test the connection, you can use the SURFconext Test Environment. To connect to the SURFconext Test Environment use the following metadata and save this as an XML:
- https://metadata.test.surfconext.nl/idp-metadata.xml. If asked, the following applies:
- IdP certificate is the Assertion signing certificate as found on https://metadata.test.surfconext.nl/ (engine.test.surfconext.nl 20230403 certificate)
- IdP binding: choose "HTTP - Redirect"
- User login setting: choose "Email"
- IdP issuer: https://engine.test.surfconext.nl/authentication/idp/metadata
- IdP login url: https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:
If you want to configure the connection for your production IdP, connect to the SURFconext Production Environment using the following data:
- https://metadata.surfconext.nl/idp-metadata.xml
- IdP certificate is the Assertion signing certificate as found on https://metadata.surfconext.nl/ (engine.surfconext.nl 20230503 certificate)
- IdP binding: choose "HTTP - Redirect"
- User login setting: choose "Email"
- IdP issuer: https://engine.surfconext.nl/authentication/idp/metadata
- IdP login url: https://engine.surfconext.nl/authentication/idp/single-sign-on/key:
- Some work on SURFconext needs to be done as well. You will see a 'Download Metadata' button. You will need this downloaded metadata later on, when you define the service in SURFconext. See the paragraph below for more on that.
Now that you have configured the Directory as mentioned above you can link this directory to the previously created domains. Navigate to the 'Domains' screen as shown below:
...
Warning | ||
---|---|---|
| ||
The certificate as generated by Adobe Creative Cloud is currently incompatible with the SP Dashboard. Remove the generated certificate and paste this random but compatible certificate to continue publishing the service through the SP Dashboard. It is not used in SURFconext, but for now it is needed to publish your service. We will not use this during the logon process. This is only used when you decide to do a signed authentication with SURFconext, which is not the case with Adobe. |
Attribute Manipulation
Adobe does not use standard attribute names. As a result, SURFconext will have to make adjustments to make this work. Send a mail to support@surfconext.nl and ask to enable attribute manipulation for the entity of the following attributes:
...
```php
# Required attributes
$attr_gn   = 'urn:mace:dir:attribute-def:givenName';
$attr_sn   = 'urn:mace:dir:attribute-def:sn';
$attr_mail = 'urn:mace:dir:attribute-def:mail';

# attributes to let through (ARP)
$requiredAttributes = array( 'FirstName', 'LastName', 'Email' );

if (isset($attributes) and ($attributes !== FALSE)) {
    # Use the mail address as the subject identifier
    if (!empty($attributes[$attr_mail][0])) {
        $subjectId = $attributes[$attr_mail][0];
    }
    # Copy the standard attributes to the names Adobe expects
    if (!empty($attributes[$attr_mail])) {
        $attributes['Email'] = $attributes[$attr_mail];
    }
    if (!empty($attributes[$attr_gn])) {
        $attributes['FirstName'] = $attributes[$attr_gn];
    }
    if (!empty($attributes[$attr_sn])) {
        $attributes['LastName'] = $attributes[$attr_sn];
    }
}

# Remove all other attributes
foreach ($attributes as $k => $v) {
    if (!in_array($k, $requiredAttributes)) {
        unset($attributes[$k]);
    }
}
```
...
- Navigate to 'https://www.adobe.com/nl/'
- You will probably be redirected to the Dutch part of the Adobe site, so click 'Aanmelden' (Dutch for Logon) in the upper right of the screen.
- Because you are using SURFconext to log on, continue by clicking 'Aanmelden met een Enterprise ID'.
- Enter your email address or simply the domain of your institution (the part after '@' of your email address). There is no need to fill in your password. You will be redirected as soon as you click on the password field.
- Enter your credentials at your institution and you will be logged on to Adobe Connect through SURFconext.
Active sessions
Adobe Creative Cloud allows two active sessions. If you have activated your individual Creative Cloud membership on two computers already, you must first deactivate it on one of the two systems to get going on a third device.
Set up the User Sync tool
...
The User Sync tool from Adobe is a command-line utility that moves user and group information from your organization’s enterprise directory system (such as an Active Directory or other LDAP systems) to your organization’s directory in the Adobe Admin Console. Each time you run the User Sync tool, it looks for differences between the user and group information in the two systems and updates the Adobe directory to match the information in your directory. This is also referred to as 'Just In Time' management of users. This document provides step-by-step instructions to interface an Active Directory system with the Adobe Admin Console. If you're using a directory system other than Active Directory, the instructions in this documentation do not apply and need to be modified as required. See the supplied links on that page for more information.
...