Adobe Creative Cloud

Since every institution gets their own instance of Adobe Creative Cloud with which a connection needs to be configured, institutions need to sign in with the account that comes with their Adobe license. SURF does not have that information, so institutions need to configure part of the connection. After the institution has taken some steps, SURF also needs to take some steps to finish setting up the connection.

This document describes how to do this and is based on the experience of AVANS. Replace links as shown by what you have configured in your Adobe Application. After following the steps below the users of your IdP should be able to connect to Adobe Creative Cloud.

Configuration of Adobe

• Navigate to the Adobe Admin console and logon to the service: https://adminconsole.adobe.com/
• Under Settings - Identity - Domains add the domain names your users use in the email address, and confirm these via DNS changes as prompted during entry.

• In Settings - Identity create a new directory by clicking the button "Create Directory".

• The screen below appears. Enter a name, and choose "Federated ID". 
  

• After approval by Adobe you can configure this directory. You will then see a "Configure" button next to the directory:

• Click "Configure". The following screen will appear.

• Here you will enter the SURFconext metadata location, the Single Sign-on location and the assertion signing certificate of the Test or Production of SURFconext. Refer to this site for the up-to-date information about this. 
  1. In case you first want to test the connection, you can use the SURFconext Test Environment. To connect to the SURFconext Test Environment use the following data:
     
     1. IdP certificate is the Assertion signing certificate as found on https://metadata.test.surfconext.nl/ (engine.test.surfconext.nl 20190208 certificate)
     2. IdP binding: choose "HTTP - Redirect"
     3. User login setting: choose "Email"
     4. IdP issuer: https://engine.test.surfconext.nl/authentication/idp/metadata
     5. IdP login url: https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20190208
  2. In case you want to configure the connection for your production IdP, connect to the SURFconext Production Environment using the following data:
     
     1. IdP certificate is the Assertion signing certificate as found on https://metadata.surfconext.nl/ (engine.surfconext.nl 20181213 certificate)
     2. IdP binding: choose "HTTP - Redirect"
     3. User login setting: choose "Email"
     4. IdP issuer: https://engine.surfconext.nl/authentication/idp/metadata
     5. IdP login url: https://engine.surfconext.nl/authentication/idp/single-sign-on/key:20181213
• Some work on SURFconext needs to be done as well. You will see a 'Download Metadata' button. You will need this downloaded metadata later on, when you define the service in SURFconext. See the paragraph below for more on that.
  

• Now that you have configured the Directory as mentioned above you can link this directory to the previously created domains. Navigate to the 'Domains' screen as shown below:

• In the tab "Events" you will find logging when the link is active.

Configuration SURFconext

By now, you should be finished with configuring the instance of Adobe Creative Cloud and it is ready to be used with SURFconext. Before you can use it to authenticate to the service using SURFconext, Adobe Creative Cloud needs to be configured in SURFconext. At this point there are three options for you to proceed:

• If you are familiar with SURFconext you can make use of the Service Provider Dashboard and define the service using the created and downloaded metadata as shown above.  If you want us to create a new instance to your dashboard for this, send us an email at support@surfconext.nl and mention who needs access at your institution. This is the preferred way of managing entities in SURFconext.
• If you are new to the SP Dashboard or SURFconext and can't wait to get started with the SP dashboard, send us a mail at support@surfconext.nl and we will help you get started.
• If you are not familiar with SURFconext and do not intend to create instances in the SP Dashboard in the future, you can send us a mail at support@surfconext.nl. We will use the generated metadata to configure the entity in SURFconext for you.
  
  

Attribute Manipulation

Adobe does not use standard attribute names. As a result, SURFconext will have to make adjustments to make this work. Send a mail to support@surfconext.nl and ask to enable attribute manipulation for the entity of the following attributes :

• The NameIDFormat of the entity needs to be set to "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
• The e-mail address of the user needs to be mapped to the Subject, the NameID
• urn:mace:dir:attribute-def:givenName (urn:oid:2.5.4.42) to be sent as FirstName
• urn:mace:dir:attribute-def:sn (urn:oid:2.5.4.4) to be sent as LastName
• urn:mace:dir:attribute-def:mail (urn:oid:0.9.2342.19200300.100.1.3)  to be sent as Email

The code of the attribute manipulation will be similar to what you see below.

# Required attributes 

$attr_gn       = 'urn:mace:dir:attribute-def:givenName';
$attr_sn       = 'urn:mace:dir:attribute-def:sn';
$attr_mail     = 'urn:mace:dir:attribute-def:mail';

# attributes to let through (ARP)
$requiredAttributes = array(
  'FirstName',
  'LastName',
  'Email'
);

if (isset($attributes) and ($attributes !== FALSE)) {
    if (!empty($attributes[$attr_mail][0])) {
        $subjectId = $attributes[$attr_mail][0];
    }
    if (!empty($attributes[$attr_gn])) {
        $attributes['FirstName'] = $attributes[$attr_gn];
    }
    if (!empty($attributes[$attr_sn])) {
        $attributes['LastName'] = $attributes[$attr_sn];
    }
    if (!empty($attributes[$attr_mail])) {
        $attributes['Email'] = $attributes[$attr_mail];
    }
}

# Remove all other attributes
foreach ($attributes as $k => $v) {
  if (!in_array($k, $requiredAttributes)) {
    unset($attributes[$k]);
  }
}