Adobe ID is created, owned, and managed by the end user. Adobe performs the authentication and the end user manages the identity. Users retain complete control over files and data associated with their ID. Users can purchase additional products and services from Adobe. Admins invite users to join the organization, and can remove them. However, users cannot be locked out from their Adobe ID accounts. And the accounts can't be deleted or taken over by the admin.
The following are a few requirements and scenarios, where Adobe IDs are recommended:
- If you want to enable users to create, own, and manage their identities.
- If you want to allow users to purchase or sign up for other Adobe products and services.
- If users are expected to use other Adobe services such as Digital Publishing Suite, which does not currently support Enterprise or Federated IDs.
- If users already have Adobe IDs, and associated data such as files, fonts, or settings.
- In educational setups, where students can retain their Adobe ID after they graduate.
- If you have contractors and freelancers who don't use your corporate email address.
Enterprise ID is created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID. End-users cannot sign up and create an Enterprise ID, nor can they sign up for additional products and services from Adobe using an Enterprise ID.
Admins create an Enterprise ID and issue it to a user. Admins can revoke access to products and services by taking over the account, or deleting the Enterprise ID to permanently block access to associated data.
The following are a few requirements and scenarios where Enterprise IDs are recommended:
- If you need to maintain strict control over apps and services available to a user.
- If you need emergency access to files and data associated with an ID.
- If you need the ability to completely block or delete a user account.
Federated ID is created and owned by an organization, and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 identity provider.
The following are a few requirements and scenarios where Federated IDs are recommended:
- If you want to provision users based on your organization's enterprise directory.
- If you want to manage authentication of users.
- If you need to maintain strict control over apps and services available to a user.
- If you want to allow users to use the same email address to sign up for an Adobe ID.
You can use Adobe IDs, Enterprise IDs, and Federated IDs in the same enterprise deployment. For example, use Adobe IDs for users who may use other Adobe product and services, such as Acrobat.com or Digital Publishing Suite. Use Enterprise or Federated IDs for users where you want to strictly manage their accounts.
Impact on Creative Cloud end users
Before you create Enterprise IDs or Federated IDs, consider the impact on existing users. It is possible that users have an Adobe ID with email addresses from your domain to access products and services from Adobe.
Any data, such as design libraries, files, fonts, app settings, Adobe Color themes, Behance portfolios are not transferred to the Enterprise ID or Federated ID account. These will remain available with the Adobe ID account, now accessible under the updated email address.
If you decide to create Enterprise or Federated IDs for existing Creative Cloud members (Adobe IDs), users may need to manually migrate data from their Adobe ID accounts.
- Sync Settings: Users can sign in to an app with their Adobe ID, sync settings, sign out, and then sign in with the Enterprise or Federated ID. The latest settings on the desktop can then be synced to Creative Cloud.
- Creative Cloud Assets: Users need to download files from the existing Adobe ID account, and then upload them to the Enterprise or Federated ID account. If end-users use the Creative Cloud desktop app to sync files, all files are already present on their computers. For more information, see Transfer assets.
Note: Comments and versions associated with the files are not retained.
- Typekit: When an enterprise has claimed its own domain to create Enterprise or Federated IDs, existing Typekit accounts which are linked to addresses in that domain might be affected. Typekit accounts can be restored by contacting firstname.lastname@example.org. Contact email@example.com or your Adobe sales representative for more information.
- Behance: Users can access their Behance profile using the new email address. However, they’ll need to update the email address in their Behance email preferences. There is no direct way to migrate the data from Behance. As a work-around, users could do the following for Behance:
- Create a new account using their Enterprise or Federated ID
- Sign in to their existing account
- Co-own the projects in the existing account with their new account.
- Optionally, then log into their new account and remove the co-owner of their old account. This would migrate the content but not the comments and followers associated with the old account.
- PhoneGap Build: Users can migrate associated data when they switch to Enterprise IDs.
- Adobe Color: To migrate data from an Adobe ID to an Enterprise or Federated ID, users can send a request to firstname.lastname@example.org.
- Lightroom: Data is synced again from the desktop to Creative Cloud using the Enterprise or Federated ID.
- Story Plus: Users can access data using the updated email address. There is no migration path to associate existing data with the Enterprise or Federated ID.
If existing Creative Cloud users, were using services that are not included with Creative Cloud for enterprise, their memberships revert to free versions. If users discontinue the Creative Cloud membership associated with their Adobe ID, access is limited. For example, DPS users will be able to access their Folios, but won't be able to publish them. Similarly, Web hosting will expire after 30 days.
User identities are verified against an authorization source. Adobe IDs use an authorization source managed by Adobe. To use Enterprise ID or Federated ID, set up your own authorization source by claiming a domain. For example, if your email address is email@example.com, example.com is your domain. A claimed domain permits the creation of Enterprise IDs or Federated IDs with email addresses on the claimed domain. A claimed domain can be used either with Enterprise IDs or Federated IDs, but not both. You can however claim multiple domains.
An organization must demonstrate their control over a domain to claim it. An organization can also claim multiple domains. However, a domain can be claimed only once. Known public and generic domains, such as gmail.com or yahoo.com cannot be claimed at all.
To use Enterprise or Federated IDs, start by claiming a domain. If your organization controls multiple domains, you can claim all of them. You need to verify that you control the domain by adding a token to the DNS.
If the domain, has already been claimed by another organization, you will be prompted with the following message:
To request access to this domain, discontinue with the remaining steps in this procedure and follow the procedures detailed in Request access to a claimed domain.
If the domain has not been claimed by another organization, a DNS token is generated and displayed next to the domain. In this case, continue with the next step in this procedure.
Add the token to the DNS.
To verify that you own the domain, you must add a TXT record with the generated token. The exact instructions depend on your domain host, but follow these generic guidelines:
a. Log in to your domain account
b. Find the page for updating the DNS record. This page may be called DNS Management, Name Server Management, or Advanced Settings.
c. Find the TXT records for your domain.
d. Add a TXT record with value adobe-idp-site-verification=<token>.
For example, If your token is ”asdfadgalfjsadr3232324sdfesf” then the TXT record would be adobe-idp-site-verification=asdfadgalfjsadr3232324sdfesf.
e. Save your changes.
Complete this step within 14 days of receiving the token. You need to add information to your DNS servers to complete this step. Let your network administrators know in advance so that this step can be completed within the specified time. You'll receive an email from Adobe once the domain has been successfully claimed, and is ready for activation
Activating the domain cannot be undone. You can withdraw the request before activation, but not after you've activated it.
As a System Administrator, you can change the identity type for the users in your organization. For example, if you created users on the Admin Console using Adobe IDs, you can change these to Enterprise IDs or Federated IDs. For details on Enterprise IDs or Federated IDs, see the Adobe-supported identity types section, in this document.
When you create a new identity type for your organization, you have the ability to create new login information for all users in the Admin Console. The end user will continue to have access to their personally-owned Adobe ID, but will access the organization’s Adobe apps, services, and solutions through the identity type assigned to them.
This feature allows you to change a user identity type from any one of the three supported types to any other. Also, this is not an all or nothing procedure. You can change the types only for selected users. And for a set of users, you can switch the types around. For example, in a set of users, you can switch some of the users from Adobe IDs to Enterprise IDs and some from Enterprise IDs to Adobe IDs.
Ensure that you specify the correct country code for the users. This code must match the country in which their assets are located.
Also, this code cannot later be changed.
If you are switching an Adobe ID user type to an Enterprise ID or Federated ID type, you will need to ensure that the Adobe ID email matches the email ID for user in the Enterprise.
Also, the users whose identity has changed, will receive a notification. Those users will need to use the new identity when working with the Adobe products they have been provisioned.
This process will also migrate the permissions and provisioned products for all migrated users.
Important: If your users were previously using Adobe IDs and had assets linked to their Adobe ID account, these users will need to migrate these assets as described in Migrate assets using Adobe Creative Cloud.
After the bulk operation is complete, your users will receive the following emails indicating that they will need to use their new credentials:
Adobe Admin Console supports several password protection levels and policies to ensure safety and security. You can specify to use a password protection level to apply to all users across your organization. Adobe supports six levels of security. Password policies apply to Adobe ID and Enterprise ID account types.
All accounts include a lockout mechanism. If the system detects a quick succession of multiple failed login attempts, the user account is temporarily unavailable to prevent brute force attacks.
To specify a password policy, do the following:
For more information, see Manage encryption.
For details, see View Federated ID event logs.