Adobe-supported identity types

Adobe uses an underlying identity management system to authenticate and authorize users. If you're using named licensing or are planning to provide access to services, using identities is a requirement. Adobe supports three identity or account types; they use an email address as the user name.

Adobe ID is created, owned, and managed by the end user. Adobe performs the authentication and the end user manages the identity. Users retain complete control over files and data associated with their ID. Users can purchase additional products and services from Adobe. Admins invite users to join the organization, and can remove them. However, users cannot be locked out from their Adobe ID accounts. And the accounts can't be deleted or taken over by the admin.

The following are a few requirements and scenarios, where Adobe IDs are recommended:

  • If you want to enable users to create, own, and manage their identities.
  • If you want to allow users to purchase or sign up for other Adobe products and services.
  • If users are expected to use other Adobe services such as Digital Publishing Suite, which does not currently support Enterprise or Federated IDs.
  • If users already have Adobe IDs, and associated data such as files, fonts, or settings. 
  • In educational setups, where students can retain their Adobe ID after they graduate.
  • If you have contractors and freelancers who don't use your corporate email address.

Enterprise ID is created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID. End-users cannot sign up and create an Enterprise ID, nor can they sign up for additional products and services from Adobe using an Enterprise ID.

Admins create an Enterprise ID and issue it to a user. Admins can revoke access to products and services by taking over the account, or deleting the Enterprise ID to permanently block access to associated data.

The following are a few requirements and scenarios where Enterprise IDs are recommended:

  • If you need to maintain strict control over apps and services available to a user.
  • If you need emergency access to files and data associated with an ID.
  • If you need the ability to completely block or delete a user account.

Federated ID is created and owned by an organization, and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 identity provider.

The following are a few requirements and scenarios where Federated IDs are recommended:

  • If you want to provision users based on your organization's enterprise directory.
  • If you want to manage authentication of users.
  • If you need to maintain strict control over apps and services available to a user.
  • If you want to allow users to use the same email address to sign up for an Adobe ID.

You can use Adobe IDs, Enterprise IDs, and Federated IDs in the same enterprise deployment. For example, use Adobe IDs for users who may use other Adobe products and services, such as Acrobat.com or Digital Publishing Suite. Use Enterprise or Federated IDs for users whose accounts you want to manage strictly.

Impact on Creative Cloud end users

Before you create Enterprise IDs or Federated IDs, consider the impact on existing users. It is possible that users have an Adobe ID with email addresses from your domain to access products and services from Adobe.

Data such as design libraries, files, fonts, app settings, Adobe Color themes, and Behance portfolios is not transferred to the Enterprise ID or Federated ID account. This data remains available with the Adobe ID account, now accessible under the updated email address.

If you decide to create Enterprise or Federated IDs for existing Creative Cloud members (Adobe IDs), users may need to manually migrate data from their Adobe ID accounts.

  • Sync Settings: Users can sign in to an app with their Adobe ID, sync settings, sign out, and then sign in with the Enterprise or Federated ID. The latest settings on the desktop can then be synced to Creative Cloud.
  • Creative Cloud Assets: Users need to download files from the existing Adobe ID account, and then upload them to the Enterprise or Federated ID account. If end-users use the Creative Cloud desktop app to sync files, all files are already present on their computers. For more information, see Transfer assets.
    Note: Comments and versions associated with the files are not retained.
  • Typekit: When an enterprise has claimed its own domain to create Enterprise or Federated IDs, existing Typekit accounts which are linked to addresses in that domain might be affected. Typekit accounts can be restored by contacting support@typekit.com. Contact enterprise@typekit.com or your Adobe sales representative for more information.
  • Behance: Users can access their Behance profile using the new email address. However, they’ll need to update the email address in their Behance email preferences. There is no direct way to migrate the data from Behance.  As a work-around, users could do the following for Behance:
    1. Create a new account using their Enterprise or Federated ID
    2. Sign in to their existing account
    3. Co-own the projects in the existing account with their new account.
    4. Optionally, then log into their new account and remove the co-owner of their old account. This would migrate the content but not the comments and followers associated with the old account.
  • PhoneGap Build: Users can migrate associated data when they switch to Enterprise IDs.
  • Adobe Color: To migrate data from an Adobe ID to an Enterprise or Federated ID, users can send a request to kuler-team@adobe.com.
  • Lightroom: Data is synced again from the desktop to Creative Cloud using the Enterprise or Federated ID.
  • Story Plus: Users can access data using the updated email address. There is no migration path to associate existing data with the Enterprise or Federated ID.

If existing Creative Cloud users were using services that are not included with Creative Cloud for enterprise, their memberships revert to free versions. If users discontinue the Creative Cloud membership associated with their Adobe ID, access is limited. For example, DPS users will be able to access their Folios, but won't be able to publish them. Similarly, Web hosting will expire after 30 days.

Claim a domain

User identities are verified against an authorization source. Adobe IDs use an authorization source managed by Adobe. To use Enterprise ID or Federated ID, set up your own authorization source by claiming a domain. For example, if your email address is john@example.com, example.com is your domain. A claimed domain permits the creation of Enterprise IDs or Federated IDs with email addresses on the claimed domain. A claimed domain can be used either with Enterprise IDs or Federated IDs, but not both. You can, however, claim multiple domains.

An organization must demonstrate its control over a domain to claim it. An organization can also claim multiple domains. However, a domain can be claimed only once. Known public and generic domains, such as gmail.com or yahoo.com, cannot be claimed at all.

To use Enterprise or Federated IDs, start by claiming a domain. If your organization controls multiple domains, you can claim all of them. You need to verify that you control the domain by adding a token to the DNS.

To initiate the domain claim procedure, do the following:

  1. Sign in to the Enterprise Dashboard.

  2. Navigate to Identity > Claimed domains.

  3. Click Claim domain.

  4. Enter a domain.

  5. Choose an identity type and click Submit.

    If the domain has already been claimed by another organization, you will be prompted with the following message:

    To request access to this domain, discontinue with the remaining steps in this procedure and follow the procedures detailed in Request access to a claimed domain.

    If the domain has not been claimed by another organization, a DNS token is generated and displayed next to the domain. In this case, continue with the next step in this procedure.

  6. Click Yes to request access to this domain. For more details, see Request access to a claimed domain.

  7. Add the token to the DNS.
    To verify that you own the domain, you must add a TXT record with the generated token. The exact instructions depend on your domain host, but follow these generic guidelines:

    a. Log in to your domain account.

    b. Find the page for updating the DNS record. This page may be called DNS Management, Name Server Management, or Advanced Settings.

    c. Find the TXT records for your domain.

    d. Add a TXT record with value adobe-idp-site-verification=<token>.
    For example, if your token is "asdfadgalfjsadr3232324sdfesf", then the TXT record would be adobe-idp-site-verification=asdfadgalfjsadr3232324sdfesf.

    e. Save your changes.
    Complete this step within 14 days of receiving the token. You need to add information to your DNS servers to complete this step. Let your network administrators know in advance so that this step can be completed within the specified time. You'll receive an email from Adobe once the domain has been successfully claimed and is ready for activation.

  8. Once the DNS token is active, click Attempt Validation.

  9. If you're claiming a domain to set up Federated IDs, see Configure Single Sign-On for detailed instructions.

  10. Activate the domain to complete the process.

Note:

Activating the domain cannot be undone. You can withdraw the request before activation, but not after you've activated it.
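
Before clicking Attempt Validation in step 8, it helps to confirm that the TXT record is published exactly as step 7 requires. The following is an added example, not Adobe's code: it checks the output of `dig +short TXT <domain>` for the adobe-idp-site-verification record and reports the usual publishing mistakes. The sample outputs are constructed, and a byte-for-byte comparison of the token is an assumption.

```python
import shlex

PREFIX = "adobe-idp-site-verification="
KEY = PREFIX.rstrip("=")

def parse_txt_answers(dig_short_output):
    """One TXT value per line of `dig +short TXT` output.
    A record split into several quoted chunks is joined back together."""
    records = []
    for line in dig_short_output.splitlines():
        if line.strip():
            records.append("".join(shlex.split(line)))
    return records

def check_claim_record(dig_short_output, expected_token):
    """Return (status, evidence); status is ok, malformed, mismatch or missing."""
    values = parse_txt_answers(dig_short_output)
    exact = [v[len(PREFIX):] for v in values if v.startswith(PREFIX)]
    if expected_token in exact:
        return "ok", exact
    # Right token, wrong framing: stray spaces or the <> left over from the template.
    for v in values:
        if KEY in v.lower() and "=" in v:
            if v.split("=", 1)[1].strip(" <>") == expected_token:
                return "malformed", [v]
    if exact:
        return "mismatch", exact  # e.g. a token left over from an earlier claim
    return "missing", []

TOKEN = "asdfadgalfjsadr3232324sdfesf"  # the example token used in step 7d

# Constructed dig outputs, one per case.
GOOD = '"v=spf1 -all"\n"adobe-idp-site-verification=asdfadgalfjsadr3232324sdfesf"'
SPLIT = '"adobe-idp-site-verification=asdfadgal" "fjsadr3232324sdfesf"'
TEMPLATE = '"adobe-idp-site-verification=<asdfadgalfjsadr3232324sdfesf>"'
STALE = '"adobe-idp-site-verification=0000constructedOldToken"'
NONE = '"v=spf1 -all"'

if __name__ == "__main__":
    for name, out in [("good", GOOD), ("split", SPLIT), ("template", TEMPLATE),
                      ("stale", STALE), ("none", NONE)]:
        print(name, check_claim_record(out, TOKEN))
```

Run it against the authoritative name servers as well as a public resolver, since a cached negative answer can hide a record that has already been added.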

Switch user identity

As a System Administrator, you can change the identity type for the users in your organization. For example, if you created users on the Enterprise Dashboard using Adobe IDs, you can change these to Enterprise IDs or Federated IDs. For details on Enterprise IDs or Federated IDs, see the Adobe-supported identity types section in this document.

When you create a new identity type for your organization, you have the ability to create new login information for all users in the Enterprise Dashboard. The end user will continue to have access to their personally-owned Adobe ID, but will access the organization’s Adobe apps, services, and solutions through the identity type assigned to them.

This feature allows you to change a user identity type from any one of the three supported types to any other. Also, this is not an all or nothing procedure. You can change the types only for selected users. And for a set of users, you can switch the types around. For example, in a set of users, you can switch some of the users from Adobe IDs to Enterprise IDs and some from Enterprise IDs to Adobe IDs.

  1. In the Users tab, click  and in the drop-down list, choose Bulk edit identity type.

    The Bulk edit identity type dialog is displayed.

    You can download all users or you can filter your download by domain or product.

  2. To download the user data, click Download Users.

    A .csv file downloaded to your computer contains the following data:

    • Identity type - Adobe ID, Enterprise ID, Federated ID
    • User name
    • Domain
    • New identity type - Adobe ID, Enterprise ID, Federated ID
    • New email
    • New username
    • New country code
  3. Open the .csv file in Excel and make changes to the identity types, as required.

    Note:

    Ensure that you specify the correct country code for the users. This code must match the country in which their assets are located.

    Also, this code cannot later be changed.

    Note:

    If you are switching an Adobe ID user type to an Enterprise ID or Federated ID type, you will need to ensure that the Adobe ID email matches the email ID for the user in the Enterprise.

    Adobe ID email       Enterprise ID or Federated ID email   User identity switch
    janedoe@xyz.com      janedoe@xyz.com                       Success
    johndoe@adobe.com    johndoe.@xyz.com                      Fail
  4. Click  and in the drop-down list, choose Bulk edit identity type.

    The Bulk edit identity type dialog is displayed again.

  5. To upload the updated .csv file, click Upload and select the file in the Browse dialog.

After the bulk operation is complete, you will receive an email. You can also view a detailed report of the operation on the Users > Bulk operations Results page.

Also, the users whose identity has changed will receive a notification. Those users will need to use the new identity when working with the Adobe products they have been provisioned.

This process will also migrate the permissions and provisioned products for all migrated users.

Important: If your users were previously using Adobe IDs and had assets linked to their Adobe ID account, these users will need to migrate these assets as described in Migrate assets using Adobe Creative Cloud.
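
Because the country code cannot be changed later and a mismatched email makes the switch fail, it is worth checking the edited .csv before uploading it in step 5. The following is an added example, not an Adobe tool: it applies the rules stated on this page (email match, domain claimed for one identity type, country code present) to constructed sample rows. The exact header spellings, the use of the User name column as the Adobe ID email, and case-insensitive email comparison are assumptions.

```python
import csv
import io

MANAGED = {"Enterprise ID", "Federated ID"}
VALID_TYPES = MANAGED | {"Adobe ID"}

def validate_bulk_edit(csv_text, claimed_domains):
    """Return [(line_number, problem)] for rows to fix before upload.
    claimed_domains maps each claimed domain to the identity type it was claimed for."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        old = row["Identity type"].strip()
        new = row["New identity type"].strip()
        user = row["User name"].strip().lower()
        new_email = row["New email"].strip().lower()
        if new not in VALID_TYPES:
            problems.append((line_no, f"unknown new identity type {new!r}"))
            continue
        if not row["New country code"].strip():
            problems.append((line_no, "country code is empty and cannot be changed later"))
        if new in MANAGED:
            # A domain can back Enterprise IDs or Federated IDs, not both.
            domain = new_email.rpartition("@")[2]
            if claimed_domains.get(domain) != new:
                problems.append((line_no, f"{domain or 'no domain'} is not claimed for {new}"))
            # Adobe ID -> managed ID: the new email must match the Adobe ID email.
            if old == "Adobe ID" and new_email != user:
                problems.append((line_no, "new email does not match the Adobe ID email"))
    return problems

# Constructed sample file and claimed-domain map (hypothetical organization).
SAMPLE = """Identity type,User name,Domain,New identity type,New email,New username,New country code
Adobe ID,janedoe@xyz.com,xyz.com,Enterprise ID,janedoe@xyz.com,janedoe,US
Adobe ID,johndoe@adobe.com,adobe.com,Enterprise ID,johndoe.@xyz.com,johndoe,US
Adobe ID,sam@xyz.com,xyz.com,Federated ID,sam@xyz.com,sam,
"""
CLAIMED = {"xyz.com": "Enterprise ID"}

if __name__ == "__main__":
    for line_no, problem in validate_bulk_edit(SAMPLE, CLAIMED):
        print(f"line {line_no}: {problem}")
```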

User emails

After the bulk operation is complete, your users will receive the following emails indicating that they will need to use their new credentials:

Federated IDs

Enterprise IDs

Password requirements

Adobe Enterprise Dashboard supports several password protection levels and policies to ensure safety and security. You can specify a password protection level that applies to all users across your organization. Adobe supports six levels of security. Password policies apply to Adobe ID and Enterprise ID account types.

All accounts include a lockout mechanism. If the system detects a quick succession of multiple failed login attempts, the user account is temporarily unavailable to prevent brute force attacks.

To specify a password policy, do the following:

  1. In the Enterprise Dashboard, choose Identity > Password Requirements.

  2. Click a password level to select it, and then click Save.

Manage encryption

For more information, see Manage encryption.

Event logs

Event logs give you more information about errors that may happen while setting up your Federated ID. You can view details on any active domain configured as Federated ID by viewing the event logs in the Enterprise Dashboard.

For details, see View Federated ID event logs.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
