When you are setting up your Adobe Admin Console, you need to decide which type of users you plan to create.
Adobe supports three identity or account types; they use an email address as the user name.
Adobe ID is created, owned, and managed by the end user. Adobe performs the authentication and the end user manages the identity. Users retain complete control over files and data associated with their ID. Users can purchase additional products and services from Adobe. Admins invite users to join the organization, and can remove them. However, users cannot be locked out from their Adobe ID accounts, and the accounts can't be deleted or taken over by the admin.
Enterprise ID is created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID. End users cannot sign up and create an Enterprise ID, nor can they sign up for additional products and services from Adobe using an Enterprise ID.
Federated ID is created and owned by an organization, and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 identity provider.
For details on identity types, see Manage identity types.
To use Enterprise ID or Federated ID, set up your own authorization source by claiming a domain. For example, if your email address is firstname.lastname@example.org, example.org is your domain. A claimed domain permits the creation of Enterprise IDs or Federated IDs with email addresses on the claimed domain.
For more details, see Claim a domain.
A domain can only be claimed by a single organization. So consider the following scenario:
A company, Geometrixx, has multiple departments, each of which has its own unique Admin Console. Also, each department wants to use either Enterprise or Federated user IDs, all utilizing the geometrixx.com domain. In this case, the system administrator for each of these departments would want to claim this domain for identity use. The Admin Console prevents multiple departments from claiming the same domain. However, once claimed by a single department, other departments can request access to it through the domain claim process.
The first department to claim the domain (owner) will be responsible for approving any requests for access by other departments (trustees).
If you plan to use Enterprise or Federated ID on your Admin Console, you must claim the domain associated with your organization. If this domain has already been claimed by another organization, you will need to request access to the domain as a trustee.
Choose an identity type and click Submit.
If the domain has already been claimed by another organization, you are prompted with the following message:
If the domain has not been claimed, follow the procedure detailed in Claim a domain.
The type of domain (Enterprise or Federated) depends on how it was set up by the owning organization. This implies that if the domain is already claimed, you (trustee) cannot choose or change the type of domain setup.
If the domain request is pending, you can choose to send a reminder to the organization that owns or has previously claimed the domain.
Or you can choose to withdraw your request for the claimed domain.
If your request for the domain is accepted by the owning organization, you will receive an email notification. The status of your request on the Domain Configuration tab is also updated.
If a trustee organization no longer needs access to the trusted domain, it may withdraw its trustee status at any time.
If you withdraw your access to an owning domain, any users that belong to the domain (meaning that they log in using the domain credentials) will be removed from your organization. Also, these users will lose access to any software granted to them by your organization.
This operation cannot be undone.
As a system administrator of an owning organization, you can choose to accept or reject the requests for access to the domains that you own.
When you get an email request for access to a claimed domain, you can either choose to accept or reject the request from within the email itself. You can also go to the Domain Access Requests tab to manage the claim request.
When you give a trustee organization access to a domain that you own, you give the trustee rights to add users to that domain.
A trustee organization can add users to a domain that you own, but that organization cannot remove users from the domain. As a system administrator of the owning domain, you will need to remove users created by trustee organizations. However, if the organization withdraws its trustee status, all the users of that organization will be removed from the domain.
The reason that you provide will be shared with the requesting organization. However, your email, name, and organizational information will be withheld.
If you revoke the access of a trustee organization, any users that belong to the domain (meaning that they log in using the domain credentials) will be removed from your organization. Also, these users will lose access to any software granted to them by your organization.
This operation cannot be undone.
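Because withdrawing or revoking trustee access cannot be undone, it helps to list the affected accounts and entitlements before acting. The following is an added example, not Adobe's code or API: it runs on a constructed roster, the record fields and product configuration names are hypothetical, and it assumes that Adobe ID accounts stay in place even when their email address is on the domain, since they do not sign in with domain credentials.

```python
from dataclasses import dataclass, field

# Identity types whose sign-in depends on a claimed domain (per the page).
DOMAIN_BOUND_TYPES = {"enterprise", "federated"}


@dataclass
class User:
    email: str
    identity_type: str            # "adobe", "enterprise" or "federated"
    product_configs: list = field(default_factory=list)


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].strip().lower()


def trust_removal_impact(users, domain):
    """Split a trustee org's users into those removed when trust on
    `domain` ends and those who stay. Assumption: Adobe ID accounts are
    user-owned, so they stay even if their email is on the domain."""
    domain = domain.lower()
    removed, kept = [], []
    for u in users:
        bound = (u.identity_type.lower() in DOMAIN_BOUND_TYPES
                 and email_domain(u.email) == domain)
        (removed if bound else kept).append(u)
    # Entitlements lost: product configurations held by removed users.
    lost = {}
    for u in removed:
        for pc in u.product_configs:
            lost.setdefault(pc, []).append(u.email)
    return removed, kept, lost


# Constructed sample roster for a trustee organization (not real data).
SAMPLE_USERS = [
    User("ana@geometrixx.com", "federated", ["Creative Cloud - Design"]),
    User("Raj@Geometrixx.com", "federated", ["Creative Cloud - Design", "Acrobat"]),
    User("lee@geometrixx.com", "adobe", ["Acrobat"]),
    User("kim@partner.example", "enterprise", ["Acrobat"]),
]

if __name__ == "__main__":
    removed, kept, lost = trust_removal_impact(SAMPLE_USERS, "geometrixx.com")
    for pc, emails in sorted(lost.items()):
        print(f"{pc}: {len(emails)} user(s) lose access -> {', '.join(emails)}")
    print("unaffected:", [u.email for u in kept])
```

Matching is on identity type as well as email domain, so an Adobe ID that happens to use a company address is reported as unaffected rather than counted among the removals.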
When an owning organization gives access to a trustee organization, the trustee can then add users to the owning organization.
This means that the users added by a trustee organization are managed primarily by that organization. The owning organization user list contains only users that are added by that organization.
However, as the owning organization, you can manage the users of all trustee organizations.
You might need to manage a domain user, if you need to:
- delete a user that has left the company (user should no longer be able to log in and receive software).
- troubleshoot user login issues for Federated ID users.
- change information about the user, such as their first or last name.
To manage users of a trustee organization, do the following:
If you only want to revoke access to products and services, without deleting any associated data, do not delete the user but remove the user from any product configurations that confer entitlements.