
Education Deployment Setup Concepts

This page covers background information for user management and application deployment.


Single Sign-on

To configure Single Sign-on, your license type must be Enterprise Licenses.

The following are key components of an Adobe Single Sign-on setup:

Directory

A directory contains the authentication configuration for a specific domain or group of domains. The Admin Console supports multiple directories.

Domains

A fully qualified domain. Ownership is proven via a DNS token or by logging in as a Microsoft or Google admin. Only one directory can own a specific domain.

Federated Directory

A directory connected to an identity provider using SAML or OIDC.

User Sync

Federated Directories enable users to be synced via Google Workspace or Microsoft 365.

Microsoft Azure Sync allows users or groups, including dynamic groups, to be assigned to the enterprise application.
If syncing nested groups from Microsoft, you must include all the groups in the nest.

Google Workspace Sync doesn't support Groups; you can configure the sync to share Organizational Units (OU).

Roster Syncing is available for K-12 in the US.

The roster sync becomes your source of truth for automated user creation and management. If moving from Google or Microsoft sync to a Roster solution, please ensure all users are included in the sync scope of your roster tool.

Note:

Typically, only classroom staff and students are synced from the Roster; admins can manually add users outside the sync scope, and these users will require manual updating.

Alternative (Advanced) Sync Options

Organizations that are unable to use Azure, Google Workspace, Clever or ClassLink can use the Adobe User Management API or the User Sync Tool to manage users from other sources.

Tip:

It is possible to set Google as the primary identity provider and sync from Microsoft Entra to the Adobe Directory, enabling Group sync functionality in situations where email addresses match on both systems.

Note:
  • A single Microsoft Entra tenant can sync to multiple Adobe Admin Console Directories.
  • Each directory must have a unique domain name.
  • Each Adobe Directory sync will require a new Adobe Identity Management App instance.
  • Rename each instance to enable simple identification of the correct syncing application. Also, ensure that only users from the owned domain are synced to the correct Adobe Admin Directory.
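
An added example (not Adobe's code) of a pre-sync audit for the multi-directory setup in the note above: it checks that every user assigned to an Adobe Identity Management App instance has an address in a domain owned by that instance's directory, and that no domain is claimed by two directories. The instance names, directory names, domains and assignment list are constructed; in practice they would come from your own Entra and Admin Console exports.

```python
from collections import defaultdict

# Constructed inventory: one renamed app instance per Adobe directory, with
# the domains that directory owns. All names here are hypothetical.
INSTANCES = {
    "Adobe IdM - North High": {"directory": "north-dir", "domains": {"north.example.edu"}},
    "Adobe IdM - South High": {"directory": "south-dir", "domains": {"south.example.edu"}},
}

# Constructed export of (app instance, user principal name) assignments.
ASSIGNMENTS = [
    ("Adobe IdM - North High", "amy@north.example.edu"),
    ("Adobe IdM - North High", "Ben@NORTH.example.edu"),           # case differs only
    ("Adobe IdM - North High", "cal@south.example.edu"),           # other school's domain
    ("Adobe IdM - South High", "dee@students.south.example.edu"),  # subdomain, not owned
    ("Adobe IdM - South High", "eve"),                             # no domain part
]

def domain_conflicts(instances):
    """Return domains claimed by more than one directory."""
    owners = defaultdict(set)
    for cfg in instances.values():
        for domain in cfg["domains"]:
            owners[domain.lower()].add(cfg["directory"])
    return {d: sorted(dirs) for d, dirs in owners.items() if len(dirs) > 1}

def out_of_scope(instances, assignments):
    """Return (instance, user, reason) for users the instance should not sync."""
    findings = []
    for instance, upn in assignments:
        cfg = instances.get(instance)
        if cfg is None:
            findings.append((instance, upn, "unknown-instance"))
            continue
        local, sep, domain = upn.strip().rpartition("@")
        owned = {d.lower() for d in cfg["domains"]}
        if not (local and sep and domain):
            findings.append((instance, upn, "malformed-address"))
        elif domain.lower() not in owned:
            # Assumption: exact match only, a subdomain counts as its own domain.
            findings.append((instance, upn, "domain-not-owned"))
    return findings

if __name__ == "__main__":
    print("conflicts:", domain_conflicts(INSTANCES))
    for finding in out_of_scope(INSTANCES, ASSIGNMENTS):
        print(finding)
```

Run it against each instance's assignment list before enabling provisioning; any finding means a user would land in a directory that does not own their domain.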

For Google, when syncing users, we recommend syncing your Google OUs; this enables you to assign licenses or product profiles to a specific OU.

Only a single Google SAML App can be installed in a Google Workspace tenant, limiting the sync from Google Workspace to a single Adobe Directory.

Enterprise Directory

An enterprise directory requires the admin to have proven ownership of domains. Users are added to the Adobe Admin Console and will receive an invite link. They then must create a password.

To reset the password, the user must select the reset password option at any Adobe sign-in screen.

Tip:

We recommend using a Federated Directory with education users as this supports user sync and authentication from your existing Identity Provider.

Migrate users from Enterprise to Federated Directory guide.

Moving users and assets across admin consoles

Moving or merging users and their user-generated content from one Adobe Admin Console to another is not currently possible.

If your organization has an existing Adobe Admin Console, configure your deployment on this console.

How do I find the Free Licenses in my console?

K-12 (Primary and Secondary)

To access Adobe Express for free in your console, visit 

Adobe Admin Console > Products > Adobe Express for K-12 Get started

Higher Education 

If you purchased Shared Device Licenses for Higher Education, deploy the unlimited Shared Device Access License to enable users logging in to a Shared Device License to use fonts, storage and Gen AI. In your console, visit

Adobe Admin Console > Products > Shared Device Access License > Get started

Directory Structure Considerations

The structure of the organization’s productivity platform will influence the Adobe Admin console configuration.

For complex organizations, Global Admin Console can support multiple console and license management.

| Productivity Configuration | Sync Source Azure | Sync Source Google |
| --- | --- | --- |
| Single school, single domain | A single Adobe Admin with a single Federated Directory | A single Adobe Admin with a single Federated Directory |
| Multiple schools, single domain | A single Adobe Admin with a single Federated Directory | A single Adobe Admin with a single Federated Directory |
| Multiple schools, multiple domains, multiple Azure/Google tenants | Single Adobe Admin console with multiple directories, or one Adobe Admin with a single Federated Directory per domain | Single Adobe Admin console with multiple directories, or one Adobe Admin with a single Federated Directory per domain |
| Multiple schools, multiple domains, single Google/Azure tenant | Single Adobe Admin console with a single directory, or single Adobe Admin console with a directory for each domain, or one Adobe Admin console with one directory per domain | Single Adobe Admin console with a single directory |

Creative Cloud All Apps Deployment Options

Shared device Licenses

These are managed packages linked to a Shared Device profile. When building deployment packages, create two separate packages for each application, e.g., Photoshop and Illustrator.

Tip:

For the Shared Device License, we recommend assigning Adobe Express for K-12 to K-12 users and the Creative Cloud Shared Device Access license to Higher Education users, as this provides access to services including Firefly, Fonts, and Storage.

Deployment Packages are built in the Adobe Admin Console 

Adobe Admin Console > Packages

Adobe Packages Guide  

Named User

Home Access

Users with a Named User License can visit https://adobe.com/home and download Creative Cloud onto their own devices at home.

Self-Service

These packages install the Adobe Creative Cloud Desktop App with elevated privileges. Once the user signs in with their Adobe Account with an All Apps License, they can install and update the apps on their device without requiring an IT Admin to log in.

Managed

This type of package is limited to the applications selected by the admin when creating the package. This prevents the end user from installing additional applications or upgrading the applications already installed. It is recommended to create a separate package for each application, e.g. Adobe Photoshop, Adobe Illustrator and Adobe InDesign as three separate packages.

Adobe Enterprise Device Authentication

For organization-owned devices, the admin can add a registry edit or plist file to force users to log in via the organization's primary identity provider, removing social login options.

Enterprise Device Authentication Guide
