User Guide

Education Deployment Setup With User Sync

In this configuration, Federated users are added, updated, and removed using a sync, and the directory can be synced from Microsoft Entra or Google Workspace.  

Video Demos 

These videos cover K-12 for Adobe Express. Syncing users and assigning licenses to groups follows the same process for Higher Education, just with different product names.

Education Setup – Syncing Users 

  1. Create a directory
  2. Configure a Federated Directory
  3. Claim Domain/s
  4. Configure Synchronization 
  5. Prepare product profiles
  6. Assign a Product profile to groups

This guide will cover syncing users from Microsoft Azure (Entra) and Google Workspace for Education.

Alternative syncing options are available, enabling users to sync from an on-premises directory using the User Sync Tool or directly via Adobe’s User Management API (https://developer.adobe.com/UMAPI/).

  1. Create a directory

    Adobe Admin console > Settings > Create Directory 

    Enter a name for the directory—this is an internal name and is not shared publicly—and select Federated Directory. 

    A screenshot of the Create Directory wizard with a text box for the name of the directory and two cards one for Federated ID and the other for Enterprise ID. The Federated ID card is selected.

  2. Configure a Federated Directory 

    Follow Azure/Entra, Google, or SAML steps to configure the federated directory with your identity provider.  

    On the confirmation screen, set auto account creation to Not enabled. In this setup, users are created and managed via sync.

    A screenshot of the create federated directory wizard displaying the options for Azure, Google and Other SAML

  3. Claim Domain/s

    Once the directory screen is completed, claim domains using a Microsoft Global Admin Account or a Google Super Admin; this will list all available Domain/s in your identity provider console. If your organization is not using Azure/Entra or Google, you can validate domain ownership by creating a DNS text record with your domain registrar. 

    Domain Claim Guide 

    A screenshot of an admin claiming domains in the adobe admin console

    Is an enforced Google policy preventing domain validation?

    If a Google API control policy blocks you during the domain claim process, add the following Client ID as a trusted app using the steps below: 880547366666-6dhr4mqsutv0a98arjksgflfh02kgp98.apps.googleusercontent.com

    1. Google Admin Console > Security > Access and Data Controls > API Controls > Manage Third-Party Apps
      https://admin.google.com/ac/owl/list?tab=configuredApps
      Add App > Search by name or Client ID
    2. Paste the above Client ID 
    3. Search
    4. Select the Adobe App
    5. Enable it for the entire org
    6. Select Trusted

    It can take up to 20 minutes for the Google API to update the permissions.

  4. Configure Synchronization 

    Select the Sync Tab
    From here you select Add sync

    Select sync from Microsoft or Google

    This will then open a configuration window for your selected sync provider.


    Microsoft Sync Setup

    If setting up a new directory, the Adobe Identity Management App is installed during the directory authentication stage. 

    To access the app visit

    Azure > Enterprise Applications > Adobe Identity Management

    Select Provisioning > Get Started

    Copy the values from the Adobe Admin Console sync configuration screen and paste them into the provisioning configuration screen in Azure.

    Test the connection

    You can select the users and groups to which you need to assign licenses.

    Tip > To test provisioning after selecting the users or groups, choose Provision on demand and identify a user to test the sync.

    After the sync, you can visit the Adobe Admin Console > Users > User Group to see the synced groups and users.

    After testing the sync, please enable it in Azure and confirm the setup on the Adobe Admin Console sync config screen.

    Tip:

    If syncing a large group of more than 100,000 users, sync a user on demand and then complete the license assignment (stage 5).

    Once the license has been assigned to the group, enable the full sync. Doing it in this order avoids being unable to assign the license because the group is too large.


    Google Sync Setup

    If setting up a new directory, the Adobe (SAML) app is installed during the directory authentication stage. 

    To access the app, visit

    Google Admin Console > Apps > Web and Mobile > Adobe web (SAML)

    Enable the app for everyone or for specific OUs

    Select Configure Auto-Provisioning

    Copy the values from the Adobe Admin Console sync configuration screen and paste them into the provisioning configuration screen in Google.

    On the attribute mapping screen, enable the Organizational Unit field to sync.

    Map urn:ietf:params:scim:schemas:extension:Adobe:2.0:User.organizationalUnit to Organization unit path

    After completing the wizard > Enable Sync

    Users can take up to 10 minutes to appear in the Adobe Admin Console. 

    A screen Edit autoprovisioning for Adobe selecting the Organizational unit.


    Tip:

    Adding the Organizational Unit Path mapping during the sync configuration will enable the assignment of licenses by group; otherwise, the users are just added to the org with no group membership. 

    Google Sync currently only supports OUs and not Groups. 

    Google’s OU groups are hierarchical OUs, and they will contain all users in the sync scope. Your Organizational Unit structure in Google determines this. For example:

    • OU\ - Contains all users
    • OU\Students - Contains all students from School A and School B
    • OU\Students\School A - Contains all students from School A
    • OU\Students\School B - Contains all students from School B
    • OU\Staff\ - Contains all staff from School A and School B
    • OU\Staff\School A - Contains all staff from School A
    • OU\Staff\School B - Contains all staff from School B

    If an existing Google Sync is configured, edit the auto-provision attribute mapping for the Organizational Unit to automatically trigger a full sync and sync the OUs to the Adobe Admin Console.

  5. Configure Product Profiles

    For the products you plan to assign to users, select the product and the product profile. Every product will have a default configuration.  

    Adobe Admin Console > Products > Select a Product > Product Profile 

    A screen shot of a product profile with a highlight on the Details button

    The product profile provides the following controls

    • Control Services within the product - Firefly for K-12
    • License Quota - Number of licenses that can be assigned from this profile
    • Email notification - Notify users if a license is assigned or removed

    Tip:

    If assigning licenses to multiple users, you may choose to turn off email notifications to soft deploy the license to users.

    A screen showing the profile editor turning off email notifications.

  6. Assign a Product Profile to Groups

    Adobe Admin Console > Users > User Groups 

    Select a user group

    Select Assigned Product Profiles 

    A screen of assigning a product profile to a group.

    Here, you can select or change product profiles assigned to the group.

    When a user is synced and added to this group, they will receive the product profiles assigned to the group. If a user is removed from the sync group (for example, because they have left the organization), their product assignment from this group will be removed, and the license will be re-assigned to another user.

    You can create multiple product profiles for each product with different settings. If you have more than one product profile for a product, you can select the specific profile when assigning it to the group.
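
The following sketch models the behaviour described in steps 4 to 6: a user's Organizational Unit path places them in every parent OU group, and they receive every product profile assigned to those groups. It is an added example, not Adobe's or Google's code; the SCIM payload shape, the slash-separated OU paths, the user names and the profile names are constructed assumptions, and only the extension attribute name comes from this guide.

```python
# Added example: OU-based group membership as described in this guide.
# Payload shape, OU paths and profile names below are constructed assumptions.
ADOBE_EXT = "urn:ietf:params:scim:schemas:extension:Adobe:2.0:User"  # from the guide


def ou_groups(ou_path):
    """Return every hierarchical OU that contains a user at ou_path."""
    parts = [p for p in ou_path.strip().split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_access(scim_user, group_profiles):
    """Return (groups, profiles) a synced user would receive."""
    ou = (scim_user.get(ADOBE_EXT) or {}).get("organizationalUnit")
    if not ou:  # OU mapping not enabled: user lands in the org with no groups
        return [], set()
    groups = ou_groups(ou)
    profiles = set()
    for group in groups:
        profiles |= group_profiles.get(group, set())
    return groups, profiles


def audit(users, group_profiles):
    """Map userName -> sorted profiles, and list users who get nothing."""
    report, unlicensed = {}, []
    for user in users:
        _, profiles = effective_access(user, group_profiles)
        report[user["userName"]] = sorted(profiles)
        if not profiles:
            unlicensed.append(user["userName"])
    return report, unlicensed


# Constructed sample data (hypothetical users, OUs and profile names).
GROUP_PROFILES = {
    "/Students": {"profile-students"},
    "/Staff": {"profile-staff"},
    "/Staff/School B": {"profile-staff-extra"},
}
USERS = [
    {"userName": "alice@example.org", ADOBE_EXT: {"organizationalUnit": "/Students/School A"}},
    {"userName": "bob@example.org", ADOBE_EXT: {"organizationalUnit": "/Staff/School B"}},
    {"userName": "carol@example.org"},  # synced without the OU attribute
]

if __name__ == "__main__":
    print(audit(USERS, GROUP_PROFILES))
```

Because membership is inherited from parent OUs, a profile assigned to a top-level OU group reaches every user beneath it, so review assignments on broad groups before enabling the full sync.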


Share Quick Login URL with users

For Adobe Express, share a specific URL with your users. This URL will trigger an SSO login to your primary IDP configured in the directory that owns the domain.

The URL format is 
https://new.express.adobe.com/a/domain.org 
Replace domain.org with one of the domains registered in the directory.



Pin the Adobe Express SSO Launch URL to the taskbar of a Chromebook

Google Workspace Admins Only

In the Google Admin Console > Apps & Extensions https://admin.google.com/ac/chrome/apps/user add the following as a URL:

https://new.express.adobe.com/chrome-tab/a/domain.org
Replace domain.org with a domain claimed in your Admin Console federated directory.

To pin to the taskbar, select Force install + Pin to ChromeOS taskbar.

  • If multiple domains are registered in your federated directory, use any one of the domains.
  • If you have multiple directories, you must create a link for each directory using any one of the domains owned by that directory.

User Sync Video Tutorials 

Adobe Express for K-12 User Sync with Microsoft Azure (Entra)

Adobe Express for K-12 User Sync with Google Workspace
