Go to Adobe Admin Console Identity settings section.
Last updated on
Jan 19, 2026
Applies to enterprise.
Identity provider-initiated login enables users to access Adobe apps directly from your identity provider (IdP), giving them a faster and error-free sign-in experience.
Go to Admin Console Identity settings > SAML RelayState to customize where users land after signing via IdP-initiated login.
Make sure you've the following before you set up IdP-initiated login:
- Adobe Admin Console system admin credentials
- Identity provider admin credentials
You can configure IdP-initiated login for any of the following Adobe web apps:
- Adobe Home
- Experience Cloud Home
- Adobe Express
- Adobe Workfront
- Adobe Experience Manager
- Faster entry into Adobe apps directly from IdP
- Customizable user experience via optional RelayState configuration
- Better alignment between Adobe Admin Console and IdP workflows
- Centralized authentication for admins
If you are getting started with the Adobe Admin Console, you must set up a directory via Google federation or any other SAML-based IdP. Refer to Common questions for help regarding setting up your SAML-IdP portal.
Your Admin Console directory with SAML federation setup automatically supports IdP-initiated login. All users in this directory can use the Adobe app on IdP to launch Adobe Home by default.
You can customize which Adobe web app you want your users to launch by following the steps:
-
-
Go to the SAML RelayState tab and select Copy URL next to the app where you want your users to land when using IdP-initiated login.
-
Go to your IdP portal and paste the copied Adobe app link to the appropriate field. Different identity providers use different names for the app link field. Refer to some examples below:
Identity provider Entry field for copied app link Okta Default Relay State Microsoft Azure AD Relay State Google Start URL Ping Federate Relay State OneLogin Relay State Note- If you leave the RelayState value empty in your IdP portal, Adobe Home becomes the default destination when your users sign in via IdP-initiated login.
- If you're configuring IdP-initiated Login for Microsoft Azure, then make sure to leave the Sign on URL field empty in Azure Portal. Any value entered in the Sign on URL field blocks IdP-initiated login and only allows SP-initiated login.
Once you've completed the setup, users can access the Adobe web app from their identity provider.
For example: Adobe app in Google App Launcher takes users to Adobe Express web if the RelayState value is Adobe Express.
Yes. IdP-initiated login only supports authentication to Adobe's web applications.
Identity providers have distinct fields where you have to enter the app link copied from Adobe Admin Console. Refer to your IdP's technical documentation to learn about the IdP setup. Some widely used IdP documentations are listed below:
- Google Workspace Admin help: Set up your own custom SAML app
- Okta Support Center: How to Redirect Users to Specific Page During SAML SSO
- Microsoft AD FS: Set up a SAML 2.0 provider with AD FS
- Microsoft Entra: Enable SAML single sign-on for an enterprise application
Some IdPs allow multiple applications to use the same SAML 2.0 configuration. If your IdP supports this model, you can configure multiple RelayState destinations without needing additional SAML setups.
If your IdP requires a separate SAML configuration for each RelayState or SAML application, then you can only configure a single SAML application on the IdP and choose only one available web app URLs as the RelayState.
IdP-initiated login is only available for SAML-based identity providers. You won't see the SAML RelayState setting if you have set up your directory using an OIDC-based identity provider. For example, Azure AD OIDC setup.
No. Only SAML-based setups are supported.
Ensure the app link in the IdP exactly matches the link copied from the Adobe Admin Console. Any change to the link may cause an error.
If users continue to face a sign-in error, check and confirm that the user is attempting to sign in from the IdP portal or application tile. Sign-in attempts initiated from other entry points, such as email links, bookmarks, or direct URLs, are not considered IdP-initiated login.
Join the conversation
To collaborate, ask questions, and chat with other administrators, visit our Enterprise and Teams Community.
