Adobe-supported domain identity types

When you are setting up your Adobe Admin Console, you need to decide which type of users you plan to create.

Adobe supports three identity (account) types, all of which use an email address as the user name.

Adobe ID is created, owned, and managed by the end user. Adobe performs the authentication and the end user manages the identity. Users retain complete control over files and data associated with their ID. Users can purchase more products and services from Adobe. Admins invite users to join the organization, and can remove them. However, users cannot be locked out from their Adobe ID accounts, and the admin can't delete or take over the accounts.

Enterprise ID is created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID. End users cannot sign up and create an Enterprise ID, nor can they sign up for more products and services from Adobe using an Enterprise ID.

Federated ID is created and owned by an organization, and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 identity provider.

For details on identity types, see Manage identity types.

To use Enterprise ID or Federated ID, set up your own authorization source by claiming a domain. For example, if your email address is john@example.com, example.com is your domain. A claimed domain permits the creation of Enterprise IDs or Federated IDs with email addresses on the claimed domain.

For more details, see Claim a domain.

Request access to a claimed domain

A domain can only be claimed by a single organization. So consider the following scenario:

A company, Geometrixx, has multiple departments, each of which has its own Admin Console. Each department wants to use either Enterprise or Federated user IDs, all on the geometrixx.com domain. In this case, the system administrator for each of these departments would want to claim this domain for identity use. The Admin Console prevents multiple departments from claiming the same domain. However, once the domain is claimed by a single department, other departments can request access to it through the domain claim process.

The first department to claim the domain (owner) is responsible for approving any requests for access by other departments (trustees).

Manage request access by trustee organization

If you plan to use Enterprise or Federated ID on your Admin Console, you must claim the domain associated with your organization. If this domain has already been claimed by another organization, you can request access to the domain as a trustee.

Request access

To request access to a claimed domain, follow these steps.

  1. Sign in to the Admin Console, and navigate to Settings > Identity.

  2. Click Start Claiming a Domain, or Add a Domain.

    The Add New Domain screen appears.

  3. Enter a domain name, and select the domain type.

  4. If you are setting up Federated IDs, click Next. If you are setting up Enterprise IDs, click Add New Domain.

    If another organization has already claimed the domain, you are prompted with the following message:

    Request Access To a Claimed Domain

    Note:

    If the domain has not been claimed, follow the procedure detailed in Claim a domain.

  5. To request access to the domain, click Yes.
    An email request is sent to the system administrators of the owning organization, sharing your name, email, and organization name.

When the trust request is accepted by the owner, your organization will have access to the domain as it has been configured.

Note:

The type of domain (Enterprise or Federated) depends on how it is set up by the owning organization. This implies that if the domain is already claimed, you (trustee) cannot choose or change the type of domain setup.

Check request status

After you have made a request for a claimed domain, you can check the status of the request.

  1. In the Admin Console, navigate to Settings > Identity.

    The Identity page lists the domains in your organization, along with the status of the domains.

  2. If the status of the domain is Inactive - Access Request Pending, click the domain name.

  3. You can choose to resend the request to the administrators of the owning organization. Or, you can choose to withdraw your request for the claimed domain.

    When your request to access the domain is accepted by the owning organization, you will receive an email notification.

  4. After your access request is approved, you can manage Enterprise ID or Federated ID users in your organization for the requested domain. For more details, see Manage users.

Withdraw trustee status

As a trustee, if you no longer need access to the trusted domain, you can withdraw your trustee status at any time.

  1. On the Identity page, click the name of the domain to withdraw your trustee status.
    The details of the domain are displayed.

  2. Click Withdraw Trustee Status.

    The Withdraw Trustee Status dialog box displays.

  3. Click Withdraw.

If you withdraw your access to an owning domain, all the users of your organization are removed from the domain. Also, these users lose access to any software granted to them by your organization.

Caution:

This operation cannot be undone.

Manage request access by owning organization

As a system administrator of an owning organization, you can choose to accept or reject the requests for access to the domains that you own. 

Accept request

The admin of the owning organization receives an email notification for the domain access request, with a link to the Domain Sharing Requests page. Click the link in the email and follow these steps to accept the request.

  1. Click the link in the email notification to open the Domain Sharing Requests page.

    On the Domain Sharing Requests page, click Accept for a pending request.
    The Accept Domain Access Request dialog box appears.

    Note:

    A trustee organization can add users to a domain that you own, but that organization cannot remove users from the domain. As the system administrators of the owning domain, you can remove users created by trustee organizations. However, if the organization withdraws its trustee status, all the users of that organization are removed from the domain.

  2. To notify all system administrators via email when new users are created, select the check box on the Accept Domain Access Request dialog box.

  3. Click Accept Request.
    An email is sent to the system administrators of the trustee organization.

  4. To view details of the domain for which you accepted the access request, click the domain name on the Identity page. Navigate to Trustees, where you can manage the new user email notifications for each trustee organization.

Reject request

You can also choose to reject the request to access a domain that you own.

  1. On the Domain Sharing Requests page, click Reject for a pending request.

    The Reject Domain Access Request dialog box appears.

  2. Enter a reason for rejecting the request and click Reject Request.

Note:

The reason that you provide is shared with the requesting organization. However, your email, name, and organizational information are withheld.

Revoke access

You can revoke the access of a trustee organization to which you have previously given access.

  1. In the Admin Console, navigate to Settings > Identity.

    The Identity page lists the domains in your organization.

  2. Click the name of the domain for which you want to revoke access, and navigate to Trustees.

  3. Select the check box next to the Trustee organization's name, and click Revoke Trustees.

    The Revoke Domain Access dialog box opens.

  4. Enter a reason for revocation, and click Revoke Access.

If you revoke the access of a trustee organization, all the users of the trustee organization are removed from the domain. Also, these users lose access to any software granted to them by the trustee organization.

Note:

This operation cannot be undone.

Manage users of trustee organization

When an owning organization gives access to a trustee organization, the trustee can then add users to the owning organization.

The users added by a trustee organization are managed primarily by the trustee organization itself. However, as the owning organization, you can manage the users of all trustee organizations.

You can:

  • Delete a user who has left the company (user should no longer be able to log in and receive software).
  • Troubleshoot user login issues for Federated ID users.
  • Change information about the user, such as their first or last name.

To manage users of a trustee organization, follow these steps:

  1. In the Admin Console, navigate to Settings > Identity.

    The Identity page lists the domains in your organization.

  2. Click the domain name to manage users, and navigate to Domain Users.

    A list of domain users is displayed, which contains all the users of this domain, including users of trustee organizations.
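Because revoking a trustee removes all of that organization's users from the domain and cannot be undone, an owner may want to measure the impact from the domain user list first. The following is an added example, not Adobe code: the CSV layout, its column names, and the organization names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions, not an Adobe format.
SAMPLE_EXPORT = """email,organization,products
ana@geometrixx.com,Geometrixx IT,Creative Cloud
ben@geometrixx.com,Geometrixx Marketing,Creative Cloud;Acrobat
cho@geometrixx.com,Geometrixx Marketing,Acrobat
dev@geometrixx.com,Geometrixx Design,Creative Cloud
eve@geometrixx.org,Geometrixx Design,Acrobat
"""

def load_users(text):
    """Parse the export into dicts with a normalized email and a product list."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "email": row["email"].strip().lower(),
            "org": row["organization"].strip(),
            "products": [p.strip() for p in row["products"].split(";") if p.strip()],
        })
    return users

def off_domain(users, claimed_domain):
    """Emails not on the claimed domain; a domain user list should contain none."""
    suffix = "@" + claimed_domain.lower()
    return [u["email"] for u in users if not u["email"].endswith(suffix)]

def revocation_impact(users, owner_org):
    """Per trustee organization: users removed on revoke and the products they lose."""
    impact = defaultdict(lambda: {"users": [], "products": set()})
    for u in users:
        if u["org"] != owner_org:  # only users added by trustees are affected
            impact[u["org"]]["users"].append(u["email"])
            impact[u["org"]]["products"].update(u["products"])
    return dict(impact)

if __name__ == "__main__":
    users = load_users(SAMPLE_EXPORT)
    print("off-domain:", off_domain(users, "geometrixx.com"))
    for org, hit in sorted(revocation_impact(users, "Geometrixx IT").items()):
        print(org, len(hit["users"]), sorted(hit["products"]))
```
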

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
