Learn how to configure Adobe Experience Manager (AEM) Assets for use with the Adobe Asset Link (AAL) extension for Creative Cloud applications.

Introduction

Before Adobe Creative Cloud users with Enterprise IDs and Federated IDs can access content in AEM Assets, you must configure AEM to let users connect with AEM Assets.

The following are the broad steps required to configure an AEM instance for Adobe Asset Link:

  • Install the Asset Link support feature pack, if necessary.
  • Configure AEM.
  • Manage user access control.
  • Perform other configuration tasks.

The following instructions assume that you have basic knowledge of how to install and configure AEM Assets and administrative access on your AEM instance. If you're not familiar with these topics, contact your organization's partner, system integrator, or relevant Adobe Customer Care manager.

Install the Asset Link support feature pack

Adobe Asset Link is supported by AEM 6.4.4, or later, and AEM 6.5.0, or later (extra installation is required for AEM 6.4.0-6.4.3). Adobe recommends that an AEM deployment be updated to the latest corresponding service pack. The following table describes artifacts required to support Adobe Asset Link for different versions of AEM. In each case, they are listed in the order that they must be installed. You can install the artifacts with the AEM Package Manager (.../crx/packmgr/index.jsp). Learn more about working with AEM packages and downloading them from AEM Package Share.

| AEM Version | Artifacts Required | Remarks |
| --- | --- | --- |
| AEM 6.5.0 or later | None | Adobe Stock integration for AEM was first introduced in AEM 6.4.2. |
| AEM 6.4.4 or later | None | None |
| AEM 6.4.0-6.4.3 | adobe-asset-link-support | Public Feature Pack containing APIs used by Adobe Asset Link (See NPR-29002) |

An optional configuration package can be installed to simplify installation of these versions. See details below.

Note:

This document does not apply to AEM 6.3 configuration for Adobe Asset Link.

AEM 6.3 requires extra modules to be installed. However, the AEM 6.3 maintenance roadmap does not provide extra Feature Packs for this version. Adobe recommends an upgrade to a newer AEM version. For more information about Adobe Asset Link and AEM 6.3 deployments, contact Enterprise Support for AEM, and review Configuring AEM Assets for AEM 6.3.

Certain AEM features that are accessible by Adobe Asset Link are only available in a limited range of AEM versions.

| Feature exposed in Adobe Asset Link | AEM version | Remarks |
| --- | --- | --- |
| Adobe Stock Integration for AEM | 6.5.0 or later; 6.4.2 or later | AEM 6.4.3 had a regression in Adobe Stock integration. It is not recommended for customers using the integration. |
| Visual Search | 6.5.0 or later | If the capability is configured in AEM, Adobe Asset Link users will have access to the "Find Similar" option in the asset action menu. |

Configure AEM

You can configure AEM manually through the AEM web console and AEM CRXDE Lite. To access the web console, navigate to Tools > Operations > Web Console from the AEM web user interface. Then, choose OSGi > Configuration from the main menu. You can also navigate directly to the web console at http://[AEM_server]:[port]/system/console/configMgr.

To access AEM CRXDE Lite, go to http://[AEM_server]:[port]/crx/de/index.jsp.

Sync handler in AEM console manager to configure AEM

You can configure AEM for Adobe Asset Link manually. Adobe recommends that you install a configuration package to automate most of the configuration tasks. If you install the package, modify the configuration parameters that are described below.

Note:

If your AEM instance is already configured for user login with Adobe IMS accounts, do not use the configuration package. Instead, follow the manual configuration instructions.

Configure AEM Assets using the configuration package

The configuration package, mentioned in the following table, automatically sets most of the required configuration settings. Use the AEM Package manager (http://[AEM server]:[port]/crx/packmgr/index.jsp) to install the adobe-asset-link-config package for AEM 6.4.0 or later and for AEM 6.5.0 and later.

| AEM version | Configuration package |
| --- | --- |
| AEM 6.5.0 and later | adobe-asset-link-config |
| AEM 6.4.0 and later | adobe-asset-link-config |

After you download and install the configuration package, open the AEM web console and find the Adobe Granite OAuth IMS Provider configuration. Open it for editing. Set the following configuration properties, and save the changes:

| Property Name | Value |
| --- | --- |
| Group Mappings | Leave empty unless desired. For details, see Group Mapping. |
| Organization | Enter the organization ID you are using in the Adobe Admin Console. For more information about organization IDs, see Create user group. |

Configure AEM manually

If you choose to not use a configuration package, or if your AEM instance is already configured to support user login with Adobe IMS accounts, perform the configuration manually. Perform these steps to manually configure AEM Assets for Adobe Asset Link:

  1. Find the Adobe Granite OAuth IMS Provider configuration and open it for editing.

    Set the following configuration properties as indicated, and click Save.

    | Property Name | Value |
    | --- | --- |
    | Authorization Endpoint | https://ims-na1.adobelogin.com/ims/authorize/v1 |
    | Profile Endpoint | https://ims-na1.adobelogin.com/ims/profile/v1 |
    | Token Endpoint | https://ims-na1.adobelogin.com/ims/token/v1 |
    | Validation URL | https://ims-na1.adobelogin.com/ims/validate_token/v1 |
    | Group Mappings | Leave empty unless you have a special case. For details, see Group Mapping. |
    | Organization | Set to the organization ID in the Adobe Admin Console. |
  2. Edit Adobe Granite Bearer Authentication Handler configuration.

    Set the following configuration properties as indicated. To add the Client IDs listed, click +. Click Save.

    Property Name: Allowed OAuth client ids
    AEM Version: All
    Value:

    • cc-europa-desktop_0_1
    • cc-europa-desktop_1_0
    • cc-europa-desktop_2_0
    • cc-europa-desktop_3_0
    • cc-europa-desktop_4_0
    • cc-europa-desktop_5_0
    • cc-europa-desktop_6_0
    • cc-europa-desktop_7_0
    • cc-europa-desktop_8_0
    • cc-europa-desktop_9_0
    • cc-europa-desktop_10_0
  3. In the Adobe Granite OAuth Application and Provider configuration, inspect any existing Adobe Granite OAuth Authentication Handler instances. If you find an instance with the Config ID value of ims, use it for the instructions in this procedure. Otherwise, click + to create a configuration instance.

    Set the following configuration properties as indicated, and click Save.

    | Property Name | Value |
    | --- | --- |
    | Client ID | Do not change |
    | Client Secret | Do not change |
    | Config ID | ims |
    | Scope | AdobeID, openid, read_organizations (other values may also be in the configuration) |
    | Provider ID | ims |
    | Create users | Checked (true) |
    | User ID Property | email (if this is a newly created configuration, otherwise do not change) |
  4. Find the Apache Jackrabbit Oak Default Sync Handler configuration with the Sync Handler Name ims and open it for editing.

    Set the following configuration properties as indicated, and click Save.

    | Property Name | Value |
    | --- | --- |
    | User Expiration Time | 15 m (For fifteen minutes, or another value as desired. For details, see Group Mapping.) |
    | User auto membership | Do not change |
    | User Membership Expiration | 15 m (For fifteen minutes, or another value as desired. For details, see Group Mapping.) |
    | User Dynamic Membership | Deselected (false) |
  5. Find the Adobe Granite OAuth Authentication Handler configuration and open it for editing. Without making any changes, click Save.

  6. Each request authenticated with a bearer token incurs the overhead of three calls to Adobe IMS, user syncing, and the creation of a login-token in AEM. To overcome this overhead, Adobe Asset Link captures the login-token returned in the response from AEM and sends it with subsequent requests. For this process to work, the relative priority of the bearer authentication handler must be adjusted. Perform these steps:

    1. In a browser, open AEM CRXDE Lite (/crx/de/index.jsp), and sign in as an administrator.

    2. Navigate to /apps/system/config, locate the following file, and open its configuration in the editor window.

      • com.adobe.granite.auth.oauth.impl.BearerAuthenticationHandler.config
    3. At the bottom of the file, add the following line:

      • service.ranking=I"-10"
    4. Click Save All in the upper left corner of the browser window, or press Command-S/Ctrl-S.
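
The I marker in the line added in step 6 matters: OSGi honors service.ranking only when its value is an Integer, so a line written as service.ranking="-10" leaves the handler at the default ranking of 0. The check below is an added example, not Adobe's code; it parses constructed file contents, and the function names and the placeholder property are assumptions.

```python
import re

# One scalar entry of a .config file: key=<type code>"value".
# Codes handled here: I = Integer, L = Long, B = Boolean, T or no code = String.
ENTRY = re.compile(r'^\s*([\w.\-]+)\s*=\s*([A-Za-z]?)"((?:[^"\\]|\\.)*)"\s*$')


def parse_config(text):
    """Return {key: (type_code, raw_value)} for the scalar entries in text."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:  # comments, blank lines and array values are skipped
            key, code, raw = match.groups()
            entries[key] = (code.upper() or "T", raw)
    return entries


def check_ranking(text, expected=-10):
    """Classify the service.ranking entry of a handler .config file."""
    entry = parse_config(text).get("service.ranking")
    if entry is None:
        return "missing"        # handler keeps the default ranking of 0
    code, raw = entry
    if code != "I":
        return "not-integer"    # a ranking that is not an Integer is ignored
    try:
        value = int(raw)
    except ValueError:
        return "malformed"
    return "ok" if value == expected else "unexpected-value"


# Constructed file contents. placeholder.property is not a real key of the
# bearer authentication handler; it only stands in for the existing lines.
GOOD = 'placeholder.property="value"\nservice.ranking=I"-10"\n'
AS_STRING = 'placeholder.property="value"\nservice.ranking="-10"\n'
ABSENT = 'placeholder.property="value"\n'
WRONG_SIGN = 'service.ranking=I"10"\n'

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("as string", AS_STRING),
                       ("absent", ABSENT), ("wrong sign", WRONG_SIGN)]:
        print(f"{name:10} -> {check_ranking(text)}")
```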

Manage user access control

This section describes how to manage users and their access to the AEM repository.

Group Mapping

Group mapping determines how groups in AEM correspond to groups in Adobe IMS. It plays an important role in how Adobe Asset Link users are granted permission to access AEM Assets.

When used with Adobe Asset Link, AEM delegates user management functions to Adobe IMS. AEM automatically creates users and groups that correspond to users and groups in Adobe IMS. In addition, AEM synchronizes users, groups, and group membership in AEM to match those that are found in Adobe IMS.

For example, consider a scenario where Adobe Asset Link users are members of the Adobe IMS group assetlink-users. In this case, a synchronized group named assetlink-users is created in AEM when a user from that Adobe IMS group connects to Adobe Asset Link for the first time. Each new user in the Adobe IMS group is added to that corresponding group in AEM when they connect to AEM through Adobe Asset Link for the first time.

Groups in AEM that correspond to and are synchronized with groups in Adobe IMS can be granted access directly or by making them a member of another group in AEM.

Here is an example of how permissions can be managed.

Group Examples

The following rules apply to group mappings in AEM:

  • The Group Mappings property in the Adobe Granite OAuth IMS Provider configuration should be blank.
  • Adobe Asset Link user group membership is evaluated when the user authenticates and the time period in the Sync Handler User Expiration property has expired. At this time, users may be added to and removed from groups in AEM to synchronize with what is found in Adobe IMS.
  • Avoid group name conflicts. Names used for groups that are created in Adobe IMS to manage users should be distinct from all AEM system group names. For example, they should be distinct from the dam-users group and any groups that are created by the AEM administrator. An Adobe IMS group whose name conflicts with the name of an AEM system group or manually created group may not be used to control user permissions.
  • If an Adobe IMS user connects to an AEM instance on which the user's name conflicts with a previously created AEM user, the Adobe IMS user is given another name with numbers added to make it unique.

Setup for first-time access control

Users who connect through Adobe Asset Link may only view and interact with assets after they are granted the required permission. The Group Mapping section above described how user groups are created in AEM which correspond to and are synchronized with user groups in your organization within Adobe IMS. It is recommended that the AEM administrator use these groups to manage access control for Adobe Asset Link users.

The AEM administrator should perform the following steps for each AEM group that is synchronized with an Adobe IMS group that will be used to manage user access control:

  1. Ensure that the group has a member that can be used for an initial connection from Adobe Asset Link.

  2. Use that user to log in to Adobe Asset Link, and connect to AEM. (This connection is expected to fail.)

  3. In AEM, find the group that corresponds to the group in Adobe IMS, and grant it the desired access control. For example, the new group could be made a member of the dam-users group.

  4. Close Adobe Asset Link, and restart the Creative Cloud application. Then, reopen Adobe Asset Link to verify that the user has the expected access.

Once these steps are performed, other users in the same group will be able to connect to AEM with Adobe Asset Link on their first attempt. They will automatically have the same permissions as the other users in the group.

Other configuration tasks

Adobe Asset Link users are able to connect with AEM when they are signed in to their Creative Cloud app. This authentication uses Adobe IMS technology and will create user information in AEM, if it does not exist. It is common for AEM enterprise customers to manage their users with an external identity provider that is integrated with AEM. Identity providers include Adobe IMS and other products that use the SAML and LDAP protocols. Alternatively, users may be created and managed locally in AEM.

There are a few scenarios where users who connect to AEM with Adobe Asset Link will have no conflict with existing user information stored in AEM from previous direct sign-in:

  • All usernames used for direct sign-in to AEM are distinct from usernames used in Adobe IMS for Creative Cloud sign-in.
  • Adobe IMS is used as the identity provider for direct AEM sign-in.
  • The user connects to AEM with Adobe Asset Link before direct AEM sign-in with the same account.

On the other hand, in the following scenarios, the user information created as a result of direct AEM sign-in must be updated to work with Adobe Asset Link:

  • The same username, such as the user’s email address, is used for both the account in Creative Cloud, which uses Adobe IMS, and the account in an external identity provider other than Adobe IMS.
  • The same username is used for both the account in Creative Cloud and a local AEM account.
  • The Creative Cloud accounts in Adobe IMS are Federated IDs, which are served by the same external identity provider that is integrated with AEM for direct sign-in.

AEM users created through these scenarios do not have a property that is required for users that are synchronized with Adobe IMS. The following steps may be performed as an AEM administrator with AEM CRXDE Lite and the AEM web console to update such users in AEM to work with Adobe Asset Link.

  1. With the AEM web console, locate Apache Jackrabbit Oak External PrincipalConfiguration configuration and open it for editing. Deselect the External Identity Protection check box, and click Save.

  2. To access AEM’s User Management interface, navigate to Tools > Security > Users. Select the user you want to update, and then make a note of the end of your browser’s URL path for that user, starting with /home/users. Alternatively, you can search for the username using AEM CRXDE Lite. The user path looks something like /home/users/x/xTac082TDh-guJzzG7WM.

  3. Use AEM CRXDE Lite to navigate to the user path, select the user node, and view the properties of the node by selecting the Properties tab in the lower-middle area. This node has a jcr:primaryType property value of rep:User.

  4. At the bottom of the Properties tab area enter a Name value of rep:externalId, Type value of String, and a Value value of <rep:authorizableId>;ims, where <rep:authorizableId> is the value of the rep:authorizableId property of the node. (A semicolon is used with no spaces to separate the rep:authorizableId value from ims.)

  5. Click the Add button to the right of your new entry, and then click Save All in the upper left corner of the browser window, or press Command-S/Ctrl-S.

  6. Repeat steps 2 through 5 for any other users you want to upgrade to work with Adobe Asset Link.

  7. With the AEM web console, locate Apache Jackrabbit Oak External PrincipalConfiguration configuration and open it for editing. Deselect the External Identity Protection check box, and click Save.

    Note:

    If the services are not restored in a few minutes, restart AEM to allow successful authentications.

After this change, an updated AEM user will be able to connect with Adobe Asset Link and will continue to be able to use the method of direct sign-in to AEM that was being used before the update. Upon successful authentication with Adobe IMS, the AEM user profile information will be synchronized with the user profile in Adobe IMS.

There is a method by which a bulk migration of multiple AEM users may be performed to enable them to work with Adobe Asset Link. Contact Adobe Care for more information and assistance with enabling this option.

As an alternative to the preceding steps, in certain circumstances an Adobe Asset Link user may be provided quick access to AEM. These are cases where the user's pre-existing user information is found and deleted with AEM User Management or AEM CRXDE Lite before the user connects with Adobe Asset Link. New user information is created in AEM following the connection. Use this approach only if you are certain that no important data has been added as a child of the user node. Such extra data would be any node that is a child of the user node other than the tokens, preferences, profile, profiles, profiles/public, and rep:policy/* nodes.
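
The rep:externalId rule from step 4 and the child-node condition for the delete-and-recreate alternative can both be checked before the repository is changed. The following is an added example, not Adobe's code: it audits user nodes given as nested JSON objects, with a constructed sample standing in for a repository export. The function names and sample users are assumptions, and the child-node list is read as direct children of the user node plus profiles/public.

```python
# Child nodes the page lists as expected under a user node. This example reads
# the list as: these direct children, "public" under profiles, and anything
# under rep:policy. That reading is an assumption.
EXPECTED_CHILDREN = {"tokens", "preferences", "profile", "profiles", "rep:policy"}
EXPECTED_UNDER_PROFILES = {"public"}


def child_nodes(node):
    """In a nested JSON export, child nodes are objects; properties are not."""
    return {name: value for name, value in node.items() if isinstance(value, dict)}


def audit_user(path, node):
    """Report the rep:externalId state and any unexpected child nodes."""
    if node.get("jcr:primaryType") != "rep:User":
        raise ValueError(f"{path}: not a rep:User node")
    expected = f'{node["rep:authorizableId"]};ims'  # semicolon, no spaces
    actual = node.get("rep:externalId")
    if actual is None:
        state = "missing"
    elif actual == expected:
        state = "ok"
    else:
        state = "mismatch"
    children = child_nodes(node)
    extra = sorted(name for name in children if name not in EXPECTED_CHILDREN)
    extra += sorted(f"profiles/{name}"
                    for name in child_nodes(children.get("profiles", {}))
                    if name not in EXPECTED_UNDER_PROFILES)
    return {"path": path, "expected_external_id": expected,
            "external_id": state, "extra_children": extra}


def audit_all(users):
    return [audit_user(path, node) for path, node in sorted(users.items())]


# Constructed sample export: the paths, user IDs and the "notes" and "private"
# nodes are invented for this example.
SAMPLE_USERS = {
    "/home/users/a/sample-user-1": {
        "jcr:primaryType": "rep:User",
        "rep:authorizableId": "pat@example.com",
        "profile": {"jcr:primaryType": "nt:unstructured"},
        "notes": {"jcr:primaryType": "nt:unstructured"},
    },
    "/home/users/b/sample-user-2": {
        "jcr:primaryType": "rep:User",
        "rep:authorizableId": "lee@example.com",
        "rep:externalId": "lee@example.com; ims",  # stray space after ";"
        "profiles": {"public": {"jcr:primaryType": "nt:unstructured"},
                     "private": {"jcr:primaryType": "nt:unstructured"}},
    },
    "/home/users/c/sample-user-3": {
        "jcr:primaryType": "rep:User",
        "rep:authorizableId": "kim@example.com",
        "rep:externalId": "kim@example.com;ims",
        "rep:policy": {"allow": {"jcr:primaryType": "rep:GrantACE"}},
    },
}

if __name__ == "__main__":
    for report in audit_all(SAMPLE_USERS):
        print(report)
```

A user reported with extra_children is one whose node should be reviewed before the delete-and-recreate approach is considered.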

Create query indexes

AEM contains indexes that are used for efficient queries. Many of these indexes are provided in the base product. However, there are situations when a project-specific query needs a custom index. Adobe Asset Link requires an index for efficient operation of the query that determines which assets the user has checked out. This index is already included with AEM 6.5.0 and later. The following instructions describe how to create this index in AEM 6.4.4 or later.

  1. In a browser, open AEM CRXDE Lite by going to /crx/de/index.jsp and sign in as admin.

  2. Locate the node at /oak:index, right-click on it and select Create > Create Node.

  3. Specify cqDrivelock as the name of the node, and set the Type to oak:QueryIndexDefinition.

  4. Add the following properties to the new node:

    1. Name: type; Type: string; Value: property
    2. Name: propertyNames; Type: Name[] (click the "Multi" button); Value: cq:drivelock
  5. Click Save All.

Configure special AEM Assets capabilities

Adobe Asset Link can interact with some capabilities that recently became available in AEM 6.4.4 or later versions.

Integrate with Adobe Stock

For configuration information around the Adobe Stock Integration, see Use Adobe Stock assets in AEM Assets.

Note:

AEM 6.4.4 or later is required for integration with Adobe Stock.

Visual search

This capability lets you search for visually similar assets directly in Adobe Asset Link when configured on AEM 6.5.0 or later. Only indexed assets are considered for this feature-based search.

Visual Search requires the same configuration steps as Enhanced Smart Tags. In addition, it requires the creation of a Lucene index and some other changes as described in the following steps.

  • Implement a workaround that makes Lucene queries a higher relative cost than the similarity search.
    • Use AEM CRXDE Lite to navigate to the /oak:index/lucene node.
    • Add the costPerEntry property of type Double with the value 10.
    • Add the costPerExecution property of type Double with the value 2.
    • Add the refresh property of type Boolean with the value true.
    • Click Save All in the upper left corner of the browser window or press Command/Ctrl-S.
  • Create a Lucene index for image features and update the predictedTags index.
    • Use AEM CRXDE Lite to navigate to /oak:index/damAssetLucene/indexRules/dam:Asset/properties.
    • Right-click the node to create a node imageFeatures of type nt:unstructured.
    • Add the name property of type String with the value jcr:content/metadata/imageFeatures/haystack0.
    • Add the nodeScopeIndex property of type Boolean with the value of true.
    • Add the propertyIndex property of type Boolean with the value of true.
    • Add the useInSimilarity property of type Boolean with the value of true.
    • Click Save All in the upper left corner of the browser window or press Command/Ctrl-S.
    • Navigate to /oak:index/damAssetLucene/indexRules/dam:Asset/properties/predictedTags.
    • Add the similarityTags property of type Boolean with the value of true.
    • Click Save All in the upper left corner of the browser window or press Command/Ctrl-S.
    • Navigate to /oak:index/damAssetLucene.
    • Change the value of the reindex property to true.
    • Click Save All in the upper left corner of the browser window or press Command/Ctrl-S. A reindexing action is initiated. Depending on the number of assets in the repository, the action can take some time to complete.

For more information, see Enhanced Smart Tags.

Because the Visual Search capability uses a service account registered with adobe.io, the configuration requires certain permissions.
