The Adobe Admin Console offers a method for enterprise users to authenticate with Adobe enterprise offerings using their existing identity management systems via integration with Single Sign-On (SSO) enabled identity management systems. Single Sign-On is enabled using SAML, an industry-standard protocol which connects enterprise identity management systems to cloud service providers like Adobe. SSO can securely exchange authentication information between two parties: the service provider (Adobe) and your Identity Provider (IdP). The service provider sends a request to your IdP, which attempts to authenticate the user. After authentication, the IdP sends a response message to sign the user in. For detailed instructions, see Configure Single Sign-On.


When deploying named user licenses, what are my options for identity types?

Adobe offers three different identity types:

  • Enterprise ID: Organization creates and owns account. Adobe manages credentials and processes sign-in.
  • Federated ID: Organization creates and owns account, links with enterprise directory via federation, enterprise company, or school manages credentials and processes sign-in via Single Sign-On.
  • Adobe ID: User creates and owns account. Adobe manages credentials and processes sign-in.

Adobe recommends organizations to choose Enterprise ID or Federated ID to control account and data ownership. For more information, go here.

Is it possible to have a mix of identity types in my deployment?

Yes, you can have a mix of Enterprise IDs, Federated IDs, and Adobe IDs, but not within the same claimed domain.

Enterprise ID and Federated ID are exclusive at the domain level. Therefore, you can choose only one of them. You can use Adobe ID in conjunction with either Federated ID or Enterprise ID.

For example, if an Enterprise claims only one domain, the IT Administrator can choose either Enterprise ID or Federated ID. If an organization claims multiple domains within an Enterprise, the IT Administrator can use one domain with Adobe IDs and Enterprise IDs, and another domain with Adobe IDs and Federated IDs, and so on. That means, for each domain, you can either have Enterprise ID or Federated ID along with Adobe ID.

What are the benefits of Federated IDs?

Management of Adobe licenses under Federated ID is faster, easier, and more secure.

  • IT administrators control authentication and the user lifecycle.
  • When you remove a user from the enterprise directory, the user no longer has privileges to access the desktop apps, services, or mobile apps.
  • Federated IDs allow organizations to leverage user identity management systems already in place.
  • Because your end-users use your organization's standard identity system, IT doesn't have to manage a separate password management process.

When signing in, your end users are redirected to your organization's standard – and familiar – Single Sign-On experience.

If I have already claimed a domain for use with Enterprise IDs, can I switch over to Federated IDs using the same domain?

The ability to switch identity types on an already claimed domain is not available yet. If you’ve claimed one or more domains to be configured as Enterprise IDs and are interested in having the same domain(s) be reconfigured as Federated IDs, submit an online support case from within the Adobe Admin Console and we will notify you when the functionality becomes available.

Can I federate my enterprise directory with Adobe using my SAML 2.0 compliant identity provider?

Yes, you can federate your enterprise directory and its login and authentication infrastructure with Adobe using your SAML 2.0 compliant identity provider.

Adobe is involved in the link between your company's identity provider and what we refer to as the Okta tenant. Adobe does not interface directly to enterprise directories; rather, identity providers.

If I claim a domain, do all Adobe IDs in that domain get migrated to Federated IDs?

No. When a domain is claimed for Federated IDs, nothing changes to existing Adobe IDs with email addresses in that domain. Existing Adobe IDs in the Admin Console are preserved.

How do I migrate content from an old Adobe ID account to a new Enterprise or Federated ID account?

Asset Migration is an automated process. When you initiate this process, all the supported content that is currently stored in your Adobe ID account is migrated to your Enterprise/Federated ID account. To learn more, see Automated Asset Migration.

Is Adobe going to support authentication, authorization or both?

Adobe’s Federated ID implementation supports authorization; authentication is handled by your Identity Provider (IdP).

As an enterprise organization, you can create a link between your authentication services (utilizing a corporate ID structure such as Active Directory) and Adobe's. This allows the enterprise organization to host the authentication. Adobe never stores passwords and IT administrators cannot reset passwords or edit user names for Federated IDs via the Adobe Admin Console.

Do I have the ability to bulk add users into the Adobe Admin Console?

Yes, via the Import Users functionality available from within the Adobe Admin Console. For more information, see Adding multiple users.

Am I able to perform a user/group association enterprise directory sync directly within the Admin Console?

No. Adobe interfaces with your identity provider and not directly to your enterprise directory. However, we support importing user and group information from your enterprise directory into the Adobe Admin Console. For more information, see Adding multiple users.

How do I migrate from Adobe IDs to Federated IDs?

Adobe recommends that all enterprise admins switch their Adobe ID users to Federated IDs. You can migrate from Adobe IDs to Federated IDs using these steps.

What identity providers does Adobe support?

Adobe uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML), which means the implementation of SSO integrates easily with any identity provider that supports SAML 2.0.

Following is a list of some IdPs that are SAML 2.0 compliant:

  • Okta
  • Oracle Identity Federation
  • Microsoft ADFS
  • Microsoft Azure AD#
  • Google Federation# 
  • Ping Federate
  • Salesforce IdP with externally signed certificate
  • CA Federation
  • ForgeRock OpenAM
  • Shibboleth
  • NetIQ Access Manager
  • OneLogin
  • Novell Access Manager


#If your identity provider is Microsft Azure AD or Google, you can skip the SAML-based method and use the Azure AD Connector or the Google Federation SSO to set up SSO with the Adobe Admin Console respectively. These setups are established and managed using the Adobe Admin Console and use a sync mechanism to manage user identities and entitlements.

If I have built my own SAML-based federated authentication process, will the integration work with it?

Yes, as long as it follows the SAML 2.0 protocol.

Is it necessary to have an SAML 2.0 identity provider in place before setting up federated identity with Single Sign-On?

Yes and the identity provider must be SAML 2.0 compatible.

At a minimum, your SAML identity provider must have:

  1. IDP Certificate
  2. IDP Login URL
  3. IDP Binding: HTTP-POST or HTTP-Redirect
  4. The Assertion Consumer Service URL of the IDP and it must be able to accept SAML requests and RelayState.

Check with your identity provider if you have further questions.

Does a longer lifetime make the certificate more vulnerable?

No, breaking a 2048-bit certificate has never been done. And, the only people to have ever successfully cracked even a 768-bit certificate (the Lenstra group), estimated it would have taken them over 1000 years with the same hardware to crack even a 1024-bitcertificate (a feat roughly 32,000,000 times easier than cracking a 2048-bit certificate).

If you want to get the latest geeky data about estimates for cracking certificates of various lengths, go to this website. For a fun (accurate but marketing-oriented) picture of how secure these certificates are, go to this website (or its backing math website).

Is a longer certificate accepted by browsers, as many browsers reject server certificates with lifetimes more than three years?

No, that limit is on the certificates used to encode the communication pipe between the browser and the server. Whereas, these IdP/Okta certificates are used to sign (not encode) the data being passed through that encoded pipe. The browser never sees these certificates: they are only used between Adobe/Okta and the customer’s IdP.

Is a strong, long-term certificate expensive to get?

You can get good, commercial-grade 2048-bit certificates for about $10/year of life. And, the certificates used by IdPs can be self-signed, which means they can be generated with open-source software for free.

Can someone impersonate me if they are able to crack my IdP’s certificate?

No, because there are two other layers of strong encryption which check the IdP’s identity, that you'd have to crack before you could pose as the IdP. And, both of these other layers are not self-signed. Meaning, that you would have to crack not only the certificate that enforces the encryption but the certificate of the signer that generated that certificate.

Who do I contact for troubleshooting SSO issues?

For your premium support phone number and email address, see the Welcome email and PDF attachment that was sent to your account administrator.

Does each directory on the Admin Console require a separate endpoint for its SAML authentication requests, where endpoint is the full URL the request is redirected to? Or is it possible for an IdP to offer a single endpoint accessed by multiple directories and use the content of the received request to distinguish which directory (or domain in that directory) the request is from?

The same URL endpoint may be used for multiple directories. However, the federation metadata will be managed separately for each IdP. So, the common IdP endpoint will need to handle requests whose content is different.

Does Adobe support persistent format for the NameID element in the SAML authentication response?

Yes, if the SAML integration of the directory uses username format and the user names on the Admin Console are identical to the persistent IDs provided. However, this would require that the persistent IDs must be available at the time users are sync’d into the Admin Console. This is not a common scenario and hence, in practice, persistent format for the NameID element would not be supported.

Does Adobe support the use of the NameQualifier attribute in the NameID element? The value of the NameQualifier attribute be combined together with the value of the NameID element to produce the unique user name on the Admin Console, rather than requiring the NameID itself to be unique?

No. The NameID element value is used as the username on the Admin Console; the NameQualifier is ignored.

Adobe documentation states that SAML IdP responses must contain a first name, last name, and email assertion for each user. Are these mandatory, and do they have to match the data that is in the directory on the Admin Console?

The first name, last name, and email assertion for each user are mandatory. However, they do not have to match the data in the directory, but the email must be unique for each user.

Does Adobe support SHA256 certificates for the IdP and the service provider?

By exception only. However, this is not recommended as it leads to a lot of administrative overhead updating any part of the configuration.

Can an IT Admin provide the signing certificate that is to be used by the service provider on a per-directory basis (for signing requests and metadata)?

No. This is currently not supported.

Can Adobe provide the details of the Certificate Authority that will be used to issue the service provider certificate?

By default, Okta certificates are self-signed. By exception (and possibly for a fee) they can have the certificate signed by a public CA instead.

How to

How do I set up Single Sign-On (SSO) with Adobe software?

For detailed instructions, see Configure single sign-on to set up SSO with Adobe desktop apps, services, and mobile apps.

Is it possible to send announcements to users via the Admin Console?

No. Sending notifications to end users via the Admin Console is not supported. As an enterprise customer, you need to distribute your own announcements after users are ready to begin with SSO with Adobe software and services.

If I disable a user/ID from my enterprise directory, is it automatically disabled from Admin Console?

No, If you remove or disable a user/ID from your enterprise directory, the user/ID is not removed or disabled from the Adobe Admin Console automatically. However, the user is no longer entitled and cannot sign in to the Adobe Creative Cloud desktop apps, services, mobile apps, or Acrobat DC apps. You need to manually remove the user/ID from the Admin Console.

Do I need to manage entitlements and groups as well as assign Federated ID users to groups?

Yes, you need to use the Adobe Admin Console to manage users, groups, and entitlements. Note, however, that once you create groups in the Admin Console, you can upload a CSV file including both user and group information. This creates the user account and places them in the designated group.

Can IT administrators or end-users reset passwords for Federated IDs?

No, you cannot reset passwords for Federated IDs using the Adobe Admin Console. Adobe does not store user credentials. Use your Identity Provider for user management.

עבודה זו בוצעה ברישיון של Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  הודעות המתפרסמות ב- Twitter™‎ ו- Facebook אינן מכוסות בתנאי Creative Commons.

הצהרות משפטיות   |   מדיניות פרטיות מקוונת