Set up identity

Warning:

As of October 31, 2020, Adobe will discontinue support of deprecated SHA-1 and SHA-256 Pilot certificates for federated directories within Adobe Admin Console. Any directory with a warning icon requires migration. Simply select the directory, click Edit, and follow the migration procedure to migrate.

Note that all newly created directories have SHA-2 authentication enabled by default.

  • Set up directories: To use Enterprise IDs or Federated IDs, start by setting up a directory to which you can link one or more domains.
  • Set up domains: Your end users are authenticated against domains that you need to set up in the Admin Console.
  • Link domains to directories: After you have set up your directories and domains, group the domains by linking them to directories.
  • Directory trusting: Use directory trusting to trust system admins of other organizations.
  • Migrate SHA-1 directories to SHA-2: Update old SHA-1 authenticated directories to the SHA-2 profile.
  • Move domains across directories: Structure directories by moving domains across directories within the Admin Console.

As a system admin on the Admin Console, one of your first tasks is to define and set up an identity system against which your end users will be authenticated. As your organization purchases licenses for Adobe products and services, you will need to provision those licenses to your end users. And for this, you will need a way to authenticate these users.

Adobe provides you with the following identity types that you can use to authenticate your end users:

  • Business ID
  • Enterprise ID
  • Federated ID
  • Adobe ID

If you want separate accounts owned and controlled by your organization for users in your domain, you must use either the Enterprise ID or the Federated ID (Single Sign-On) identity type.

This article provides the details required to set up the identity system that you will need if you plan to use Enterprise ID or Federated ID to authenticate your end users.

Note:

The set up directory and set up domain procedures described in this document are completely decoupled, so you can perform them in any order or in parallel. However, linking email domains to directories can be done only after you have completed both procedures.

Key terms and concepts

Before we get into the procedures, these are some concepts and terms that you need to be aware of:

Directory

A directory in the Admin Console is an entity that holds resources such as users and policies like authentication. These directories are similar to LDAP or Active Directory directories.

Identity Provider (IdP)

Your organization's identity provider, such as Active Directory, Microsoft Azure, Ping, Okta, InCommon, or Shibboleth.

To know more about setting up SSO for Creative Cloud with some of the commonly used IdPs, see More like this at the end of the article.

Business ID

Created and owned by a business. Managed by the end user. A Business ID (and all assets associated with this ID) is owned by the business. End users cannot sign up and create a personal Business ID, nor can they sign up for additional products and services from Adobe using a Business ID.

No setup is necessary before you can start using Business IDs. Admins invite users to join the organization, and can remove them. Admins can delete or take over the accounts. Admins create a Business ID and issue it to a user. Admins can revoke access to products and services by taking over the account, or deleting the Business ID to permanently block access to associated data. 

The following are a few requirements and scenarios where Business IDs are recommended:

Enterprise ID

Created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID. End users cannot sign up and create an Enterprise ID, nor can they sign up for additional products and services from Adobe using an Enterprise ID.

Admins create an Enterprise ID and issue it to a user. Admins can revoke access to products and services by taking over the account, or deleting the Enterprise ID to permanently block access to associated data.

The following are a few requirements and scenarios where Enterprise IDs are recommended:

  • If you need to maintain strict control over apps and services available to a user.
  • If you need emergency access to files and data associated with an ID.
  • If you need the ability to completely block or delete a user account.

Federated ID

Created and owned by an organization, and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 Identity Provider (IdP).

The following are a few requirements and scenarios where Federated IDs are recommended:

  • If you want to provision users based on your organization's enterprise directory.
  • If you want to manage authentication of users.
  • If you need to maintain strict control over apps and services available to a user.
Note:

The Identity Provider must be TLS 1.2 compliant.

Adobe ID

Created, owned, and managed by the end user. Adobe performs the authentication and the end user manages the identity. Users retain complete control over files and data associated with their ID. Users can purchase additional products and services from Adobe. Admins invite users to join the organization, and can remove them. However, users cannot be locked out from their Adobe ID accounts. The admin can't delete or take over the accounts. No setup is necessary before you can start using Adobe IDs.

The following are a few requirements and scenarios, where Adobe IDs are recommended:

  • If you want to enable users to create, own, and manage their identities.
  • If you want to allow users to purchase or sign up for other Adobe products and services.
  • If users are expected to use other Adobe services, which do not currently support Enterprise or Federated IDs.
  • If users already have Adobe IDs, and associated data such as files, fonts, or settings. 
  • In educational setups, where students can retain their Adobe ID after they graduate.
  • If you have contractors and freelancers who do not use email addresses on domains you control.
  • If you have an Adobe teams contract, you will need to use this identity type.

Domain

The portion of an email address after the @ symbol. To use a domain with Enterprise or Federated ID, you must first validate your ownership of that domain.

For example, an organization may own multiple domains (geometrixx.com, support.geometrixx.com, contact.geometrixx.com) while its employees are authenticated against geometrixx.com. In this case, the organization uses the geometrixx.com domain to set up its identity on the Admin Console.

System admin

  • Works with IdP directory managers and DNS managers to set up identity in the Admin Console. This document is targeted at System admins who will have access to the Admin Console. The persona is expected to work with the other personas who (usually) will not have access to the Admin Console.

DNS manager

  • Updates DNS tokens to validate domain ownership

Identity Provider (IdP) directory manager

  • Creates connectors in the IdP

User identities are verified against an authentication source. To use Enterprise ID or Federated ID, set up your own authentication source by adding a domain. For example, if your email address is john@example.com, example.com is your domain. Adding a domain permits the creation of Enterprise IDs or Federated IDs with email addresses on the domain. A domain can be used either with Enterprise IDs or with Federated IDs, but not both. You can, however, add multiple domains.

An organization must validate their control over a domain. An organization can also add multiple domains. However, a domain can be added only once. Known public and generic domains, such as gmail.com or yahoo.com cannot be added at all.

To know more about the Identity types, see Manage identity types.

SHA-1 and SHA-2 are the hash algorithms used by the certificates that secure your directory's authentication profiles. Because SHA-2 offers better security than the older SHA-1, all new and migrated authentication profiles use SHA-2 certificates.

Create directories

To use Enterprise IDs or Federated IDs, start by creating a directory to which you can link one or more domains. By default, your organization has a Business ID directory that does not require any set up. 

Note:

Adobe currently does not support IdP-initiated workflows.

If your organization has set up (or plans to set up) Microsoft Azure as your SSO provider, we recommend that you use our Azure connector and follow the steps in the Set up Azure Connector: Create a directory section.

If your organization has set up (or plans to set up) Google federation as your SSO provider, we recommend that you use our Google connector and follow the steps in the Set up Google Federation: Create a directory in the Adobe Admin Console section.

Use the following procedure if your organization is using one or more of the following:

  • Enterprise IDs
  • A SAML provider other than Azure or Google
  • Microsoft Azure or Google federation without the Adobe connectors

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. In the Directories tab, click Create Directory.

  3. In the Create a Directory screen, enter a name for the directory.

  4. Do one of the following:

    Choose Federated ID, click Next, and proceed to step 5.

    Choose Enterprise ID and click Create Directory. If you create an Enterprise ID directory, you're done with this directory procedure. Go ahead and set up your domains.

  5. (Federated ID only) Choose Other SAML Providers and click Next.

  6. Use the Add SAML profile screen to get the setup information for your identity provider.

    Some Identity Providers (IdP) accept a metadata file that you can upload, while others may require the ACS URL and the Entity ID. For example:

    • For Azure Active Directory: Upload the metadata file.
    • For Google: Copy the ACS URL and Entity ID and use these in the Google IdP software.
    • For SalesForce: Download the metadata file, extract the certificate information from the file and use that certificate information in SalesForce IdP software.
    Note:

    The Azure and Google options above are required if you've chosen not to use our Azure and Google connectors, respectively.

    Choose one of the following methods:

    Method 1:

    Click Download Adobe Metadata file.

    The metadata file is downloaded to your local disk. Use this file to configure your SAML integration with the Identity Provider.

    Method 2:

    Copy the ACS URL and the Entity ID.

    Add SAML profile

  7. Switch to your IdP application window and either upload the metadata file or specify the ACS URL and Entity ID. Once done, download the IdP metadata file.

  8. Return to the Adobe Admin Console and upload the IdP metadata file in the Add SAML Profile window and click Done.

Your directory is created.

  • If you have chosen to create an Enterprise ID identity type directory, the setup is complete.
  • If you have chosen to create a directory using the Other SAML Providers option, this directory automatically uses SHA-2 authentication. Previously created directories using SHA-1 authentication can now be updated to SHA-2, and migrated to another identity provider. For details, see Migrate to new authentication provider.

Then, you can set up domains in the Admin Console.

After you receive the email from Adobe confirming that your directory is provisioned, configure the SAML settings for the directory.

When organizations configure and enable Single Sign-On (SSO), users in that organization are able to use their corporate credentials to access Adobe software. This enables users to use a single credential to access Adobe desktop apps, services, and mobile apps.

The Adobe Admin Console offers a method for enterprise users to authenticate using their existing corporate identity. Adobe Federated IDs enable integration with a Single Sign-On (SSO) identity management system. Single Sign-On is enabled using SAML, an industry-standard protocol that connects enterprise identity management systems to cloud service providers like Adobe.

SSO can securely exchange authentication information between two parties: the service provider (Adobe) and your Identity Provider (IdP). The service provider sends a request to your IdP, which attempts to authenticate the user. If authentication is successful, the IdP sends a response message to sign in the user.

SSO requirements

To successfully set up SSO for Adobe software, IT Admins need the following:

  • An understanding of SAML 2.0
  • An Identity Provider (IdP) that supports SAML 2.0, and at a minimum must have:
    • IDP Certificate
    • IDP Login URL
    • IDP Binding: HTTP-POST or HTTP-Redirect
    • Assertion consumer service URL
    • TLS 1.2 enabled
  • Access to your DNS configuration for the domain claim process

The login URL of the IdP does not need to be externally accessible for users to be able to log in. However, if it is reachable only within the organization's internal network, users can log in to Adobe products only when they are connected to that network, whether directly, over Wi-Fi, or through a VPN. It is not necessary for the login page to be accessible only via HTTPS, but it is recommended for security reasons.

Note:

Currently, Adobe does not support IdP-initiated SSO.


Adobe’s cloud services offer SSO using a SaaS SAML 2.0 connector provided by Okta. The connector is used to communicate with your identity provider to provide authentication services. You are not required to use Okta as your identity provider service since Okta connects to many SAML 2.0 identity service providers. For more information, see SSO / Common questions.

If your organization wants to test SSO integration, it is recommended that you claim a test domain that you own, as long as your organization has an Identity Provider with identities set up in that test domain. This allows you to test the integration before you claim the main domains, until you feel comfortable with the domain claim and configuration process.

Configure SAML settings

If you already have an Identity Provider (IdP), you can easily set up your SSO configuration using the SaaS SAML 2.0 connector provided by Okta.

Note:

Okta is one of the many vendors you can choose to use as an Identity Provider.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Directories tab.

  3. Click Configure for the directory that you want to configure.

  4. In the Configure Directory screen that displays:

    IDP Certificate: To upload the certificate (.cer) that your IdP uses to sign the SAML response or assertion, click Upload.

    If you don't have the certificate, contact your Identity Provider for instructions to download the certificate file.

    Certificate tips:

    • PEM (base-64 encoded X.509) format
    • Named with a .cer filename extension (not .pem or .cert)
    • Unencrypted
    • SHA-1
    • Multi-line format (single line fails)
    • Must last a minimum of three years (it saves the maintenance over that lifespan, and does not compromise security)
    Note:

    The Okta certificates used at Adobe's side of the Federated ID handshake are 20-year certificates. This is so that you can do certificate rotation on a schedule of your own choice, rather than being forced to do it by Adobe/Okta.   

    IDP Binding: Choose the method to transmit SAML protocol messages.

    • Use HTTP-Post to transmit the authorization request via the browser using an XHTML form. The IdP also responds with a document containing an XHTML form.
    • Use HTTP-Redirect to transmit the authorization request via the SAMLRequest string parameter in the URL query string of an HTTP GET request. The IdP responds with a SAMLResponse string parameter in the URL.

    User Login Setting: Choose Email Address or Username to specify how users of this domain will identify themselves.

    IDP Issuer: Enter the entity ID of the identity provider that issues the SAML request.

    Your SAML assertion must reference this string exactly. Any difference in spelling, characters, or formatting results in an error.

    IDP Login URL: Enter the IDP login URL / SSO address. This URL is where users are redirected for authentication.

  5. Click Save.

  6. Click Download Metadata.

    The metadata file is downloaded to your local disk. Use this file to configure your SAML integration with the Identity Provider.

    Your Identity Provider requires this file to enable Single Sign-On.

    Warning:

    For generic SAML identity providers such as OpenAthens or Shibboleth, send the username (usually email address) as the NameID in format 'unspecified'. Also, send the following attributes (case-sensitive): FirstName, LastName, Email.

    These attributes must match the entries set up via the Admin Console. If these attributes are not configured in the IDP to be sent over as part of the SAML 2.0 Connector configuration, the authentication will not work.

  7. Work with your Identity Provider (IdP) directory manager to complete the SSO configuration with your Identity Provider.

    Warning:

    If Federated ID is active, any changes to the configuration may cause the SSO logins to fail for end users. A changed configuration generates a new metadata file that needs to be reconfigured in the IdP.

  8. After the SSO configuration with your Identity Provider is complete, sign in to the Admin Console and navigate to Settings > Identity.

  9. Click Configure for the relevant directory.

  10. In the Configure Directory screen, check I have completed the configuration with Identity Provider and click Complete.

Your directory is now configured for Single Sign-On.
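The procedure above depends on three things lining up exactly: the IDP Issuer entered in step 4 must match the assertion's Issuer character for character, and (per the warning in step 6) the IdP must send the email or username as a NameID in format 'unspecified' plus the case-sensitive FirstName, LastName and Email attributes. The following pre-flight check is an added example, not Adobe's or Okta's code; it parses a sample assertion (constructed here, with a hypothetical IdP at idp.example.com) and reports each mismatch the way you would want to see it before end users hit a failed login. Signature validation is deliberately left to the SAML connector on Adobe's side.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTRIBUTES = ("FirstName", "LastName", "Email")

# Constructed sample assertion (hypothetical IdP and user), not captured from a
# real exchange. It deliberately sends "email" instead of "Email" and an Issuer
# with a trailing slash, two mistakes that break logins in practice.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_abc123" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{NAMEID_UNSPECIFIED}">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, configured_issuer):
    """Return a list of problems; an empty list means the assertion matches the
    Admin Console settings. Accepts a bare Assertion or a Response wrapping one."""
    root = ET.fromstring(xml_text)
    assertion_tag = f"{{{SAML_NS}}}Assertion"
    assertion = root if root.tag == assertion_tag else root.find(f".//{assertion_tag}")
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []

    # IDP Issuer: exact string comparison, as the page requires. No strip(),
    # no case folding, so a trailing slash or different case is reported.
    issuer = assertion.findtext(f"{{{SAML_NS}}}Issuer", default="")
    if issuer != configured_issuer:
        problems.append(
            f"Issuer {issuer!r} does not exactly match configured IDP Issuer {configured_issuer!r}")

    # NameID: must be present, non-empty, and in format 'unspecified'.
    name_id = assertion.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format") != NAMEID_UNSPECIFIED:
        problems.append(
            f"NameID Format is {name_id.get('Format')!r}, expected {NAMEID_UNSPECIFIED!r}")

    # Attributes: FirstName, LastName, Email with exactly that spelling. When a
    # differently cased variant is present, say so, since that is the usual cause.
    present = {}
    for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        present[attr.get("Name")] = values
    for name in REQUIRED_ATTRIBUTES:
        if name not in present:
            near = [n for n in present if n and n.lower() == name.lower()]
            hint = f" (found {near[0]!r}; attribute names are case-sensitive)" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
        elif not any(v.strip() for v in present[name]):
            problems.append(f"attribute {name!r} has no value")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION, "https://idp.example.com/saml"):
        print("FAIL:", problem)
```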

If you have not already done so, you can add domains to the Admin Console. If you have already added domains to the Admin Console, you can link the required domains to this directory.

Set up domains

Note:

You do not need to manually add domains if your organization's directory is set up via Microsoft Azure AD Connector or Google Federation sync. Selected domains validated within your identity provider's setup are automatically synced to the Adobe Admin Console.

Your end users are authenticated against domains that you need to set up in the Admin Console.

To set up domains:

  1. Add domains to the Admin Console
  2. Prepare to validate domain ownership by adding a special DNS record
  3. Validate the domains

The domains that you add to the Admin Console do not need to be registered with the same IdP. However, when you link these domains to a directory, you need to link domains from different IdPs to different directories.

You cannot add a domain to the Admin Console if it has already been added to another organization's Admin Console. You can, however, request access to that domain.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. In the Domains tab, click Add Domains.

  3. On the Add Domains screen, enter one or more domains, and click Add Domains. You can only claim and validate 15 domains at a time and add remaining domains subsequently.

  4. In the Add Domains screen, verify the list of domains and click Add Domains.

Your domains are now added to the Admin Console. Now, demonstrate ownership of these domains.

An organization must demonstrate their ownership of a domain. An organization can add as many domains to the Admin Console as required.

The Admin Console allows one organization to use a single DNS token to demonstrate ownership of all its domains. Also, the Admin Console does not require DNS validation for subdomains. This means that when you use the DNS token and demonstrate ownership of a domain, all subdomains of that domain are validated instantly as they are added to the Admin Console.

  1. Sign in to the Admin Console, navigate to Settings > Identity, and go to the Domains tab.

  2. Click  and choose Access DNS Token from the drop-down list.

  3. Work with your DNS manager to add a special DNS record for the domains that you have added.

  4. To verify that you own the domain, you must add a TXT record with the generated DNS token. The exact instructions depend on your domain host. For generic guidelines, see verify ownership of a domain.

  5. Add information to your DNS servers to complete this step. Let your DNS manager know in advance so that this step can be completed in a timely manner.

    Adobe periodically checks the DNS records for your domain. If the DNS records are correct, the domain is validated automatically. If you want to validate the domain immediately, you can sign into the Admin Console and validate it manually. Next, you need to validate domains.

The Admin Console attempts to validate domains you have added several times a day, so you need not take any action to validate a domain once the DNS records are properly configured.
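The rules in this section (one DNS token for the whole organization, proof by a TXT record on the domain, subdomains of a validated domain accepted automatically, public domains such as gmail.com refused) are easy to get wrong when a DNS manager hands back a batch of changes. The check below is an added example, not Adobe's code: it takes a constructed snapshot of TXT records (as pasted from a zone file or a resolver) and reports which added domains the console should accept and which are still waiting on DNS. The token value and format are placeholders; the real token comes from Access DNS Token in the console and the authoritative check is Adobe's, against live DNS.

```python
# Placeholder only: the page does not show the token's format.
DNS_TOKEN = "EXAMPLE-DNS-TOKEN-PLACEHOLDER"

# Public or generic domains named on the page as not addable; Adobe's real
# list is not published here, so this is an assumption used for the demo.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com"}

# Constructed TXT snapshot: domain -> TXT strings currently published.
# geometrixx.com carries the token (quoted, as zone files often show it),
# geometrixx.org still carries an old value, so it must stay pending.
TXT_SNAPSHOT = {
    "geometrixx.com": ["v=spf1 -all", '"EXAMPLE-DNS-TOKEN-PLACEHOLDER"'],
    "geometrixx.org": ["OLD-TOKEN-PLACEHOLDER"],
}


def normalize(domain):
    """Lower-case and drop a trailing dot, so Contact.Geometrixx.com. == contact.geometrixx.com."""
    return domain.strip().lower().rstrip(".")


def parent_domains(domain):
    """Yield the proper parents: support.geometrixx.com -> geometrixx.com, com."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def txt_has_token(records, token):
    """True if one TXT string equals the token after removing quotes and padding."""
    return any(r.strip().strip('"') == token for r in records)


def classify_domains(added, txt_snapshot, token):
    """Map each added domain to: 'validated', 'validated via <parent>',
    'pending' or 'rejected: public or generic domain'."""
    names = [normalize(d) for d in added]
    directly = {d for d in names if txt_has_token(txt_snapshot.get(d, []), token)}
    status = {}
    for d in names:
        if d in PUBLIC_DOMAINS:
            status[d] = "rejected: public or generic domain"
        elif d in directly:
            status[d] = "validated"
        else:
            # A subdomain is accepted as soon as an added parent is validated,
            # so it needs no TXT record of its own.
            parent = next((p for p in parent_domains(d) if p in directly), None)
            status[d] = f"validated via {parent}" if parent else "pending"
    return status


if __name__ == "__main__":
    added = ["geometrixx.com", "support.geometrixx.com", "Contact.Geometrixx.com.",
             "geometrixx.org", "gmail.com"]
    for domain, state in classify_domains(added, TXT_SNAPSHOT, DNS_TOKEN).items():
        print(f"{domain:28} {state}")
```

Domains reported as pending should be re-checked after the DNS change has propagated; the page notes this can take up to 72 hours.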

Manually validate domains

If you need to validate your domain immediately, you can do this on the Admin Console. To manually validate your domains:

  1. Sign in to the Admin Console.

  2. Navigate to Settings > Identity and go to the Domains tab.

  3. Click Validate.

  4. In the Validate Domain Ownership screen, click Validate Now.

You might receive error messages when trying to validate, as it can take up to 72 hours for DNS changes to take effect. To know more, see common questions related to DNS records.

After verifying your domain's ownership, link the validated domains to the required directories in the Admin Console.

Link domains to directories

After you have set up your directories and domains in the Admin Console, you need to link the domains to the directories.

You can link multiple domains to the same directory. However, all the domains that you link to a single directory must share identical SSO settings.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Domains tab.

  3. Click the check box to the left of the domain name and click Link to Directory.

    If you want to link multiple domains to the same directory, multi-select the check boxes for these domains.

  4. In the Link to directory screen, choose the directory from the dropdown and click Link.

Manage users

After you've completed your Enterprise ID or Federated ID setup, you're ready to provide the purchased Adobe products and services to your users.

Read an introduction to users on the Admin Console. Or jump right in and add users to the Admin Console, using one of these methods:

Once users are added to the Admin Console, provision users by assigning them to Product Profiles.

Directory trusting

The ownership of a domain can only be claimed by a single organization. So consider the following scenario:

A company, Geometrixx, has multiple departments, each of which has their own unique Admin Console. Also, each department wants to use Federated user IDs, all using the geometrixx.com domain.  In this case, the system administrator for each of these departments would want to claim this domain for authentication. The Admin Console prevents a domain from being added to more than one organization's Admin Console. However, once added by a single department, other departments can request access to the directory to which that domain is linked on behalf of their organization's Admin Console.

Directory trusting allows a directory owner to trust other system admins (trustees). After this, trustee organizations in the Admin Console can add users to any domain within the trusted directory.

To summarize, you must add a domain if you plan to use Enterprise ID or Federated ID on your Admin Console. If another organization has already added this domain, you have to request trustee access to the directory containing this domain. However, when the trustee organization adds users to the trusted domains, they are added as Business ID users.

To request access to a directory, see the steps in the Add domains procedure in Set up domains.

Warning:
  • As an owner of a directory, if you approve an access request for a directory, the trustee organization will have access to all domains linked to the directory, as well as any domains linked to that directory in the future. So planning the domain-to-directory linking is essential as you set up the identity system in your organization.
  • Before adding, requesting, revoking, or withdrawing a trust request, we strongly recommend that you export a user list from the Admin Console or Consoles involved prior to making changes. This list will provide a snapshot of all user data, including name, email, assigned product profiles, and assigned admin roles in case you need to rollback.
  • There are specific steps to follow to migrate a domain that includes a trust relationship. You should not revoke a trust relationship when migrating a trusted domain to prevent loss of user account and product access in the trustee’s organization.

Domain trustee

If you add existing domains to the Admin Console, you are prompted with the following message:

If you request access to this domain, your name, email, and organization name are shared with the request to the system administrators of the owning organization.

The new directory type is Business ID and user authentication depends on how it was set up by the owning organization.

Since the domain has already been set up by the owner (see Demonstrate ownership of the domains in Set up domains for details), as the trustee, you do not need to take any additional action. When the access request is accepted by the owner, your organization can access the directory and all its domains, as configured by the owning organization.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Access Requests tab and check the status against each directory for which you have requested access.

  3. You can also click the row item in the list of access requests and click Resend Request or Cancel Request.

If your request for access to the directory is accepted by the owning organization, you receive an email notification. Your trust request disappears, and instead the trusted directory and its domains appear with the status Active (trusted) in your Directories and Domains listings.

Go ahead and add users and user groups and assign them to product profiles.

As the trustee organization, if you no longer have a need to access the trusted directory, you may withdraw your trustee status at any time.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. In the Directories tab, click the shared directory to withdraw your access from.

  3. In the directory details drawer, click Withdraw.

If you withdraw your access to a trusted directory, any users associated with the domains in that directory are removed from your organization. However, these users could still access their assigned apps, services, and storage.

To stop users from using the software, remove them from Admin Console > Users > Remove users. Then, you can reclaim the deleted users' assets since your organization owns these assets.

Domain owner

As a system administrator of an owning organization, you can choose to accept or reject the requests for access to the directories that you own. 

When you get an email request for access to a directory you own, you can either choose to accept or reject the request from within the email itself. You can also go to the Access Requests tab to manage the claim requests.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Access Request tab.

  3. To accept all the requests, click Accept All.

    Or to accept requests for specific claims, click the check box to the left of each row and click Accept.

  4. In the Accept Access Request screen, click Accept.

An email notification is sent to the System admins of the trustee organizations.

You can also choose to reject the request for access to a directory that you own.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Access Request tab.

  3. Click the check box to the left of each row and click Reject.

  4. In the Reject Access Request screen, enter a reason for rejecting the request and click Reject.

The reason that you provide is shared with the requesting organization via email. However, your email, name, and organizational information are withheld.

You can revoke the access of a trustee organization for which you have previously given access.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Trustees tab.

  3. Click the check box to the left of each row and click Revoke.

  4. In the Revoke Trustee screen, click Revoke.

If you revoke access to a trusted directory, any users associated with the domains in that directory are removed from the trusted directory. However, these users could still access their assigned apps, services, and storage.

To stop users from using the software, trustee admins can remove them from Admin Console > Users > Remove users. Then, they can reclaim the deleted users' assets since the trustee organization owns these assets.

Manage encryption keys

Using Creative Cloud or Document Cloud for enterprise, end users can store files safely and securely. Also, users can share files and collaborate with others. Files are accessible to users via the Creative Cloud website, Creative Cloud desktop app, and Creative Cloud mobile app. Storage is available with Creative Cloud or Document Cloud for enterprise only if it is a part of your organization's agreement with Adobe.

While all data on Creative Cloud and Document Cloud is encrypted, for extra layers of control and security, you can choose to have Adobe generate a dedicated encryption key for your organization. Content is then encrypted using standard encryption with a dedicated encryption key. If necessary, you can revoke the encryption key from the Admin Console.

Dedicated encryption keys are available only with the Creative Cloud or Document Cloud for enterprise shared services plans that include storage and services.

For more details, see how to manage encryption keys on the Admin Console.

Migrate to new authentication provider

A self-service option is available to migrate established directories to a new authentication provider within the Adobe Admin Console.

Warning:

Do not remove the existing setup on your IdP until you have confirmed that the new configuration is successful with 2 to 3 active accounts of the directory.

If removed prior to verification, you lose the ability to roll back to the former configuration and incur downtime while issues are resolved. To learn more, follow the migration procedure.

Access requirements

To migrate to a new authentication provider, you need to meet the following requirements:

  • Access to your organization's Admin Console with System Administrator credentials
  • Must have an existing directory configured for federation in Admin Console
  • Access to configure your organization's identity provider (for example, Microsoft Azure Portal, Google Admin console, etc.)

Additional information can be found in Implementation Considerations.

Migration procedure

After you've ensured the access requirements and implementation considerations are met, follow the procedure below to edit your authentication profile and migrate your directory:

  1. In your Adobe Admin Console, go to Settings > Directories.

  2. Select the Edit action for the directory. Then, select Add new IdP in the directory details.

  3. Select the identity provider to set up the new authentication profile. Choose the identity provider (IdP) that your organization uses to authenticate users. Click Next.

  4. Based on your choice of Identity provider, follow the steps below:

    • For Azure
      Log in to Azure with your Microsoft Azure Active Directory Global Admin credentials and accept the permission prompt. You're taken back to the directory details in the Admin Console.

      Note:
      • The Microsoft Global Admin login is only required to create an application in the organization's Azure Portal. The Global Admin's login information is not stored; it is used only for the one-time permission to create the application.
      • When selecting the identity provider in Step 3 above, the Microsoft Azure option should not be used if the Username field in the Adobe Admin Console does not match the UPN field in the Azure Portal.
        If the existing directory is configured to pass Username as the User Login Setting, the new IdP should be established under the Other SAML Providers option. The login setting can be confirmed by selecting the Edit option in the current directory under User Login Setting.
      • Choosing the Microsoft Azure option in Step 3 only configures the identity provider and does not include directory sync services at this time.
    • For Google:

      1. Copy the ACS URL and Entity ID from the Edit SAML Configuration screen that is displayed.
      2. In a separate window, log in to the Google Admin Console with Google Admin credentials and navigate to Apps > SAML Apps.
      3. Use the + sign to add a new app and select the Adobe app. Then, download the IdP metadata under Option 2 and upload it to the Edit SAML Configuration screen in the Adobe Admin Console. Then, click Save.
      4. Confirm the Basic Information for Adobe. Enter the previously copied ACS URL and Entity ID in the Service Provider Details to finish. Note that there is no need to set up User Provisioning, as this is not currently supported for existing directories.
      5. Last, go to Apps > SAML apps > Settings for Adobe > Service Status. Turn Service Status ON for everyone and click Save.

    • For Other SAML Providers:

      1. Log in to your identity provider's application in a different window and create a new SAML app. (Do not edit the existing SAML app, to prevent downtime during migration.)
      2. Based on your identity provider's settings, copy the Metadata file or ACS URL and Entity ID from the Adobe Admin Console to the identity provider's settings.
      3. Upload metadata file from the identity provider setup to the Adobe Admin Console. Then, click Save.
  5. In the Adobe Admin Console > Directory details, the new authentication profile is created. Use the Test option to verify that the configuration is set up correctly, so that all end users keep access to SAML apps.

    The Test feature checks that the username format of the new authentication profile in the IdP matches the user information in the existing profile used for user login.

  6. Click Activate to migrate to the new authentication profile. Once done, the new profile displays In use.

    Before activating, go to Directory users in the Adobe Admin Console and check that the identity provider usernames match the Admin Console usernames.

    For SAML, make sure that the Subject field in the assertion from the new configuration matches the existing users' username format in the Admin Console.

    Warning:

    As of October 31, 2020, Adobe will discontinue support of deprecated SAML setups (including the SHA-256 Pilot) for federated directories within Adobe Admin Consoles.

    Once a new authentication profile with the SAML update is active, the deprecated profile will remain inactive and available for seven days. After 7 days, the inactive profile card will automatically be removed from the directory in the Adobe Admin Console. The only way to restore a removed deprecated profile is to raise a support request with Adobe Engineering.  
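The pre-activation check from step 6, written as an added Python example (not Adobe's code): it reads the Subject NameID from a constructed SAML assertion and classifies it against a constructed list of Admin Console usernames, so mismatches in domain or letter case are visible before you click Activate. The assertion, the usernames, and the function names are all assumptions made for this example.

```python
"""Pre-activation check for a migrated SAML authentication profile.

Added example, not Adobe's code. It extracts the Subject NameID from a
constructed assertion produced by the new IdP configuration and compares it
with usernames exported from the Admin Console (also constructed), mirroring
step 6 above: the Subject must match the existing users' username format.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment; a real assertion is signed and larger.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@geometrixx.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed snapshot of Admin Console usernames for the directory.
ADMIN_CONSOLE_USERNAMES = ["jane.doe@geometrixx.com", "bob@geometrixx.com"]


def subject_name_id(assertion_xml: str) -> tuple:
    """Return (NameID value, NameID Format) from the assertion's Subject."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return name_id.text.strip(), name_id.get("Format", "unspecified")


def classify_subject(value: str, usernames: list) -> str:
    """Classify how a Subject value relates to the Admin Console usernames.

    exact   - identical string; this user will match after activation
    case    - same text apart from letter case; review before activating
    domain  - same local part, different domain (for example UPN vs. email)
    missing - no Admin Console user resembles the Subject
    """
    if value in usernames:
        return "exact"
    lowered = [u.lower() for u in usernames]
    if value.lower() in lowered:
        return "case"
    local = value.split("@")[0].lower()
    if "@" in value and any(u.split("@")[0] == local for u in lowered):
        return "domain"
    return "missing"


def check_assertion(assertion_xml: str, usernames: list) -> dict:
    """Parse the assertion and report the Subject, its Format, and the match status."""
    value, fmt = subject_name_id(assertion_xml)
    return {"subject": value, "format": fmt, "status": classify_subject(value, usernames)}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, ADMIN_CONSOLE_USERNAMES))
```

Run it against a test login's assertion for each of the 2 to 3 accounts mentioned in the warning above; anything other than "exact" deserves a look at the IdP's NameID mapping before activation.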

After you've updated your directory setup, you can move domains from other SHA-1 directories to the new directory using domain migration. Note that users of the migrated domains must be in the identity provider that is configured to work with the new target directory.

To know more about limitations and avoid errors that you might encounter while configuring, see Common questions.

Move domains across directories

Organizations can structure directories by moving domains from source directories to target directories within the Admin Console. You can reorganize domain-to-directory linking based on your organization’s needs without end users losing access to their products, services, or stored assets. Consolidating domains configured for the same identity provider into a single directory streamlines management for your IT teams.

If you plan to migrate domains from a directory to another one that contains a new identity provider (Azure, Google or other SAML) with SHA-2 authentication, you need to replicate the new IdP setup in both the directories. The new IdP setup enables test login for users of all domains within the directory. Do the following based on your new identity provider:

  • For Microsoft Azure: Add a new Azure IdP to your directory and log into the same Azure tenant.
  • For Other SAML providers (including Google): Upload the same metadata file which will point to the same SAML app on your IdP.

After the domain migration is complete, users who are part of the new directory still have the ability to log in. This eliminates downtime and ensures immediate access to their assigned Adobe apps and services.

Warning:
  • Users are logged out of their accounts and cannot log into a new session during domain transfer. It's recommended to edit directories in off-peak hours to minimize end user disruption.
  • There are specific steps to follow to migrate a domain that includes a trust relationship. You should not revoke a trust relationship when migrating a trusted domain, to prevent loss of user account and product access in the trustee's organization.
  • Before any domain migration, we strongly recommend that you export a user list from the Admin Console or Consoles involved prior to making changes. This list provides a snapshot of all user data, including name, email, assigned product profiles, and assigned admin roles, in case a rollback needs to be performed.

Why move domains

You can benefit from this feature in the following scenarios:

  • You have domains in old SHA-1 supported directories and you want to move to SHA-2 supported directories.
  • You want to migrate an existing directory to another identity provider with a SHA-2 authentication profile.
  • You have directories in a trust relationship or want to share directories for trusting, without allowing access to all domains within the trusted directory.
  • You have to group directories based on organization teams and departments.
  • You have a number of directories that are linked to single domains and want to consolidate.
  • You accidentally linked a domain to an incorrect directory.
  • You want to self-serve move a domain from Enterprise ID to Federated ID or Federated ID to Enterprise ID.

Handling encrypted or trusted directories

If the source or target directories are encrypted or are in a trust relationship, you cannot move domains directly. Follow the instructions below for each of these cases:

Use case: To move domains between directories that are in the same trust relationship
Example: Directory 1 and Directory 2 are configured in Console A and both have a trust relationship established with Console B.
Suggested approach: Follow the move domain process.

Use case: To move domains between directories that are in trust relationships (see Figure A for process diagrams)
Example: Directory 1 is configured in Console A and has a trust relationship established with Console B. Within Console A, a domain in Directory 1 (Domain X) needs to move to Directory 2.
Suggested approach:
  1. Export a user list from the Console that owns the trust and from all trustee Consoles prior to making changes.
  2. Establish a trust between all trustees and the destination directory (Directory 2) in Console A.
  3. Move domains from the current directory (Directory 1) to the destination directory (Directory 2) in Console A.
  4. Revoke the trust relationship from trustees in Directory 1 in Console A.
  5. Trustee removes the revoked domain from Console B (repeat this step for additional trustees).
  6. When Directory 1 is in an empty state with no domains or trusts, you can delete the empty directory.

Use case: To move a domain or directory containing multiple domains to another Admin Console in your organization
Example: Directory 1 is configured in Console A, but Directory 1 and its claimed domains need to move to Console B for ownership.
Suggested approach: Reach out to Adobe Customer Care.

Use case: To move domains to or from an encrypted directory within the same Admin Console
Example: Directory 1 has encryption turned ON, and a domain from Directory 2 in the same Admin Console requires migration to Directory 1.
Suggested approach: Moving domains to or from an encrypted directory is currently not supported.

Figure A: process diagrams showing the original state, the trusting state, and the migrated state.

Move domains

Follow the process below to transfer domains from a source directory to a target directory:

  1. Sign in to the Adobe Admin Console and go to Settings.

  2. Navigate to Domains and select the domains you want to move to the target directory. Then, click Edit Directory.

  3. Select a directory from the dropdown on the Edit Directory screen. Use the toggle at the bottom to switch completion notifications on or off. Then, click Save.

You are sent to the Domains section under Settings > Identity. All the domains with their status are listed.

Once the domains have been transferred successfully, the system admins receive an email about the domain transfer. Next, you can edit directory names and delete empty directories as required.

Delete directories and remove domains

You can delete directories and domains that are no longer in use from the Admin Console.

Note:

You cannot delete a directory that has:

  • Active users
  • Linked domains
  • Trustees
  • Default Business ID directories

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Directories tab.

  3. Click the check box to the left of one or more directory names and click Delete Directories.

  4. In the delete directories screen, click Delete.

Note:

You cannot remove a domain if there are users with that domain in the Admin Console or if the domain is linked to one or more directories.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Domains tab.

  3. Click the check box to the left of one or more domain names and click Delete.

  4. In the Remove Domains screen, click Remove.
