Set up Google federation for SSO with Adobe

The Google federation (Google Connector) connects the Google Admin console to the Adobe Admin Console and simplifies the SSO-setup process. With Google Connector, you can automate the user sync and license provisioning workflows to set up SSO in just a few minutes.

Note:

If you have a functioning SAML-based SSO configured with Google Identity, we recommend that you keep your current setup. An upcoming feature will allow you to automatically migrate users and SSO configuration.

Overview

Configure Single Sign-On (SSO) with Google Admin console to manage users and entitlements for your Adobe apps and services. In this scenario, the Adobe Admin Console uses Google as the Identity Provider (IdP). 

Google federation combines the processes of directory creation, domain claim, SSO-setup, SAML-app creation, and user provisioning into a simple workflow involving steps in the Google Admin console and Adobe Admin Console. Google users linked with the Adobe Admin Console are unique and can be assigned to one or more product profiles.

Once the Connector setup is complete, an initial sync imports all users from the Google Admin console. Thereafter, syncing is performed periodically to keep users in the Adobe Admin Console up to date. System Administrators of the Adobe Admin Console receive a notification email including a summary of added or removed users in case of a change.

Benefits

By using the Google ID federation and sync tool, you save time and effort in the following ways:

  • No replication of steps such as domain claim, as the two Admin Consoles connect directly
  • Quick setup and initiation of the initial sync through a seamless workflow
  • The Google Admin console becomes the one place to manage all users
  • Easy to onboard and offboard users directly from the associated groups in G Suite
  • No additional service or API setup needed to sync to the Adobe Admin Console

Prerequisites

To integrate Adobe Admin Console user management with that of Google, you must meet the following requirements:

  • You are an administrator in the Google Admin console
  • You have verified domains in the Google Admin console
  • You are familiar with Google's SAML Apps catalog in G Suite

Supported integration scenarios

The Google Connector supports multi-Google Admin Console and multi-Adobe Admin Console scenarios. Supported scenarios include:

The organization has a one-to-one relationship between a single Google Admin Console and a single Adobe Admin Console with sync established via the Google Connector to manage users and provision licenses.

The organization has multiple Adobe Admin Consoles in a primary or trustee relationship, allowing the trustee Admin Consoles to take advantage of the SSO configuration established on the primary Admin Console. The Google Connector only manages users for the primary Admin Console in such a case.

The trustee Adobe Admin Console can leverage the SSO configuration. However, users must be synced to the primary Adobe Admin Console before they are added to the trusted Admin Console manually or via user management service (such as CSV manual upload, User Sync Tool, or User Management API).

The organization has multiple Google Admin Consoles that feed a single Adobe Admin Console for user management and license provisioning. The Google Connector can establish a multi-tenant sync to a single Adobe Admin Console to enable single sign-on and user management for all connected tenants.

The organization has a single Google Admin Console feeding multiple Adobe Admin Consoles. The Google Connector can be leveraged to sync users from a single directory source to different Adobe Admin Consoles for the same organization.

Set up Google Admin console Federation

If you meet the prerequisites, it's time to set up the integration and provision Adobe applications and services to your end users.

Set up your users using the Google Admin console.

Once the Google Admin console is set up and ready, complete the following steps in their respective windows (Google Admin console or Adobe Admin Console):

  1. Sign in to Adobe Admin Console and click Settings. On the Identity page, click Create Directory.

  2. On the Create a Directory screen, do the following and click Start.

    • Enter a name for the directory
    • Select the Federated ID card

  3. Select Google and then click Next, then click Log in to Google on the next instruction screen. You can go through the steps mentioned in the instructional screen to sync SAML settings and users from Google.

  4. You are redirected to the Google sign-in page. Enter admin email and password, then click Next. Review the consent prompts and grant permissions. Then, click Allow to give Adobe.com access to your Google account.

  5. Return to Adobe Admin Console, review your G Suite information and click Confirm.

  6. Select the domains to sync with Adobe Admin Console, click Sync, and then click Next.

    Note:

    Only the domains with the status Ownership validated can be selected and synced. Other domains need to be ownership-verified in the Google Admin console before syncing.

  7. To sync users to the Adobe Admin Console, you are required to create a SAML Adobe app and set up user provisioning in the Google Admin console. Follow the steps under the Authorize and set up user provisioning in the Google Admin console below and return to the Configure Google screen in the Adobe Admin Console. Then, click Confirm to complete the setup.

To sync users from the Google Admin console, you need to follow the steps below:

  1. Sign in to the Google Admin console using your admin credentials. On the Home screen, go to Apps. Then open SAML apps.

  2. Click the + sign to add a new SAML app and scroll down to select Adobe from the list. Make sure you select Adobe and not Adobe Sign from the list.

  3. Download the IDP metadata under Option 2 on the Google IdP Information screen and click Next. Go to the Configure Google screen in the Adobe Admin Console and upload this file under Step 3: Upload Google Metadata.

  4. Confirm the Basic Information for Adobe on the next screen and move to the Service Provider Details window. Enter the ACS URL and Entity ID provided on the Configure Google screen. Check the Signed Response box and click Finish.

  5. On the Setting up SSO for Adobe dialog, click Setup now, then click the Set up user provisioning button in the User Provisioning section.

  6. Copy the Authorization Token and the Adobe Endpoint URL from Step 4 of the Configure Google screen in the Adobe Admin Console and enter them in Steps 1 and 2 of the Google User Provisioning setup, respectively.

  7. On the Map Attributes step, leave the attributes unchanged and click Next. If you want to sync only some of your user groups, enter their names in the Set provisioning scope dialog. Otherwise, leave it empty to sync the whole directory. Then, click Finish.

  8. The User Provisioning section is displayed with the Provisioning Status as OFF. Click Edit Service and select ON for everyone in the Service Status and click Save.

  9. Review the User provisioning dialog and click Activate to complete the setup.

  10. The provisioning status changes to ON and a summary of the sync status is displayed. Now, go to the Configure Google screen to complete setup and start the user sync.

Domains and directories start to sync from the Google Admin console. Details such as users synced are displayed in the Details section under the Settings tab.

Once the sync is complete, you can assign products to the end users.

Next steps

Once the sync is completed, all users are imported to the Adobe Admin Console. You can now create appropriate product profiles and associate them to users to fine-tune their product assignments. Read about how to manage products and product profiles.

Your organization can decide how to deploy applications to end users: either as an IT-managed package or by letting users download and install the Creative Cloud Desktop App themselves (self-serve). See more information on packaging and deployment options.

Delete directories and remove domains

Note:
  • To remove a directory, you must first remove all users, domains, and trustees associated with it.
  • If you delete a user from Directory users, the user is deleted along with all the associated Creative Cloud assets. The user and the assets cannot then be recovered.

Follow the steps below to remove all associated users and domains and delete the corresponding Google Sync directory:

  1. Log into your Google Admin console and navigate to the Adobe SAML app details. To begin removing users, turn OFF the Adobe SAML app, but leave user provisioning ON.

    Caution:

    Do not delete the Adobe SAML app from the Google Admin console at the start.

    If the SAML app is deleted, you must recreate it. To learn more, see Enable the Adobe app step in Set up SSO via SAML for Adobe.

    A sample Adobe SAML app configured for users' removal

    Once configured, Google's User Provisioning system starts to send requests to remove users from Adobe Admin Console (this process takes up to 24 hours to begin, based on Google’s active queue).

  2. The synced user count within the established Google Directory details decreases.

    If the synced user count doesn't decrease, check the User Failure section in the User Provisioning panel of your Google Admin console. If the number is not 0, click the number to troubleshoot errors.

    Caution:

    As the process is controlled by Google, it might take time to process user removal, depending on the number of users.

    We recommend that you start deleting users from Directory Users after they are removed from the Users section.

  3. In the Adobe Admin Console, navigate to the Directory Users section and select the appropriate directory and remove all users.

    You can select up to 100 users at a time from the bottom of the users' table for faster selection.

  4. After users have been removed from the Directory Users section, remove associated domains. Navigate to the respective Google Sync directory Details and deselect all domains from sync.

    Then, navigate to Settings > Identity Domains; remove the domains associated with the Google directory from the list.

  5. Your directory is now ready to delete. Select the empty directory from the Settings tab to delete it.

  6. Important: Make sure to delete the associated Adobe SAML app in the Google Admin console to prevent new users from being synced to the Adobe Admin Console. Leaving the app in place results in errors, as no associated domains are selected in the Google Admin console.

Note:

Ensure that there are no domain trusts established to the domains being removed.

If you want to retain these trust relationships, break them temporarily while completing the remaining steps. You can associate domain trusts again once the domains are re-established in the Adobe Admin Console. Learn more about directory trust.
