Sign in to Adobe Admin Console and click Settings. On the Identity page, click Create Directory.
The Google federation (Google Connector) connects the Google Admin console to the Adobe Admin Console and simplifies the SSO-setup process. With Google Connector, you can automate the user sync and license provisioning workflows to set up SSO in just a few minutes.
If you have a functioning SAML-based SSO configured with Google Identity, we recommend that you keep your current setup. An upcoming feature will allow you to automatically migrate users and SSO configuration.
Configure Single Sign-On (SSO) with Google Admin console to manage users and entitlements for your Adobe apps and services. In this scenario, the Adobe Admin Console uses Google as the Identity Provider (IdP).
Google federation combines the processes of directory creation, domain claim, SSO-setup, SAML-app creation, and user provisioning into a simple workflow involving steps in the Google Admin console and Adobe Admin Console. Google users linked with the Adobe Admin Console are unique and can be assigned to one or more product profiles.
Once the Connector setup is complete, an initial sync imports all users from the Google Admin console. Thereafter, syncing is performed periodically to keep users in the Adobe Admin Console up to date. System Administrators of the Adobe Admin Console receive a notification email including a summary of added or removed users in case of a change.
By using the Google ID federation and sync tool, you save time and effort in the following ways:
To integrate Adobe Admin Console user management with that of Google, your organization needs the following:
The Google Connector supports multi-Google Admin Console and multi-Adobe Admin Console scenarios. Supported scenarios include:
The organization has a one-to-one relationship between a single Google Admin Console and a single Adobe Admin Console with sync established via the Google Connector to manage users and provision licenses.
The organization has multiple Adobe Admin Consoles in a primary or trustee relationship, allowing the trustee Admin Consoles to take advantage of the SSO configuration established on the primary Admin Console. The Google Connector only manages users for the primary Admin Console in such a case.
The trustee Adobe Admin Console can leverage the SSO configuration. However, users must be synced to the primary Adobe Admin Console before they are added to the trusted Admin Console manually or via user management service (such as CSV manual upload, User Sync Tool, or User Management API).
The organization has multiple Google Admin Consoles that feed a single Adobe Admin Console for user management and license provisioning. The Google Connector can establish a multi-tenant sync to a single Adobe Admin Console to enable single sign-on and user management for all connected tenants.
The organization has a single Google Admin Console feeding multiple Adobe Admin Consoles. The Google Connector can be leveraged to sync users from a single directory source to different Adobe Admin Consoles for the same organization.
If you meet the prerequisites, it's time to set up the integration and provision Adobe applications and services to your end users.
Once the sync is completed, all users are imported to the Adobe Admin Console. You can now create appropriate product profiles and associate them to users to fine-tune their product assignments. Read about how to manage products and product profiles.
Your organization can decide how to deploy applications to end users, in either an IT-managed package or self-serve download and install Creative Cloud Desktop App. See more information on packaging and deployment options.
Log into your Google Admin console and navigate to the Adobe SAML app details. To begin removing users, turn OFF the Adobe SAML app, but leave user provisioning ON.
Do not delete the Adobe SAML app, from the Google Admin console, at the start.
If the SAML app is deleted, you must recreate it. To learn more, see Enable the Adobe app step in Set up SSO via SAML for Adobe.
Once configured, Google's User Provisioning system starts to send requests to remove users from Adobe Admin Console (this process takes up to 24 hours to begin, based on Google’s active queue).
The synced user count within the established Google Directory details decreases.
If the synced user count doesn't decrease, check the User Failure section in the User Provisioning panel of your Google Admin console. If the number is not 0, click the number to troubleshoot errors.
As the process is controlled by Google, it might take time to process user-removal based on the number of users.
We recommend you to start deleting users from Directory Users after they are removed from Users section.
In the Adobe Admin Console, navigate to the Directory Users section and select the appropriate directory and remove all users.
You can select up to 100 users at a time from the bottom of the users' table for faster selection.
After users have been removed from the Directory Users section, remove associated domains. Navigate to the respective Google Sync directory Details and deselect all domains from sync.
Then, navigate to Settings > Identity > Domains; remove the domains associated with the Google directory from the list.
Your directory is now ready to delete. Select the empty directory from the Settings tab to delete it.
Important: Make sure to delete the associated Adobe SAML app in the Google Admin console to prevent new users getting synced to the Adobe Admin Console. This results in errors as no associated domains are selected in the Google Admin console.
Ensure that there are no domain trusts established to the domains being removed.
If you want to retain these trust relationships, break it temporarily while completing the remaining steps. You can associate domain trusts once the domains are re-established in the Adobe Admin Console. Learn more about directory trust.