Note:

If your organization still has SHA-1 authenticated directories, update seamlessly to the enhanced security of a SHA-2 certificate within the Admin Console. Add and activate a new authentication profile within your existing directory to migrate from SHA-1 to SHA-2 without any downtime. To learn more, see Migrate to new authentication provider.

Note that all newly created directories have SHA-2 authentication enabled by default.

  • Set up directories: To use Enterprise IDs or Federated IDs, start by setting up a directory to which you can link one or more domains.
  • Set up domains: Your end users are authenticated against domains that you need to set up in the Admin Console.
  • Link domains to directories: After you have set up your directories and domains, group the domains by linking them to directories.
  • Directory trusting: Use directory trusting to trust system admins of other organizations.
  • Migrate SHA-1 directories to SHA-2: Update old SHA-1 authenticated directories to the SHA-2 profile.
  • Move domains across directories: Structure directories by moving domains across directories within the Admin Console.


As a system admin on the Admin Console, one of your first tasks is to define and set up an identity system against which your end users will be authenticated. As your organization purchases licenses for Adobe products and services, you will need to provision those licenses to your end users. And for this, you will need a way to authenticate these users.

Adobe provides you with the following identity types that you can use to authenticate your end users:

  • Adobe ID
  • Enterprise ID
  • Federated ID

If you want to have separate accounts owned and controlled by your organization for users in your domain, you must use either the Enterprise ID or the Federated ID (for Single Sign-On) identity type.

This article provides the details required to set up the identity system that you will need if you plan to use Enterprise ID or Federated ID to authenticate your end users.

Note:

The Set up directories and Set up domains procedures described in this document are completely decoupled. This means that you can do these procedures in any order or in parallel. However, the procedure to link email domains to directories can be done only after you have completed both of these procedures.

Key terms and concepts

Before we get into the procedures, these are some concepts and terms that you need to be aware of:

Directory

A directory in the Admin Console is an entity that holds resources such as users and policies like authentication. These directories are similar to LDAP or Active Directory directories.

Identity provider (IdP)

Your organization's identity provider, such as Active Directory, Microsoft Azure, Ping, Okta, InCommon, or Shibboleth.

To know more about setting up SSO for Creative Cloud with some of the commonly used IdPs, see More like this at the end of the article.

Enterprise ID

Created, owned, and managed by an organization. Adobe hosts the Enterprise ID and performs authentication, but the organization maintains the Enterprise ID. End users cannot sign up and create an Enterprise ID, nor can they sign up for additional products and services from Adobe using an Enterprise ID.

Admins create an Enterprise ID and issue it to a user. Admins can revoke access to products and services by taking over the account, or deleting the Enterprise ID to permanently block access to associated data.

The following are a few requirements and scenarios where Enterprise IDs are recommended:

  • If you need to maintain strict control over apps and services available to a user.
  • If you need emergency access to files and data associated with an ID.
  • If you need the ability to completely block or delete a user account.

Federated ID

Created and owned by an organization, and linked to the enterprise directory via federation. The organization manages credentials and processes Single Sign-On via a SAML2 Identity Provider (IdP).

The following are a few requirements and scenarios where Federated IDs are recommended:

  • If you want to provision users based on your organization's enterprise directory.
  • If you want to manage authentication of users.
  • If you need to maintain strict control over apps and services available to a user.
  • If you want to allow users to use the same email address add an Adobe ID.

Note:

The Identity Provider must be TLS 1.2 compliant.

Adobe ID

Created, owned, and managed by the end user. Adobe performs the authentication and the end user manages the identity. Users retain complete control over files and data associated with their ID. Users can purchase additional products and services from Adobe. Admins invite users to join the organization, and can remove them. However, users cannot be locked out from their Adobe ID accounts. The admin can't delete or take over the accounts. No setup is necessary before you can start using Adobe IDs.

The following are a few requirements and scenarios, where Adobe IDs are recommended:

  • If you want to enable users to create, own, and manage their identities.
  • If you want to allow users to purchase or sign up for other Adobe products and services.
  • If users are expected to use other Adobe services, which do not currently support Enterprise or Federated IDs.
  • If users already have Adobe IDs, and associated data such as files, fonts, or settings.
  • In educational setups, where students can retain their Adobe ID after they graduate.
  • If you have contractors and freelancers who do not use email addresses on domains you control.
  • If you have an Adobe teams contract, you will need to use this identity type.

Domain

The portion of an email address after the @ symbol. To use a domain with Enterprise or Federated ID, you must first validate your ownership of that domain.

For example, an organization may own multiple domains (geometrixx.com, support.geometrixx.com, contact.geometrixx.com) while its employees are authenticated against geometrixx.com. In this case, the organization uses the geometrixx.com domain to set up its identity on the Admin Console.

System admin

  • Works with IdP directory managers and DNS managers to set up identity in the Admin Console. This document is targeted at System admins who will have access to the Admin Console. The persona is expected to work with the other personas who (usually) will not have access to the Admin Console.

DNS manager

  • Updates DNS tokens to validate domain ownership

Identity Provider (IdP) directory manager

  • Creates connectors in the IdP

User identities are verified against an authentication source. To use Enterprise ID or Federated ID, set up your own authentication source by adding a domain. For example, if your email address is john@example.com, example.com is your domain. Adding a domain permits the creation of Enterprise IDs or Federated IDs with email addresses on the domain. A domain can be used either with Enterprise IDs or Federated IDs, but not both. You can however add multiple domains.

An organization must validate their control over a domain. An organization can also add multiple domains. However, a domain can be added only once. Known public and generic domains, such as gmail.com or yahoo.com cannot be added at all.

To know more about the Identity types, see Manage identity types.

SHA-1 and SHA-2 are the hash algorithms used in the certificates that secure your directory's authentication profiles. As SHA-2 offers better security than the older SHA-1 certificates, all new and migrated authentication profiles use a SHA-2 certificate.

Create directories

To use Enterprise IDs or Federated IDs, start by creating a directory to which you can link one or more domains.

Note:

Adobe currently does not support IdP-initiated workflows.

If your organization has set up (or plans to set up) Microsoft Azure as your SSO provider, we recommend that you use our Azure connector and follow the steps detailed in the Set up Azure Connector: Create a directory section.

If your organization has set up (or plans to set up) Google federation as your SSO provider, we recommend that you use our Google connector and follow the steps detailed in the Set up Google Federation: Create a directory in the Adobe Admin Console section.

Use the procedure below if your organization is using one or more of the following:

  • Enterprise IDs
  • A SAML provider other than Azure or Google
  • Microsoft Azure or Google federation without our connectors

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Navigate to the Directories tab and click Create Directory.

  3. In the Create a Directory screen, enter a name for the directory.

  4. Choose Federated ID, click Next, and proceed to step 5.

    Or choose Enterprise ID and click Create Directory. If you create an Enterprise ID directory, you're done with this directory procedure. Go ahead and set up your domains.

  5. (Federated ID only) Choose Other SAML Providers and click Next.

  6. Use the Add SAML profile screen to get the set up information for your identity provider.

    Some Identity Providers (IdP) accept a metadata file that you can upload, while others may require the ACS URL and the Entity ID. For example:

    • For Azure Active Directory: Upload the metadata file.
    • For Google: Copy the ACS URL and Entity ID and use these in the Google IdP software.
    • For Salesforce: Download the metadata file, extract the certificate information from the file and use that certificate information in the Salesforce IdP software.

    Note:

    The Azure and Google options above are required if you've chosen not to use our Azure and Google connectors, respectively.

    Choose one of the methods below.

    Method 1:

    Click Download Adobe Metadata file.

    The metadata file is downloaded to your local disk. Use this file to configure your SAML integration with the Identity Provider.

    Method 2:

    Copy the ACS URL and the Entity ID.

    (Figure: Add SAML profile)

  7. Switch to your IdP application window and either upload the metadata file or specify the ACS URL and Entity ID. Once done, download the IdP metadata file.

  8. Return to the Adobe Admin Console and upload the IdP metadata file in the Add SAML Profile window and click Done.

Your directory is created.

  • If you have chosen to create an Enterprise ID identity type directory, the setup is complete.
  • If you have chosen to create a directory using the Other SAML Providers option, this directory automatically uses SHA-2 authentication. Previously created directories using SHA-1 authentication can now be updated to SHA-2, and migrated to another identity provider. For details, see Migrate to new authentication provider.

Then, you can set up domains in the Admin Console.

Set up domains

Note:

You do not need to manually add domains if your organization's directory is set up via Microsoft Azure AD Connector or Google Federation sync. Selected domains validated within your identity provider's setup are automatically synced to the Adobe Admin Console.

Your end users are authenticated against domains that you need to set up in the Admin Console.

To set up domains:

  1. Add domains to the Admin Console
  2. Prepare to validate domain ownership by adding a special DNS record
  3. Validate the domains

The domains that you add to the Admin Console do not need to be registered with the same IdP. However, when you link these domains to a directory, you need to link domains from different IdPs to different directories.

You cannot add a domain to the Admin Console if it has already been added to another organization's Admin Console. You can, however, request access to that domain.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. In the Domains tab, click Add Domains.

  3. On the Add Domains screen, enter one or more domains, and click Add Domains. You can claim and validate up to 15 domains at a time; add the remaining domains subsequently.

  4. In the Add Domains screen, verify the list of domains and click Add Domains.

    (Figure: Confirm domains to add)

Your domains are now added to the Admin Console. Now, demonstrate ownership of these domains.

An organization must demonstrate their ownership of a domain. An organization can add as many domains to the Admin Console as required.

The Admin Console allows one organization to use a single DNS token to demonstrate ownership of all its domains. Also, the Admin Console does not require DNS validation for subdomains. This means that when you use the DNS token and demonstrate ownership of a domain, all subdomains of that domain are validated instantly as they are added to the Admin Console.

  1. Sign in to the Admin Console, navigate to Settings > Identity, and go to the Domains tab.

  2. Click  and choose Access DNS Token from the drop-down list.

  3. Work with your DNS manager to add a special DNS record for the domains that you have added.

  4. To verify that you own the domain, you must add a TXT record with the generated DNS token. The exact instructions depend on your domain host. For generic guidelines, see verify ownership of a domain.

  5. Add information to your DNS servers to complete this step. Let your DNS manager know in advance so that this step can be completed in a timely manner.

    Adobe periodically checks the DNS records for your domain. If the DNS records are correct, the domain is validated automatically. If you want to validate the domain immediately, you can sign into the Admin Console and validate it manually. Next, you need to validate domains.

The Admin Console attempts to validate domains you have added several times a day, so you need not take any action to validate a domain once the DNS records are properly configured.
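As an added example (not Adobe's code), the following Python script applies the rules above before you ask the Admin Console to validate: it rejects known public domains, flags duplicates, enforces the 15-domains-per-batch limit, looks for the DNS token in each domain's TXT records, and treats a subdomain as validated when its parent carries the token. The token value, the zone data, sample_lookup and the public-domain entries beyond gmail.com and yahoo.com are constructed placeholders; a real run would query DNS instead.

```python
import re
from typing import Callable, Dict, List, Tuple

# Known public or generic mailbox domains the Admin Console refuses; the page
# names gmail.com and yahoo.com, the rest of this set is a constructed sample.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# The Admin Console accepts at most 15 domains per Add Domains batch.
MAX_PER_BATCH = 15

# Constructed sample zone data: what a TXT lookup of each name would return.
# A real run would replace sample_lookup() with a resolver call, for example
# dns.resolver.resolve(name, "TXT") from the dnspython package.
SAMPLE_TOKEN = "EXAMPLE-DNS-TOKEN-PLACEHOLDER"   # stands in for the console's token
SAMPLE_ZONE: Dict[str, List[str]] = {
    "geometrixx.com": ['"v=spf1 include:_spf.example.net -all"',
                       '"EXAMPLE-DNS-TOKEN-PLACEHOLDER"'],
    "example.org": ['"some-other-organizations-token"'],
}


def sample_lookup(name: str) -> List[str]:
    """Stand-in resolver: raw TXT strings for `name` (empty list if none)."""
    return SAMPLE_ZONE.get(name, [])


def normalize_txt(record: str) -> str:
    """Join the quoted character-strings of a TXT record into one plain value."""
    if '"' in record:
        return "".join(re.findall(r'"([^"]*)"', record))
    return record.strip()


def parent_domains(domain: str) -> List[str]:
    """Ancestors of `domain`, nearest first, excluding the bare TLD."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def token_present(name: str, token: str, lookup: Callable[[str], List[str]]) -> bool:
    """True when some TXT record of `name` equals the console's DNS token."""
    return any(normalize_txt(r) == token for r in lookup(name))


def check_domains(domains: List[str], token: str,
                  lookup: Callable[[str], List[str]] = sample_lookup
                  ) -> List[Tuple[str, str, str]]:
    """Classify each requested domain the way the Admin Console's rules would.

    Returns (domain, status, detail) triples; status is one of validated,
    validated-via-parent, pending, duplicate, rejected-public or deferred.
    """
    results: List[Tuple[str, str, str]] = []
    seen = set()
    accepted = 0
    for raw in domains:
        domain = raw.strip().lower().rstrip(".")
        if domain in seen:
            results.append((domain, "duplicate", "a domain can be added only once"))
            continue
        seen.add(domain)
        if domain in PUBLIC_DOMAINS:
            results.append((domain, "rejected-public",
                            "known public and generic domains cannot be added"))
            continue
        accepted += 1
        if accepted > MAX_PER_BATCH:
            results.append((domain, "deferred",
                            f"only {MAX_PER_BATCH} domains per batch; add it in a later batch"))
            continue
        if token_present(domain, token, lookup):
            results.append((domain, "validated", "DNS token found on the domain"))
            continue
        parent = next((p for p in parent_domains(domain)
                       if token_present(p, token, lookup)), None)
        if parent:
            # Subdomains need no DNS validation once the parent is validated.
            results.append((domain, "validated-via-parent",
                            f"inherits validation from {parent}"))
            continue
        results.append((domain, "pending",
                        "add a TXT record with the token; propagation can take up to 72 hours"))
    return results


if __name__ == "__main__":
    for row in check_domains(["geometrixx.com", "support.geometrixx.com",
                              "GEOMETRIXX.COM", "gmail.com", "example.org"],
                             SAMPLE_TOKEN):
        print("%-28s %-22s %s" % row)
```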

Manually validate domains

If you need to validate your domain immediately, you can do this on the Admin Console. To manually validate your domains:

  1. Sign in to the Admin Console.

  2. Navigate to Settings > Identity and go to the Domains tab.

  3. Click Validate.

    (Figure: Validate domains)

  4. In the Validate Domain Ownership screen, click Validate Now.

You might receive error messages when trying to validate, as it can take up to 72 hours for DNS changes to take effect. To know more, see common questions related to DNS records.

After verifying your domain's ownership, link the validated domains to the required directories in the Admin Console.

After you have set up your directories and domains in the Admin Console, you need to link the domains to the directories.

You can link multiple domains to the same directory. However, all the domains that you link to a single directory must share identical SSO settings.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Domains tab.

  3. Click the check box to the left of the domain name and click Link to Directory.

    If you want to link multiple domains to the same directory, multi-select the check boxes for these domains.

    (Figure: Link domains to directory)

  4. In the Link to directory screen, choose the directory from the dropdown and click Link.

Manage users

After you've completed your Enterprise ID or Federated ID setup, you're ready to provide the purchased Adobe products and services to your users.

Read an introduction to users on the Admin Console. Or jump right in and add users to the Admin Console using one of the available methods.

Once users are added to the Admin Console, provision users by assigning them to Product Profiles.

Directory trusting

The ownership of a domain can only be claimed by a single organization. So consider the following scenario:

A company, Geometrixx, has multiple departments, each of which has its own Admin Console. Also, each department wants to use Federated IDs, all using the geometrixx.com domain. In this case, the system administrator for each of these departments would want to claim this domain for authentication. The Admin Console prevents a domain from being added to more than one organization's Admin Console. However, once the domain has been added by a single department, other departments can request access to the directory to which that domain is linked on behalf of their organization's Admin Console.

Directory trusting allows a directory owner to trust other system admins (trustees). After this, trustee organizations in the Admin Console can add users to any domain within the trusted directory.

To summarize: if you plan to use Enterprise or Federated ID on your Admin Console, you must add the domain associated with your organization. If this domain was previously added by another organization, you have to request access to the directory containing that domain as a trustee.

To request access to a directory, see the steps in the Add domains procedure in Set up domains above.

Caution:

As an owner of a directory, if you approve an access request for that directory, the trustee organization will have access to all domains linked to that directory, as well as any domains linked to that directory in the future. So planning the domain-to-directory linking is essential as you set up the identity system in your organization.

Domain trustee

If you add existing domains to the Admin Console, you are prompted with the following message:

Request access

If you request access to this domain, your name, email, and organization name are shared along with the request with the system administrators of the owning organization.

The type of directory (Enterprise or Federated) depends on how it was set up by the owning organization. This means that you must use whichever directory type was chosen by the owning organization.

Since the domain has already been set up by the owner (see Demonstrate ownership of the domains in Set up domains for details), as the trustee you do not need to take any additional action. When the access request is accepted by the owner, your organization will have access to the directory and all its domains, as configured by the owning organization.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Access Requests tab and check the status against each directory for which you have requested access.

  3. You can also click the row item in the list of access requests and click Resend Request or Cancel Request.

If your request for access to the directory is accepted by the owning organization, you receive an email notification. Your trust request disappears and instead the trusted directory and its domains appear with the status Active (trusted) in your Directories and Domains listings.

Go ahead and add end users and user groups and assign them to product profiles.

As the trustee organization, if you no longer have a need to access the trusted directory, you may withdraw your trustee status at any time.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. In the Directories tab, click the shared directory to withdraw your access from.

  3. In the directory details drawer, click Withdraw.

If you withdraw your access to a trusted directory, any Enterprise ID or Federated ID users that belong to domains in that directory (meaning that they log in using the domain credentials) are removed from your organization. Also, these users lose access to any software granted to them by your organization.

Domain owner

As a system administrator of an owning organization, you can choose to accept or reject requests for access to the directories that you own.

When you get an email request for access to a directory you own, you can either choose to accept or reject the request from within the email itself. You can also go to the Access Requests tab to manage the claim requests.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Access Request tab.

  3. To accept all the requests, click Accept All.

    Or to accept requests for specific claims, click the check box to the left of each row and click Accept.

  4. In the Accept Access Request screen, click Accept.

An email notification is sent to the System admins of the trustee organizations.

You can also choose to reject the request for access to a directory that you own.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Access Request tab.

  3. Click the check box to the left of each row and click Reject.

  4. In the Reject Access Request screen, enter a reason for rejecting the request and click Reject.

The reason that you provide is shared with the requesting organization via email. However, your email, name, and organizational information are withheld.

You can revoke the access of a trustee organization to which you have previously granted access.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Trustees tab.

  3. Click the check box to the left of each row and click Revoke.

  4. In the Revoke Trustee screen, click Revoke.

If you revoke the access of a trustee organization, users with Enterprise ID or Federated ID accounts on any domain in that directory are removed from the trustee's organization. Also, these users lose access to any software or services granted to them by the trustee's organization.

Manage encryption keys

Using Creative Cloud or Document Cloud for enterprise, end users can store files safely and securely. Also, users can share files and collaborate with others. Files are accessible to users via the Creative Cloud website, Creative Cloud desktop app, and Creative Cloud mobile app. Storage is available with Creative Cloud or Document Cloud for enterprise only if it is a part of your organization's agreement with Adobe.

While all data on Creative Cloud and Document Cloud is encrypted, for extra layers of control and security, you can choose to have Adobe generate a dedicated encryption key for your organization. Content is then encrypted using standard encryption with a dedicated encryption key. If necessary, you can revoke the encryption key from the Admin Console.

Dedicated encryption keys are available only with the Creative Cloud or Document Cloud for enterprise shared services plans that include storage and services.

For more details, see how to manage encryption keys on the Admin Console.

Migrate to new authentication provider

If you have directories that use SHA-1 authentication, you can now seamlessly migrate from SHA-1 to SHA-2 authentication profiles without the need to explicitly create a new directory.

Also, the migration allows you to migrate to a different identity provider for an established directory.

Caution:

Do not remove the existing setup on your IdP until you have confirmed that the new configuration is successful with 2 to 3 active accounts of the directory.

If removed prior to verification, you lose the ability to roll back to the former configuration and incur downtime while issues are resolved. To learn more, follow the migration procedure.

Access requirements

To migrate to a SHA-2 authentication profile, you need to meet the following requirements:

  • Access to your organization's Admin Console with System Administrator credentials
  • An existing SHA-1 directory configured for federation in the Admin Console
  • Access to configure your organization's identity provider (for example, Microsoft Azure Portal, Google Admin console, etc.)

For other points to consider during implementation, see Implementation Considerations.

Migration procedure

After you've ensured the access requirements and implementation considerations are met, follow the procedure below to edit your authentication profile and migrate your directory:

  1. In your Adobe Admin Console, go to Settings > Directories.

  2. Select the Edit action for the directory. Then, select Add new IdP in the directory details.

  3. Choose the identity provider (IdP) that your organization uses to authenticate users; the new authentication profile is set up against it. Click Next.

  4. Based on your choice of Identity provider, follow the steps below:

    • For Azure:
      Log in to Azure with your Microsoft Azure Active Directory Global Admin credentials and accept the permission prompt. You're taken back to the Directory details in the Admin Console.

    • For Google:

      1. Copy the ACS URL and Entity ID from the Edit SAML Configuration screen that displays.
      2. In a separate window, log in to the Google Admin Console with Google Admin credentials and navigate to Apps > SAML Apps.
      3. Use the + sign to add a new app and select the Adobe app. Then, download the IdP metadata under Option 2 and upload it to the Edit SAML Configuration in the Adobe Admin Console. Then, click Save.
      4. Confirm the Basic Information for Adobe. Enter the previously copied ACS URL and Entity ID in the Service Provider Details to finish.
      5. Last, go to Apps > SAML apps > Settings for Adobe > Service Status. Turn Service Status ON for everyone and Save.

      (Figure: Service status)

    • For Other SAML Providers:

      1. Log in to your identity provider's application in a different window and create a new SAML app. (Do not edit the existing SAML app; a separate app avoids downtime during the migration.)
      2. Based on your identity provider's settings, copy the metadata file or the ACS URL and Entity ID from the Adobe Admin Console to the identity provider's settings.
      3. Upload the metadata file from the identity provider setup to the Adobe Admin Console. Then, click Save.

  5. In the Adobe Admin Console > Directory details, the new authentication profile is created. Use Test to verify that the configuration is set up correctly, so that all end users have access to SAML apps.

    The Test feature checks that the username format returned by the new authentication profile in your IdP matches the user information in the existing profile, so that users can still log in.

  6. Click Activate to migrate to the new authentication profile. Once done, the new profile displays In use.

    After activating, make sure the value of the Subject field in the assertion from the new SAML configuration matches the existing users' username format in the Admin Console.

    Caution:

    Once a new IdP configuration is active, the Okta SHA-1 profile will remain inactive and available for seven days, after which the inactive profile card will be automatically removed from the directory in the Adobe Admin Console. The only way to restore a removed Okta profile is to raise a support request with Adobe Engineering.
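As an added example that is not part of Adobe's documentation, this Python check does offline what step 6 asks you to confirm after activation: it parses a SAML response, extracts the Subject NameID, and compares it with the directory's existing usernames and linked domains. It also checks the assertion Issuer against the entityID from the uploaded IdP metadata, which goes a little beyond the step. The response, user list, linked domains and issuer URL are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample response, shaped like what a test login through the new
# authentication profile returns; only the fields this check reads are present.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.net/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">John.Doe@Geometrixx.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed samples of the directory's existing Federated ID usernames, its
# linked domains and the entityID taken from the IdP metadata file you uploaded.
EXISTING_USERS: Set[str] = {"john.doe@geometrixx.com", "ana.perez@support.geometrixx.com"}
LINKED_DOMAINS: Set[str] = {"geometrixx.com", "support.geometrixx.com"}
EXPECTED_ISSUER = "https://idp.example.net/metadata"


def parse_subject(xml_text: str) -> Dict[str, Optional[str]]:
    """Extract the Issuer, the Subject NameID value and its Format attribute."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Assertion/saml:Issuer", NS)
    if issuer is None:                      # fall back to the response-level Issuer
        issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "format": name_id.get("Format") if name_id is not None else None,
    }


def check_subject(xml_text: str, existing_users: Set[str], linked_domains: Set[str],
                  expected_issuer: str) -> Dict[str, object]:
    """Compare the asserted Subject with the usernames already in the directory."""
    info = parse_subject(xml_text)
    problems: List[str] = []
    result: Dict[str, object] = {"name_id": info["name_id"],
                                 "matches_existing_user": False, "problems": problems}
    if info["issuer"] != expected_issuer:
        problems.append(f"issuer {info['issuer']!r} differs from the metadata entityID")
    name_id = info["name_id"]
    if not name_id:
        problems.append("assertion carries no Subject/NameID")
        return result
    if info["format"] not in (None, EMAIL_FORMAT, UNSPECIFIED_FORMAT):
        # persistent/transient NameIDs are opaque handles, not usernames
        problems.append(f"NameID format {info['format']} is opaque, not an email-style username")
    if "@" not in name_id:
        problems.append("NameID is not an email address and cannot match an email-based username")
        return result
    domain = name_id.rpartition("@")[2].lower()
    if domain not in {d.lower() for d in linked_domains}:
        problems.append(f"domain {domain} is not linked to this directory")
    username = name_id.lower()
    matches = username in {u.lower() for u in existing_users}
    result["matches_existing_user"] = matches
    if not matches:
        problems.append("no existing user has this username; check the NameID attribute mapping in the IdP")
    elif username != name_id:
        problems.append("username matches only after lower-casing; confirm the IdP emits the casing stored in the Admin Console")
    return result


if __name__ == "__main__":
    outcome = check_subject(SAMPLE_RESPONSE, EXISTING_USERS, LINKED_DOMAINS, EXPECTED_ISSUER)
    print("NameID:", outcome["name_id"], "matches existing user:", outcome["matches_existing_user"])
    for p in outcome["problems"]:
        print(" -", p)
```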

After you've migrated your directory to a SHA-2 supported SAML provider, you can move domains from other SHA-1 directories to the new directory using domain migration.

To know more about some limitations and avoid errors that you might encounter while configuring, see Common questions: Migrate directory to new authentication provider.

Move domains across directories

Organizations can structure directories by moving domains from source directories to target directories within the Admin Console. You can reorganize domain-to-directory linking based on your organization’s needs without end users losing access to their products, services, or stored assets. Consolidating domains configured for the same identity provider into a single directory streamlines management for your IT teams.

If you plan to migrate domains from a directory to another one that contains a new identity provider (Azure, Google or other SAML) with SHA-2 authentication, you need to replicate the new IdP setup in both directories. The new IdP setup enables test login for users of all domains within the directory. Do the following based on your new identity provider:

  • For Microsoft Azure: Add a new Azure IdP to your directory and log into the same Azure tenant.
  • For Other SAML providers (including Google): Upload the same metadata file which will point to the same SAML app on your IdP.

After the domain migration is complete, users who are part of the new directory can still log in. This eliminates downtime and ensures immediate access to their assigned Adobe apps and services.

Note:

Users are logged out of their accounts and cannot log into a new session during domain transfer. It's recommended to edit directories in off-peak hours to minimize end user disruption.

Why move domains

You can benefit from this feature in the following scenarios:

  • You have domains in old SHA-1 supported directories and you want to move to SHA-2 supported directories.
  • You want to migrate an existing directory to another identity provider with a SHA-2 authentication profile.
  • You have directories in a trust relationship or want to share directories for trusting, without allowing access to all domains within the trusted directory.
  • You have to group directories based on organization teams and departments.
  • You have a number of directories that are linked to single domains and want to consolidate.
  • You accidentally linked a domain to an incorrect directory.
  • You want to self-serve move a domain from Enterprise ID to Federated ID or Federated ID to Enterprise ID.

Handling encrypted or trusting directories

If the source or target directories are encrypted or are in a trust relationship, you are unable to move domains directly. Follow the given instructions to move domains in these cases:

  • To move a domain from one Admin Console org to another: reach out to Adobe Customer Care.
  • To move domains between directories that are in a trust relationship with each other: follow the process below.
  • To move domains between directories that are in trust relationships but not with each other: withdraw the trust relationship, move the domains, then reestablish the trust relationship.

Caution:

Moving domains to or from an encrypted directory is currently not supported.

Move domains

Follow the process below to transfer domains from a source directory to a target directory:

  1. Sign in to the Adobe Admin Console and go to Settings.

  2. Navigate to Domains and select the domains you want to move to the target directory. Then, click Edit Directory.

    (Figure: Edit directory)

  3. Select a directory from the dropdown on the Edit Directory screen. Use the toggle at the bottom to switch completion notifications on or off. Then, click Save.

    (Figure: Select directory)

You are sent to the Domains section under Settings > Identity. All the domains with their status are listed.

Once the domains have been transferred successfully, the system admins receive an email about the domain transfer. Next, you can edit directory names and delete empty directories as required.

Delete directories and remove domains

You can delete directories and domains from the Admin Console that are no longer in use.

Note:

You cannot delete a directory that has:

  • Active users
  • Linked domains
  • Trustees

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Directories tab.

  3. Click the check box to the left of one or more directory names and click Delete Directories.

  4. In the Delete Directories screen, click Delete.

Note:

You cannot remove a domain if there are users with that domain in the Admin Console or if the domain is linked to one or more directories.

  1. Sign in to the Admin Console and navigate to Settings > Identity.

  2. Go to the Domains tab.

  3. Click the check box to the left of one or more domain names and click Delete.

  4. In the Remove Domains screen, click Remove.