Single Sign-On with Adobe Creative Cloud for enterprise FAQ

helpx.adobe.com/ca/enterprise/using/sso-faq.html

Page Value

$ 0.1

Moz Rank 7 BackLinks -1
Alexa Rank -1 Internal URL 215
Page Authority 70 External URL 3
Title Single Sign-On with Adobe Creative Cloud for enterprise FAQ
Description Find answers to common questions about using Single Sign-On with Adobe Creative Cloud for enterprise deployments.
Keywords DocumentCloudforenterprise Reference CreativeCloudforenterprise ExperienceCloud SingleSignOn
Domain helpx.adobe.com
IP 104.123.154.168 104.123.154.139 2600:1406:6c00::17cc:911b 2600:1406:6c00::17cc:913b
Path /ca/enterprise/using/sso-faq.html
Location United States California San Jose Akamai International B.V. (AS20940 Akamai International B.V.)
Page Link Analyse
Internal URL
(215)
External URL
(3)
JavaScript File
  • /etc.dexter.dexterlibs/dexter/clientlibs/base/headIE.fp-8bbe9a4eee8062afe68ae276ac39e4ed.js
  • /etc.dexter.dexterlibs/dexter/clientlibs/base/head.fp-708e64f3024b3872af42b32eadb26e05.js
StyleSheet File
  • https://use.typekit.net/glm4yoq.css
  • /etc.dexter.dexterlibs/helpx/clientBundles/main/clientlibs.fp-51619fc8402e1710f3092a8f3420db4f.css
  • /etc.dexter.dexterlibs/helpx/clientBundles/article3Components/clientlibs.fp-a4034ed8ee001f6a038f663f1db33dbc.css
Page Text
Enterprise&TeamsLearn&SupportGetStartedUserGuideSingleSign-OncommonquestionsSearchLastupdatedon2021-08-31|AlsoAppliestoCreativeCloudforenterprise,DocumentCloudforenterprise,ExperienceCloudAdobeEnterprise&Teams:AdministrationguidePlanyourdeploymentBasicconceptsLicensingIdentityUsermanagementAppdeploymentAdminrolesDeploymentGuidesNamedUserdeploymentguideSDLdeploymentguideDeployCreativeCloudforeducationDeploymentguideIntegrationwithCanvasLMSIntegrationwithBlackboardLearnConfiguringSSOforDistrictPortalsandLMSsKivutoFAQPrimaryandSecondaryinstitutioneligibilityguidelinesSetupyourorganizationSetupidentityIdentitytypes|overviewSetuporganizationwith EnterpriseIDSetuporganizationwith FederatedIDSSOoverviewSetupAzureConnectorandsyncSetup SSOwithMicrosoftviaAzureOIDCAddAzureSynctoyourdirectoryAzureConnectorFAQSetupGoogleFederationandsyncSetup SSOwithGoogleFederationAddGoogleSynctoyourdirectoryGooglefederationFAQGenericSAMLSetupSSOwithotherSAMLprovidersSetupSSOwithMicrosoftAzureADFSSSOCommonquestionsSSOTroubleshootingEducationSSOConfigureSSOforDistrictPortalsandLMSCommonquestionsDovetailVerifyownershipofadomainAddandmanagedomainsLinkdomainstodirectoriesUsedirectorytrusttoaddpre-claimeddomainsMigratetonewauthenticationproviderAssetsettingsAuthenticationsettingsPrivacyandsecuritycontactsConsolesettingsManageencryptionManageproductsandentitlementsManageusersOverviewAdministrativerolesUsermanagementtechniquesManageusersindividually  Managemultipleusers(BulkCSV)UserSynctool(UST)UsermanagementAPI(UMAPI)MicrosoftAzureSyncGoogleFederationSyncChangeuser'sidentitytypeManageusergroupsManagedirectoryusersManagedevelopersMigrateexistinguserstotheAdobeAdminConsoleMigrateusermanagementtotheAdobeAdminConsoleManageproductsandproductprofilesManageproductsManageproductprofilesforenterpriseusersManageself-servicepoliciesManageappintegrationsManageproductpermissionsintheAdminConsole  Enable/disableservicesforaproductprofileSingleApp|CreativeCloudforenterpriseOptionalservicesManageSharedDevicelicensesWhat'snewDeploymentguideCreatepackagesRecoverlicensesMigratefromDeviceLicensingManageprofilesLicensingtoolkitSharedDeviceLicensingFAQManagestorageandassetsStorageManageenterprisestorageAdobeCreativeCloud:UpdatetostorageManageAdobestorageAssetmigrationAutomatedAssetMigrationAutomatedAssetMigrationFAQ  ManagetransferredassetsReclaimassetsfromauserStudentassetmigration|EDUonlyAutomaticstudentassetmigrationMigrateyourassetsManageservicesAdobeStockAdobeStockcreditpacksforteamsAdobeStockforenterpriseUseAdobeStockforenterpriseAdobeStockLicenseApprovalCustomfontsAdobeAssetLinkOverviewCreateusergroupConfigureAdobeExperienceManager6.xAssetsConfigureandinstallAdobeAssetLinkManageassetsAdobeAssetLinkforXDAdobeSignSetupAdobeSignforenterpriseorTeamsAdobeSign-TeamfeatureAdministratorManageAdobeSignontheAdminConsoleCreativeCloudforenterprise-freemembershipOverviewGettingstartedDeployappsandupdatesOverviewDeployanddeliverappsandupdatesPlantodeployPreparetodeployCreatepackagesPackageappsviatheAdminConsoleCreateNamedUserLicensingPackagesAdobetemplatesforpackagesManagepackagesManagedevicelicensesSerialnumberlicensingCustomizepackagesCustomizetheCreativeClouddesktopappIncludeextensionsinyourpackageDeployPackages DeploypackagesDeployAdobepackageswithSCCMDeployAdobepackageswithARDInstallproductsintheExceptionsfolderUninstallCreativeCloudproductsUseAdobeprovisioningtoolkitenterpriseeditionAdobeCreativeCloudlicensingidentifiersManageupdatesChangemanagementforAdobeenterpriseandteamscustomersDeployupdatesAdobeUpdateServerSetupTool(AUSST)AUSSTOverviewSetuptheinternalupdateserverMaintaintheinternalupdateserverCommonusecasesofAUSST  TroubleshoottheinternalupdateserverAdobeRemoteUpdateManager(RUM)UseAdobeRemoteUpdateManagerChannelIDsforusewithAdobeRemoteUpdateManagerResolveRUMerrorsTroubleshootTroubleshootCreativeCloudappsinstallationanduninstallationerrorsQueryclientmachinestocheckifapackageisdeployedCreativeCloudpackage"InstallationFailed"errormessageCreatepackagesusingCreativeCloudPackager(CC2018orearlierapps)AboutCreativeCloudPackagerCreativeCloudPackagerreleasenotesApplicationpackagingCreatepackagesusingCreativeCloudPackagerCreatenamedlicensepackagesCreatepackageswithdevicelicensesCreatealicensepackageCreatepackageswithserialnumberlicensesPackagerautomationPackagenon-CreativeCloudproductsEditandsaveconfigurationsSetlocaleatsystemlevelManageyouraccountManageyourTeamsaccountOverviewUpdatepaymentdetailsManageinvoicesChangecontractownerAssignlicensestoaTeamsuserAddproductsandlicensesRenewalsTeamsmembership:RenewalsEnterpriseinVIP:RenewalsandcompliancePurchaseRequestcomplianceValueIncentivePlan(VIP)inChinaVIPSelecthelpReports&logsAuditLogAssignmentreportsContentLogsGethelpContactAdobeCustomerCareSupportoptionsforteamsaccountsSupportoptionsforenterpriseaccountsSupportoptionsforExperienceCloudTheAdobeAdminConsole offersamethodforenterpriseuserstoauthenticatewithAdobeenterpriseofferingsusingtheirexistingidentitymanagementsystemsviaintegrationwithSingleSign-On(SSO)enabledidentitymanagementsystems.SingleSign-OnisenabledusingSAML,anindustry-standardprotocolwhichconnectsenterpriseidentitymanagementsystemstocloudserviceproviderslikeAdobe.SSOcansecurelyexchangeauthenticationinformationbetweentwoparties:theserviceprovider(Adobe)andyourIdentityProvider(IdP).TheserviceprovidersendsarequesttoyourIdP,whichattemptstoauthenticatetheuser.Afterauthentication,theIdPsendsaresponsemessagetosigntheuserin.Fordetailedinstructions,seeConfigureSingleSign-On.PlanAdobeoffersthefollowingidentitytypes:EnterpriseID: Organizationcreatesandownsaccount.Theaccountsarecreatedonaclaimeddomain.Adobemanagescredentialsandprocessessign-in.FederatedID: Organizationcreatesandownsaccount,linkswithenterprisedirectoryviafederation,enterprisecompany,orschoolmanagescredentialsandprocessessign-inviaSingleSign-On.BusinessID:Userororganizationcancreateaccountsonanypublicallyavailabledomain.Organizationownsaccountandassets.Adobemanagescredentialsandprocessessign-in.AdobeID:Usercreatesandownsaccount.Adobemanagescredentialsandprocessessign-in.Yes,youcanhaveamixofEnterpriseIDs,FederatedIDs,andAdobeIDs,butnotwithinthesameclaimeddomain.EnterpriseIDandFederatedIDareexclusiveatthedomainlevel.Therefore,youcanchooseonlyoneofthem.YoucanuseAdobeIDinconjunctionwitheitherFederatedIDorEnterpriseID.Forexample,ifanEnterpriseclaimsonlyonedomain,theITAdministratorcanchooseeitherEnterpriseIDorFederatedID.IfanorganizationclaimsmultipledomainswithinanEnterprise,theITAdministratorcanuseonedomainwithAdobeIDsandEnterpriseIDs,andanotherdomainwithAdobeIDsandFederatedIDs,andsoon.Thatmeans,foreachdomain,youcaneitherhaveEnterpriseIDorFederatedIDalongwithAdobeID.ManagementofAdobelicensesunderFederatedIDisfaster,easier,andmoresecure.ITadministratorscontrolauthenticationandtheuserlifecycle.Whenyouremoveauserfromtheenterprisedirectory,theusernolongerhasprivilegestoaccessthedesktopapps,services,ormobileapps.FederatedIDsalloworganizationstoleverageuseridentitymanagementsystemsalreadyinplace.Becauseyourend-usersuseyourorganization'sstandardidentitysystem,ITdoesn'thavetomanageaseparatepasswordmanagementprocess.Whensigningin,yourendusersareredirectedtoyourorganization'sstandard–andfamiliar–SingleSign-Onexperience.Yes.YoucanswitchoverfromEnterprisetoFederatedIDsusingthesamedomain.Fordetails,seehowtomovedomainacrossdirectories.Yes,youcanfederateyourenterprisedirectoryanditsloginandauthenticationinfrastructurewithAdobeusingyourSAML2.0compliantidentityprovider.No.WhenadomainisclaimedforFederatedIDs,nothingchangestoexistingAdobeIDswithemailaddressesinthatdomain.ExistingAdobeIDsintheAdminConsole arepreserved.AssetMigrationisanautomatedprocess.Whenyouinitiatethisprocess,allthesupportedcontentthatiscurrentlystoredinyourAdobeIDaccountismigratedtoyourEnterprise/FederatedIDaccount.Tolearnmore,see AutomatedAssetMigration.Adobe’sFederatedIDimplementationsupportsauthorization;authenticationishandledbyyourIdentityProvider(IdP).Asanenterpriseorganization,youcancreatealinkbetweenyourauthenticationservices(utilizingacorporateIDstructuresuchasActiveDirectory)andAdobe's.Thisallowstheenterpriseorganizationtohosttheauthentication.AdobeneverstorespasswordsandITadministratorscannotresetpasswordsoreditusernamesforFederatedIDsviatheAdobe AdminConsole.Yes,viatheImportUsersfunctionalityavailablefromwithintheAdobeAdminConsole.Formoreinformation,seeAddingmultipleusers.No.Adobeinterfaceswithyouridentityproviderandnotdirectlytoyourenterprisedirectory.However,wesupportimportinguserandgroupinformationfromyourenterprisedirectoryintotheAdobeAdminConsole.Formoreinformation,seeAddingmultipleusers.AdoberecommendsthatallenterpriseadminsswitchtheirAdobeIDuserstoFederatedIDs.YoucanmigratefromAdobeIDstoFederatedIDsusingthesesteps.Adobeusesthesecureandwidelyadoptedindustrystandard SecurityAssertionMarkupLanguage(SAML),whichmeanstheimplementationofSSOintegrateseasilywithanyidentityproviderthatsupportsSAML2.0.FollowingisalistofsomeIdPsthatareSAML2.0compliant:OktaOracleIdentityFederationMicrosoftADFSMicrosoftAzureAD#GoogleFederation# PingFederateSalesforceIdPwithexternallysignedcertificateCAFederationForgeRockOpenAMShibbolethNetIQAccessManagerOneLoginNovellAccessManagerNote:#IfyouridentityproviderisMicrosftAzureADorGoogle,youcanskiptheSAML-basedmethodandusetheAzureADConnector ortheGoogleFederationSSOtosetupSSOwiththeAdobeAdminConsolerespectively.ThesesetupsareestablishedandmanagedusingtheAdobeAdminConsoleanduseasyncmechanismtomanageuseridentitiesandentitlements.Yes,aslongasitfollowstheSAML2.0protocol.YesandtheidentityprovidermustbeSAML2.0compatible.Ataminimum,yourSAMLidentityprovidermusthave:IDPCertificateIDPLoginURLIDPBinding:HTTP-POSTorHTTP-RedirectTheAssertionConsumerServiceURLoftheIDPanditmustbeabletoacceptSAMLrequestsandRelayState.Checkwithyouridentityproviderifyouhavefurtherquestions.No,breakinga2048-bitcertificatehasneverbeendone.And,theonlypeopletohaveeversuccessfullycrackedevena768-bitcertificate(theLenstragroup),estimateditwouldhavetakenthemover1000yearswiththesamehardwaretocrackevena1024-bitcertificate(afeatroughly32,000,000timeseasierthancrackinga2048-bitcertificate).Ifyouwanttogetthelatestgeekydataaboutestimatesforcrackingcertificatesofvariouslengths,gotothiswebsite.Forafun(accuratebutmarketing-oriented)pictureofhowsecurethesecertificatesare,gotothiswebsite(oritsbackingmathwebsite).No,thatlimitisonthecertificatesusedtoencodethecommunicationpipebetweenthebrowserandtheserver.WhereastheseIdPcertificatesareusedtosign(notencode)thedatabeingpassedthroughthatencodedpipe.Thebrowserneverseesthesecertificates:theyareonlyusedbetweenAdobeandthecustomer’sIdP.Youcangetgood,commercial-grade2048-bitcertificatesforabout$10/yearoflife.And,thecertificatesusedbyIdPscanbeself-signed,whichmeanstheycanbegeneratedwithopen-sourcesoftwareforfree.No,becausetherearetwootherlayersofstrongencryptionwhichchecktheIdP’sidentity,thatyou'dhavetocrackbeforeyoucouldposeastheIdP.And,bothoftheseotherlayersarenotself-signed.Meaning,thatyouwouldhavetocracknotonlythecertificatethatenforcestheencryptionbutthecertificateofthesignerthatgeneratedthatcertificate.Foryourpremiumsupportphonenumberandemailaddress,seetheWelcomeemailandPDFattachmentthatwassenttoyouraccountadministrator.ThesameURLendpointmaybeusedformultipledirectories.However,thefederationmetadatawillbemanagedseparatelyforeachIdP.So,thecommonIdPendpointwillneedtohandlerequestswhosecontentisdifferent.Yes,iftheSAMLintegrationofthedirectoryusesusernameformatandtheusernamesontheAdminConsoleareidenticaltothepersistentIDsprovided.However,thiswouldrequirethatthepersistentIDsmustbeavailableatthetimeusersaresync’dintotheAdminConsole.Thisisnotacommonscenarioandhence,inpractice,persistentformatfortheNameIDelementwouldnotbesupported.No.TheNameIDelementvalueisusedastheusernameontheAdminConsole;theNameQualifierisignored.Thefirstname,lastname,andemailassertionforeachuseraremandatory.However,theydonothavetomatchthedatainthedirectory,buttheemailmustbeuniqueforeachuser.Yes.AdobesupportsSHA256certificates.Fordetails,seeSetupidentity.Yes.YouwillneedtogivetheCA-signedcertificatestoAdobecustomersupportandwewilluploaditforthem.Toproceed,signintothe AdminConsole, navigateto Support>SupportSummaryandclickCreateCase.Formore,seehowtocreateandmanagesupportcases.Bydefault,Oktacertificatesareself-signed.Byexception(andpossiblyforafee)theycanhavethecertificatesignedbyapublicCAinstead.HowtoFordetailedinstructions,seeConfiguresinglesign-ontosetupSSOwithAdobedesktopapps,services,andmobileapps.No.SendingnotificationstoendusersviatheAdminConsole isnotsupported.Asanenterprisecustomer,youneedtodistributeyourownannouncementsafterusersarereadytobeginwithSSOwithAdobesoftwareandservices.No, Ifyouremoveordisableauser/IDfromyourenterprisedirectory,theuser/IDisnotremovedordisabledfromtheAdobeAdminConsoleautomatically.However,theuserisnolongerentitledandcannotsignintotheAdobeCreativeClouddesktopapps,services,mobileapps,orAcrobatDCapps.Youneedtomanuallyremovetheuser/IDfromtheAdminConsole.Yes,youneedtousetheAdobeAdminConsole tomanageusers,groups,andentitlements.Note,however,thatonceyoucreategroupsintheAdminConsole,youcanuploadaCSVfileincludingbothuserandgroupinformation.Thiscreatestheuseraccountandplacestheminthedesignatedgroup.No,youcannotresetpasswordsforFederatedIDsusingtheAdobeAdminConsole.Adobedoesnotstoreusercredentials.UseyourIdentityProviderforusermanagement.Commonquestions:DirectorysetupFindanswerstoyourquestionsrelatedtodirectorymigration toanewauthenticationproviderandupdatingadeprecatedSAMLsetup.Beforeyoustart,ensureyoumeettheaccessrequirementstobeabletofollowtheprocedurefor migratingtoadifferentidentityprovider or updatingadeprecatedSAMLsetup.Also,considerthefollowingpointstoensureaseamlessanderror-freemigrationforyourorganization'sdirectories:AdminsmustcreateanewSAMLappontheirIdPsetuptoconfigure.Iftheyedittheexistingapp,itwillrewriteanyactiveexistingconfiguration,incurdowntime,andnullifytheabilitytoswitchbetweenavailableIdP’sintheAdobeAdminConsole.Adminsmustensureallrequiredusersareassignedto,orcanuse,thenewly-createdSAMLapp.AdminsmustensuretheusernameformatforthenewauthenticationprofileintheirIdPmatcheswhatisusedbytheexistingprofileforuserlogin.TheycanusetheTestfeatureprovidedontheauthenticationprofiletoverify.ThisTest linkcanbecopiedtoclipboardandshareitwithotherstovalidatefromtheirmachines.Adminsshouldtestthenewly-addedIdPpriortoactivationwith2to3activeaccountsofthedirectory.Errorlogswillnotbeavailableforthesefeatures.However,theTestworkflowallowstheAdmintovalidaterelevanterrorspriortoactivation. Limitationstoconsiderinclude: Onedirectorycanhaveuptotwoauthenticationprofiles,andboththeprofilesshouldbefordifferentauthenticationtypes. ThismeansMicrosoftAzureAD(whichusesOpenIDConnect)canstaywithOtherSAMLproviders,butGoogle(whichitselfusesSAML)cannotstaywithOtherSAMLprovidersinthesamedirectory. Thisfeaturedoesnotallowadminstomigratetheiridentityprovidertoenabledirectorysyncfunctionality(AzureADConnectorandGoogleConnector).AlthoughcustomersmigratingtoMicrosoftAzureorGoogleastheirIdPcanutilizeadifferentformofusermanagementstrategy.Tolearnmore,seeAdobeAdminConsoleusers.MorelikethisDeploymentPlanningLicensingIdentitymanagementUsersSetupidentityUsergroupsSignintoyouraccountSigninManageAccountQuickLinksViewyourappsManageyourplansLegalNotices   |   OnlinePrivacyPolicyEnterprise&Teams<SeeallappsLearn&SupportGetStartedUserGuideAsktheCommunityPostquestionsandgetanswersfromexperts.AsknowContactUsRealhelpfromrealpeople.Startnow^ BacktotopLanguageNavigationLanguageNavigationChooseyourregionSelectingaregionchangesthelanguageand/orcontentonAdobe.com.AmericasBrasilCanada-EnglishCanada-FrançaisLatinoaméricaMéxicoUnitedStatesAsiaPacificAustraliaHongKongS.A.R.ofChinaIndia-EnglishNewZealandSoutheastAsia(IncludesIndonesia,Malaysia,Philippines,Singapore,Thailand,andVietnam)-English中国中國香港特別行政區台灣地區日本한국Europe,MiddleEastandAfricaAfrica-EnglishBelgië-NederlandsBelgique-FrançaisBelgium-EnglishČeskárepublikaCyprus-EnglishDanmarkDeutschlandEestiEspañaFranceGreece-EnglishIrelandIsrael-EnglishItaliaLatvijaLietuvaLuxembourg-DeutschLuxembourg-EnglishLuxembourg-FrançaisMagyarországMalta-EnglishMiddleEastandNorthAfrica-EnglishNederlandNorgeÖsterreichPolskaPortugalRomâniaSchweizSlovenijaSlovenskoSuisseSuomiSvizzeraTürkiyeUnitedKingdomБългарияРоссияУкраїнаالشرقالأوسطوشمالأفريقيا-اللغةالعربيةישראל-עבריתSverige
helpx.adobe.com - Pages
Hot Host
Quickly calculate the estimated worth of your page and build reports as table.Youtube Video Analyticssitemap