Hey, so I have a federated domain attached to the admin console. We can currently single sign on. I believe this was set up through AD Connect but not sure as it was done by a previous person.
The workflow was to create a user in admin console and then single sign on will work with their active directory login.
When I try to enable sync, it wants me to go to Azure and set up a sync source. I can follow the instructions, but we already have an item in there called "adobe identity management". I can see users authenticating to this when I use the activity -> sign ins. This application has the id of 6aba272b-e383-44cd-8eda-34c66dfd9546
When I get to the provisioning part, the application says:
Out of the box automatic provisioning to Adobe Identity Management is not supported today. Ensure that Adobe Identity Management supports the SCIM standard for provisioning and request support for the application as described here.
But I can add another application with the same exact name (adobe identity management), but the ID is bc3b7bb4-c5f4-4ce0-9345-12a8fbd56c36. This has a working provisioning section.
My end goal is to get a bunch of users to sync up to Creative Cloud so that they can log in using a shared device license. They still appear to need an Adobe account, even though the computer has a shared device license. This is all different from the last time I did it and now I am super confused.
Can I set up a parallel sync with the new connector? What should I do here and why is this happening?
was following this guide:
Under authentication, it says "azure ad OIDC". The domains are there, but the sync section is blank.
I also read this article here: https://helpx.adobe.com/enterprise/using/azure-ad-connector-faq.html
If you have a functioning Azure AD Connector in place, we recommend that you keep your current setup. A self-service migration feature will allow you to migrate to the new version of the Azure Sync. We strongly recommend you to keep your Azure AD Connector setup until the self-serve migration is available. Migrating to the new Azure Sync now might disrupt services and result in loss of assets for your users.
So I need to add 60 users this week and I really don't want to do it manually. I assume they will work and be created as federated users, but again this is a manual process which sucks. Can I use two "adobe identity management" enterprise applications at the same time? Or will it break everything?
You need to set up a new SAML app with Adobe Identity management which will sync the users to the Adobe admin console. It seems that the setup is not configured properly and I would recommend contacting the support team who would be able to check the settings and will correct them for you. You can check this article for more details: https://helpx.adobe.com/enterprise/admin-guide.html/enterprise/using/add-azure-sync.ug.html
How the heck are you able to see my real name? I can't see it anywhere on my profile. What the hell.
Sorry about that, Adobe Employees review the email address you have utilized to post here to understand the type of entitlement or contract you have purchased in order to help you better.
Our friend here might have seen the name on your profile and posted it here accidentally, I have edited and removed it for now.
I hope you understand, and we are sorry for the inconvenience.
Just as a short addition since I got confused similarly when migrating from the legacy Azure AD integration to SCIM provisioning: If you have configured Azure AD integration with SCIM provisioning you will see 2 enterprise applications called "Adobe Identity Management" in your Azure AD tenant.
Since I have switched 2 instances / customers to SCIM provisioning I have asked Adobe support why there were 2 enterprise applications with the same user-facing name, but not the same options. Here is the translated answer I got from Adobe support (in my native language):
TL;DR: You need both apps, and (as of writing) they are named the same but fulfill different purposes, if I understood it correctly.
Also: Based on my experience with 2 instances that I have migrated to SCIM sync, the app ID of the OIDC app is different at least for each AAD tenant.
Just to update, we finally went whole hog with this. Wanted to get it straight because I keep confusing myself.
Adobe Identity Management OIDC = only used for login auditing (can see sign-ins under sign in logs)
Adobe Identity Management = Assign users to product by assigning groups or users, then waiting 40 minutes for the sync job to run.
A bonus was that I was able to use the groups I created in AAD to assign products in the Adobe console. So now they automatically get a license assigned when they are part of that group! Neat.