Confused about sso federation

Community Beginner, Jan 13, 2021

Hey, so I have a federated domain attached to the admin console. We can currently single sign on. I believe this was set up through AD Connect but not sure as it was done by a previous person.

The workflow was to create a user in admin console and then single sign on will work with their active directory login.

When I try to enable sync, it wants me to go to Azure and set up a sync source. I can follow the instructions, but we already have an item in there called "adobe identity management". I can see users authenticating to this when I use the activity -> sign ins. This application has the id of 6aba272b-e383-44cd-8eda-34c66dfd9546

When I get to the provisioning part, the application says:

Out of the box automatic provisioning to Adobe Identity Management is not supported today. Ensure that Adobe Identity Management supports the SCIM standard for provisioning and request support for the application as described here.

But I can add another application with the same exact name (adobe identity management), but the ID is bc3b7bb4-c5f4-4ce0-9345-12a8fbd56c36. This has a working provisioning section.

My end goal is to get a bunch of users to sync up to Creative Cloud so that they can log in using a shared device license. They still appear to need an Adobe account, even though the computer has a shared device license. This is all different from the last time I did it and now I am super confused.

Can I set up a parallel sync with the new connector? What should I do here and why is this happening?

Was following this guide:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/adobe-identity-management-provisio...

 

Under authentication, it says "azure ad OIDC". The domains are there, but the sync section is blank.

 

I also read this article here: https://helpx.adobe.com/enterprise/using/azure-ad-connector-faq.html

Which says:

If you have a functioning Azure AD Connector in place, we recommend that you keep your current setup. A self-service migration feature will allow you to migrate to the new version of the Azure Sync.

We strongly recommend you to keep your Azure AD Connector setup until the self-serve migration is available. Migrating to the new Azure Sync now might disrupt services and result in loss of assets for your users.

So I need to add 60 users this week and I really don't want to do it manually. I assume they will work and be created as federated users, but again this is a manual process which sucks. Can I use two "adobe identity management" enterprise applications at the same time? Or will it break everything?

 

Topics: Admin console, Identity and SSO

Correct answer

Adobe Employee, Jan 14, 2021

Hello,

You need to set up a new SAML app with Adobe Identity Management which will sync the users to the Adobe admin console. It seems that the setup is not configured properly and I would recommend contacting the support team, who would be able to check the settings and will correct them for you. You can check this article for more details: https://helpx.adobe.com/enterprise/admin-guide.html/enterprise/using/add-azure-sync.ug.html

Community Beginner, Jan 26, 2021

How the heck are you able to see my real name? I can't see it anywhere on my profile. What the hell.

Adobe Employee, Jan 28, 2021

Hi there,

Sorry about that. Adobe Employees review the email address you have utilized to post here to understand the type of entitlement or contract you have purchased in order to help you better.

Our friend here might have seen the name on your profile and posted it here accidentally; I have edited and removed it for now.

I hope you understand, and we are sorry for the inconvenience.

New Here, Oct 08, 2021

Just as a short addition since I got confused similarly when migrating from the legacy Azure AD integration to SCIM provisioning: If you have configured Azure AD integration with SCIM provisioning you will see 2 enterprise applications called "Adobe Identity Management" in your Azure AD tenant.

 

Since I have switched 2 instances / customers to SCIM provisioning I have asked Adobe support why there were 2 enterprise applications with the same user-facing name, but not the same options. Here is the translated answer I got from Adobe support (in my native language):

  • Adobe Identity Management with a white background and a red Adobe logo is only used for the SCIM sync. It also shows a SAML connection, but it isn't used and doesn't need to be configured. (which by the way has the already-mentioned App ID 6aba272b-e383-44cd-8eda-34c66dfd9546)
  • Adobe Identity Management with a red background and a white Adobe logo is being used for Open ID Connect (OIDC). Configuring SCIM sync on this app is not possible as mentioned by the original poster.

TL;DR: You need both apps, and (as of writing) they are named the same, but fulfill different purposes if I understood it correctly.

Also: Based on my experience with 2 instances that I have migrated to SCIM sync, the app ID of the OIDC app is different at least for each AAD tenant.

Community Beginner, Aug 16, 2022

Just to update, we finally went whole hog with this. Wanted to get it straight because I keep confusing myself.

Adobe Identity Management OIDC = only used for login auditing (can see sign-ins under sign in logs)

Adobe Identity Management = Assign users to product by assigning groups or users, then waiting 40 minutes for the sync job to run.

A bonus was I was able to use the groups I created in AAD to assign products in Adobe console. So now they automatically get a license assigned when they are part of that group! Neat.
