Configure Adobe Experience Manager 6.x Assets for Adobe Asset Link

Applies to enterprise.

Learn how to configure Adobe Experience Manage (AEM) Assets for use with the Adobe Asset Link (AAL) extension for Creative Cloud applications.

Adobe Asset Link streamlines collaboration between creatives and marketers in the content creation process. It connects Adobe Experience Manager Assets with Creative Cloud desktop apps Adobe InDesign, Adobe Photoshop, and Adobe Illustrator. The Adobe Asset Link panel allows creatives to access and modify content stored in AEM Assets without leaving the creative apps they are most familiar with.

Note:

See instructions to configure Adobe Experience Manager Assets as a Cloud Service, if you are using that offering.

To configure Experience Manager Assets to be used with Asset Link, implement the following tasks. Use Experience Manager administrator account to do the configuration.

  1. Install packages as required. Details are in prerequisites.

  2. Configure Experience Manager either manually or using a package.

  3. Manage user access control to map Creative Cloud licensed users with Experience Manager users.

Prerequisites and support for various functionalities

Ensure that you install the appropriate service pack and package as necessary. See the following requirements for each AEM version and for specific AEM capabilities.

Assets capability

AEM version and requirements for support

Asset Link works by default

  • AEM 6.5 and AEM 6.5.2 or later.
  • AEM 6.4.4 and AEM 6.4.6 or later.

Adobe recommends installing the latest AEM service pack (SP) before using AAL.

Asset Link works after installing a package

For AEM 6.4.0-6.4.3, install adobe-asset-link-support package.

Adobe Stock integration

AEM 6.4.2 or later

Visual or Similarity search

AEM 6.5.0 or later

Configure Experience Manager using the configuration package

Adobe recommends that you install adobe-asset-link-config configuration package to automate most of the configuration tasks, followed by a few manual tasks. Alternatively, you can configure manually.

Caution:

If your AEM instance is configured for user login with Adobe IMS accounts, do not use the configuration package. Instead, manually configure AEM.

  1. To open Package Manager, in AEM web interface, access Tools > Deployment > Package Share. Install adobe-asset-link-config package.

  2. Access Tools > Operations > Web Console. Locate Adobe Granite OAuth IMS Provider configuration. Click  to edit it. Set the following properties and save the changes.

    Property Name

    Value

    Group Mappings

    Leave empty unless desired. For details, see Group Mapping.

    Organization

    Enter the organization ID you are using in the Adobe Admin Console. For more information about organization IDs, see Create user group.

  3. Locate Adobe Granite Bearer Authentication Handler configuration, and click  to edit it.

    Add InDesignAem2 Client IDs to the Allowed OAuth client ids configuration property.

Manually configure AEM

Manually configure AEM if you choose not to use a configuration package or if your AEM deployment is configured to support user login with Adobe IMS accounts. To configure manually, follow these steps.

  1. To access the configuration manager, access Tools > Operations > Web Console. Select OSGi > Configuration from the menu at the top.

  2. Locate the Adobe Granite OAuth IMS Provider configuration and click  to edit it. Set the following configuration and click Save.

    Property Name

    Value

    Authorization Endpoint

    https://ims-na1.adobelogin.com/ims/authorize/v1

    Token Endpoint

    https://ims-na1.adobelogin.com/ims/token/v1

    Profile Endpoint

    https://ims-na1.adobelogin.com/ims/profile/v1

    Validation URL

    https://ims-na1.adobelogin.com/ims/validate_token/v1

    Organization

    Set to the organization ID in the Adobe Admin Console.

    Group Mappings

    Leave empty unless you have a special case. For details, see Group Mapping.

  3. Locate Adobe Granite Bearer Authentication Handler configuration, and click  to edit it.

    Add the following Client IDs to the Allowed OAuth client ids configuration property: InDesignAem2, cc-europa-desktop_0_1, cc-europa-desktop_1_0, cc-europa-desktop_2_0, cc-europa-desktop_3_0, cc-europa-desktop_4_0, cc-europa-desktop_5_0, cc-europa-desktop_6_0, cc-europa-desktop_7_0, cc-europa-desktop_8_0, cc-europa-desktop_9_0, and cc-europa-desktop_10_0.

    To add each Client ID, click +. Click Save after adding all IDs.

  4. In Adobe Granite OAuth Application and Provider configuration, inspect the existing Adobe Granite OAuth Authentication Handler instances. If you locate an instance with the Config ID value of ims, use it for the instructions in this procedure. Otherwise, click + to create a configuration instance. Set the following property values and click Save.

    Property Name

    Value

    Client ID

    Do not change

    Client Secret

    Do not change

    Config ID

    ims

    Scope

    AdobeID, OpenID, read_organizations (other values may also be in the configuration)

    Provider ID

    ims

    Create users

    Checked (true)

    User ID Property

    Email for newly created configuration. Otherwise, do not change.

  5. Locate the Apache Jackrabbit Oak Default Sync Handler configuration with the Sync Handler Name ims and click  to edit it.

    Set the following configuration properties, and click Save.

    Property Name

    Value

    User Expiration Time and User Membership Expiration

    Time in minutes following by 'm' without space. For example, 15m for fifteen minutes. For details, see Group Mapping.

    User auto membership

    Do not change

    User Dynamic Membership

    Deselected (false)

  6. Locate the Adobe Granite OAuth Authentication Handler configuration and click  to edit it. Without making any changes, click Save.

  7. To adjust the relative priority of the bearer authentication handler, in CRXDE, navigate to /apps/system/config. Locate com.adobe.granite.auth.oauth.impl.BearerAuthenticationHandler.config and open its configuration. At the end, add service.ranking=I"-10". Save the changes.

    Note:

    Each request authenticated with a bearer token incurs the overhead of three calls to Adobe IMS, user syncing, and the creation of a login-token in AEM. To overcome this overhead, Adobe Asset Link captures the login-token returned in the response from AEM and sends it with subsequent requests. For this process to work, the relative priority of the bearer authentication handler must be adjusted.

  8. (Optional) If AEM users have uppercase or mixed case domain names in their email IDs, select Change Locking User to Lower Case in Adobe Granite ACP Platform Configs in AEM Web Console.

Additional configuration after migration to Business Profiles

Adobe Asset Link users are able to connect to Experience Manager to allow IMS login from the main Creative Cloud for Enterprise (CCE) org. Experience Manager uses the client IDs to identify the permitted IMS organization. After migration to Business Profiles, it is required to configure the Client ID and Secret Key for the IMS org in Experience Manager for the Bearer Authentication Handler. For more information on Business Profiles, see introducing Adobe Profiles.

Additional configuration is required only if you are using different Adobe IMS organizations for Experience Manager and Creative Cloud for Enterprise (CCE), and a domain trust relationship is established between these two organizations.

Note:
  • The fix for Business Profiles is provided in Experience Manager 6.5.11.0 and extended fix in Experience Manager 6.4.8.4.
  • The existing configuration continues to work if you are using the same Adobe  IMS orgganization with Experience Manager and CCE.

Prerequisites    

  1. An up and running Experience Manager instance with Bearer Authentication configured for AAL.

  2. If you are on Experience Manager 6.4, upgrade to Experience Manager 6.4.8.4.
    If you are on Experience Manager 6.5, upgrade to Experience Manager 6.5.11.0.

  3. (Only for Experience Manager 6.4) Contact Customer Support to get the extended fix pack (EFP) for migration to Business Profiles. Install the EFP on your Experience Manager instance.

  4. Contact Customer Support to get the Client ID and Secret Key for Bearer Authentication of your IMS org.

 

Following are the additional configurations that are required after migration to Business Profiles:

  1. In Adobe Granite OAuth IMS Configuration Provider, set: 

    • OAuth Configuration ID (oauth.configmanager.ims.configid): ims (Verify once, you may have it already configured)

    • IMS Owning Entity (ims.owningEntity): Your IMS org id

  2. Open Bearer Authentication Handler configuration and add the Client ID obtained from Customer Support to the list of Allowed OAuth client ids.

  3. Open Adobe Granite OAuth Application and Provider configuration and add the Client ID and Client Secret (Secret Key) obtained from Customer Support.

    Ensure that the Config ID field (oauth.config.id) contains the same value as provided in OAuth configuration ID field (oauth.configmanager.ims.configid) above.

  4. Open Adobe Granite IMS Cluster Exchange Token Preprocessor configuration and set it to enable.

Manage user access control on AEM repository

This section describes how to manage users and their access to the AEM repository.

Group Mapping

Group mapping determines how groups in AEM correspond to groups in Adobe IMS. It plays an important role in how Adobe Asset Link users are granted permission to access AEM Assets.

When used with Adobe Asset Link, AEM delegates user management functions to Adobe IMS. AEM automatically creates users and groups that correspond to users and groups in Adobe IMS. In addition, AEM synchronizes users, groups, and group membership in AEM to match the ones in Adobe IMS.

For example, consider a scenario where Adobe Asset Link users are members of the Adobe IMS group assetlink-users. In this case, a synchronized group named assetlink-users is created in AEM when a user from that Adobe IMS group connects to Adobe Asset Link for the first time. Each new user in the Adobe IMS group is added to that corresponding group in AEM when they connect to AEM through Adobe Asset Link for the first time.

Groups in AEM that correspond to and are synchronized with groups in Adobe IMS can be granted access directly or by making them a member of another group in AEM. Here is an example of how permissions can be managed.

Group Examples
Example of group mapping in AEM and Adobe IMS

The following rules apply to group mappings in AEM:

  • Ensure that the Group Mappings property in Adobe Granite OAuth IMS Provider configuration is blank.
  • Adobe Asset Link user group membership is evaluated when the user authenticates and the time period in User Expiration Time property in Apache Jackrabbit Oak Default Sync Handler configuration has elapsed. Currently, users can be added to and removed from groups in AEM to synchronize with what is found in Adobe IMS.
  • Avoid group name conflicts. Ensure that the names used for groups created in Adobe IMS (to manage users) are different from all AEM system group names.
    For example, make sure that they are different from the dam-users group and the groups created by the AEM administrator.
    An Adobe IMS group whose name conflicts with the name of an AEM system group or manually created group are not used to control user permissions.
  • If an Adobe IMS user connects to an AEM instance, on which the user's name conflicts with a previously created AEM user, the Adobe IMS user is given another name with numbers added to make it unique.

Setup first-time access control

Users who connect through Adobe Asset Link can only view and interact with assets after they are granted the required permission. The Group Mapping section above discusses how are user groups created in AEM, which correspond to and are synchronized with user groups in your organization within Adobe IMS. It is recommended that the AEM administrators use these groups to manage access control for Adobe Asset Link users.

For each AEM group that is synchronized with an Adobe IMS group (which is used to manage user access control):

  1. Ensure that the group has a member that can be used for an initial connection from Adobe Asset Link.

  2. Use that user to log in to Adobe Asset Link, and connect to AEM. This connection is expected to fail.

  3. In AEM, locate the group that corresponds to the group in Adobe IMS, and grant it the desired access control. For example, the new group is made a member of the dam-users group.

  4. Close Adobe Asset Link and restart the Creative Cloud application.

  5. To verify that the user has the expected access, reopen Adobe Asset Link.

Once these steps are performed, other users in the same group can connect to AEM with Adobe Asset Link in their first attempt. They automatically have the same permissions as the other users in the group.

Adobe Asset Link users are able to connect with AEM when they are signed in to their Creative Cloud application. This authentication uses Adobe IMS technology and creates user information in AEM, if it does not exist. It is common for AEM enterprise customers to manage their users with an external identity provider that is integrated with AEM. Identity providers include Adobe IMS and other products that use the SAML and LDAP protocols. Alternatively, users can be created and managed locally in AEM.

Users who connect to AEM from Adobe Asset Link have no conflict with existing user information stored in AEM from previous direct sign-in, if:

  • All user names used for direct sign-in to AEM are different from user names used in Adobe IMS for Creative Cloud sign-in.
  • Adobe IMS is used as the identity provider for direct AEM sign-in.
  • Users connects to AEM from Adobe Asset Link before direct AEM sign-in with the same account.

On the other hand, the user information created as a result of direct AEM sign-in must be updated to work with Adobe Asset Link, in the following scenarios:

  • The same user name, such as the user’s Email address, is used for both—the account in Creative Cloud, which uses Adobe IMS, and the account in an external identity provider other than Adobe IMS.
  • The same user name is used for both—the account in Creative Cloud and a local AEM account.
  • The Creative Cloud accounts in Adobe IMS are Federated IDs, which are served by the same external identity provider that is integrated with AEM for direct sign-in.

AEM users created through these scenarios do not have a property that is required for users, which are synchronized with Adobe IMS. To update such users in AEM to work with Adobe Asset Link:

  1. In the AEM web console, locate Apache Jackrabbit Oak External PrincipalConfiguration configuration and click  to edit it. Deselect the External Identity Protection check box, and click Save.

  2. To access User Management interface of AEM, navigate to Tools > Security > Users. Select the user you want to update, then make a note of the end of your browser’s URL path for that user, starting with /home/users. Alternatively, you can search for the user name using AEM CRXDE. The user path looks something like /home/users/x/xTac082TDh-guJzzG7WM.

  3. Use AEM CRXDE to navigate to the user path, select the user node, and view the properties of the node by selecting the Properties tab in the lower-middle area. This node has a jcr:primaryType property value of rep:User.

  4. At the bottom of the Properties tab area enter a Name value of rep:externalId, Type value of String, and a Value value of <rep:authorizableId>;ims, where <rep:authorizableId> is the value of the rep:authorizableId property of the node. (A semicolon is used with no spaces to separate the rep:authorizableId value from ims.)

  5. Click the Add button to the right of your new entry, and then click Save All in the upper left corner of the browser window, or press Command + S / Ctrl + S.

  6. Repeat steps 2 through 5 for any other users you want to upgrade to work with Adobe Asset Link.

  7. With the AEM web console, locate Apache Jackrabbit Oak External PrincipalConfiguration configuration and click  to edit it. Deselect the External Identity Protection check box, and click Save.

    Note:

    If the services are not restored in a few minutes, restart AEM to allow successful authentications.

After this change, an updated AEM user can connect with Adobe Asset Link and continues to be able to use the method of direct sign-in to AEM that was used before the update. On successful authentication with Adobe IMS, the AEM user profile information is synchronized with the user profile in Adobe IMS.

There is a method by which a bulk migration of multiple AEM users can be performed to enable them to work with Adobe Asset Link. Contact Adobe Care for more information and assistance with enabling this option.

As an alternative to the steps, in certain circumstances, an Adobe Asset Link user may be provided quick access to AEM. These are cases where the pre-existing user information is found and deleted with AEM User Management or AEM CRXDE prior to their connection with Adobe Asset Link. New user information is created in AEM following the connection. Use this approach only if you are certain that there is no important data that is added as a child of the user node. Such extra data is any node that is the child of the user node other than tokens, preferences, profile, profiles, profiles/public, and rep:policy/* nodes.

Auto-start workflow to process assets conditionally

In Experience Manager 6.4 and Experience Manager 6.5, the administrators can configure workflows to automatically execute and process assets based on pre-defined conditions.

This configurations is useful for line-of-business users and marketers, for example, to create a custom workflow on a few specific folders. Say all assets from an agency's photoshoot can be watermarked or all assets uploaded by a freelancer can be processed to create specific renditions.

For more information and for Experience Manager configuration, see auto-execute workflow on assets.

Generate For Placement Only renditions for Adobe InDesign

When placing large-sized assets from AEM into Adobe InDesign documents, a creative professional must wait for a substantial time after they place an asset. Meanwhile, the user is blocked from using InDesign. This interrupts creative flow and negatively impacts the user experience. Adobe enables temporarily placing small-sized renditions in InDesign documents to begin with. When the final output is required, say for print and publishing workflows, the original, full-resolution assets replace the temporary rendition in background. This asynchronous update in the background speeds up the design process to enhance productivity and doesn't hinder the creative process.

AEM provides renditions that are used for placement only (FPO). These FPO renditions have a small file size but are of the same aspect ratio. If an FPO rendition is not available for an asset, Adobe InDesign uses the original asset instead. This fallback mechanism ensures that the creative workflow proceeds without any breaks.

Approach to generate FPO renditions

AEM allows many methods to process images that can be used to generate the FPO renditions. The two most common methods are to use in-built AEM workflows and to use ImageMagick. Using these two methods, you configure rendition generation of newly uploaded assets and of the assets that exist in AEM.

You can use ImageMagick to process images, including to generate FPO renditions. Such renditions are downsampled, that is, the pixel dimensions of the rendition are proportionally reduced if the original image has PPI larger than 72. See install and configure ImageMagick to work with AEM Assets.

 

Using AEM's in-built workflow

Using ImageMagick workflow

Remarks

For new assets

Enable FPO rendition (help)

Add ImageMagick command-line in AEM workflow (help)

AEM executes the DAM Update Assets workflow for every upload.

For existing assets

Enable FPO rendition in a new, dedicated AEM workflow (help)

Add ImageMagick command-line in a new, dedicated AEM workflow (help)

FPO renditions of the existing assets can be created on-demand or in bulk.

Caution:

Create the workflows to generate renditions by modifying a copy of the default workflows. It prevents your changes from being overwritten when AEM is updated, say by installing a new service pack.

Generate renditions of new assets using AEM workflow

To configure DAM Update Asset workflow model to enable rendition generation, follow these steps:

  1. Click Tools > Workflow > Models. Select DAM Update Asset model and click Edit.

  2. Select Process Thumbnails step and click Configure.

  3. Click FPO Rendition tab. Select Enable FPO rendition creation.

    Enable FPO rendition creation in Process Thumbnail workflow.
    Enable FPO rendition creation in Process Thumbnail workflow

  4. Adjust the Quality and add or modify Format List values as required. By default, the list of MIME types to generate the FPO rendition is pjpeg, jpeg, jpg, gif, png, x-png, and tiff. Click Done.

    Note:

    Rendition generation is supported for file types JPEG, GIF, PNG, TIFF, PSD, and BMP.

  5. To activate the changes, click Sync.

Note:

Images larger than 1280 pixels on one side do not retain the pixel dimensions in the FPO rendition.

Generate renditions of new assets using ImageMagick

In AEM, DAM Update Asset workflow executes when a new asset is uploaded. To use ImageMagick to process renditions of newly uploaded assets, add a new command to the workflow model.

  1. Click Tools > Workflow > Models. Select DAM Update Asset model and click Edit.

  2. Click Toggle Side Panel in the upper left corner. Search for command line step.

  3. Drag the Command Line step and add it before the Process Thumbnails step.

  4. Select Command Line step and click Configure.

  5. Add the desired information as custom Title and Description. For example, FPO rendition (powered by ImageMagick).

  6. In the Arguments tab, add relevant Mime Types to provide a list of file formats on which the command applies.

    Set MIME types on which the ImageMagick command applies.
    Set MIME types on which the ImageMagick command applies.

  7. In the Arguments tab, in the Commands section, add a relevant ImageMagick command to generate FPO renditions.

    Below is an example command that generates FPO renditions in JPEG format, downsampled to 72 PPI, at 10% quality setting, and handles multi-layered Adobe Photoshop files by flattening the output:

    convert -quality 10% -units PixelsPerInch ${filename} -resample 72 -flatten cq5dam.fpo.jpeg
  8. To activate the changes, click Sync.

For detailed information on ImageMagick command line capabilities, see https://imagemagick.org.

Generate renditions of existing assets using AEM workflow

To use AEM workflow to generate FPO rendition of the existing assets, create a dedicated workflow model that uses the in-built FPO rendition option.

  1. In AEM, click Tools > Workflow > Models. To create a model, click Create > Create Model. Add a meaningful Title and a Name.

  2. Select the model and click Edit. Click Page Information > Open Properties. Select Transient Workflow. This improves scalability and performance. Click Save and Close.

  3. Click Toggle Side Panel in the upper left corner. Search for process thumbnail step. Drag the Process Thumbnails step.

  4. Select Process Thumbnails and click Configure. Follow the configuration to generate rendition of new assets using AEM workflow. To activate the changes, click Sync.

Generate renditions of existing assets using ImageMagick

To use ImageMagick processing capabilities to generate FPO rendition of the existing assets, create a dedicated workflow model that uses the ImageMagick command line to do so.

View FPO renditions

You can check the generated FPO renditions after the workflow completes. In AEM Assets user interface, click the asset to open a large preview. Open the left rail and select Renditions. Alternatively, use the keyboard shortcut Alt + 3 when the preview is open.

Click FPO rendition to load its preview. Optionally, you can right click the rendition and save it to your file system.

Check for available renditions in left rail.
Check for available renditions in left rail.

Tips and limitations

  • To use ImageMagick-based configuration, install ImageMagick on the same machine as AEM.
  • To generate FPO renditions of many assets or of the entire repository, plan and execute the workflows during low-traffic duration. Generating FPO renditions for a large number of assets is a resource-intensive activity and the AEM servers must have sufficient processing power and memory available.
  • For performance and scalability, see Fine-tune ImageMagick.
  • For generic command line handling of assets, see command line handler to process assets.

Create a custom index in AEM 6.4.x versions

AEM contains indexes that are used for querying. Create the following custom index for specified version. AEM 6.5.0 contains this index by default. Adobe Asset Link requires this to determine which assets a user has checked out.

  1. In CRXDE, locate /oak:index node. Create a new node named cqDrivelockSet its Type to oak:QueryIndexDefinition.

  2. Add the following properties to the new node and save the changes:

    • Name: type; Type: string; Value: property
    • Name: propertyNames; Type: Name[] (click the "Multi" button); Value: cq:drivelock

Integrate with Adobe Stock

Organizations integrate their Adobe Stock accounts with AEM Assets. It helps marketers to make licensed high-quality, royalty-free photos, vectors, illustrations, videos, templates, and 3D assets available for their creative and marketing projects. Creative professionals can use these assets using the Asset Link panel.

To Integrate with Adobe Stock, see Adobe Stock assets in AEM Assets. AEM 6.4.2 or later is required for integration with Adobe Stock.

Configure visual or similarity search

Visual Search capability allows you to search for visually similar assets in the AEM Assets repository, using the Adobe Asset Link panel. The functionality is available in 6.5.0 or later versions and only the indexed assets are searched. For more info, see how to configure visual search.

Troubleshoot AEM-related issues

If you face issues when configuring or using Asset Link, try the following:

  • Ensure that your deployment meets the prerequisites. Specifically, ensure that the appropriate feature packs or packages are installed.
  • Contact your organization's partner or system integrator.
  • If your Creative Cloud users are unable to check in the checked out assets, then check for issue because of casing of domain names in the email IDs. To fix, see AEM manual configuration.
  • For more info, see troubleshoot Asset Link.

Get help faster and easier

New user?