User Guide Cancel

Education Deployment Simple Setup

This page will guide you through setting up the Adobe Admin console with a "simple setup." In a simple setup, Adobe Federated Accounts are created on their first login, and licenses are assigned to users just in time. 

This guide covers typical setups for both K-12 (Primary and Secondary) and Higher Education

Simple Setup – Using JIT Rules

This simple method enables users to log in and access apps with no additional configuration. There is no directory sync, so this config will not disable users in the Adobe directory. If a user is disabled or deleted from the identity platform, they cannot log in to their federated account.

Organizations can enhance their setup with a User sync or Roster sync following this simple setup.

Steps 1 to 4 have been completed for K-12 organizations that used the K-12 Onboarding Wizard to set up their Adobe Admin Console. 

Syncing Users Setup 

Simple Setup Steps

  1. Create a Directory
  2. Configure Federated Directory
  3. Claim Domains
  4. Enable Product Access Rules (Automatic License Assignment)
  5. Advanced Product Access Rules Self-Service (URL Controlled) - Optional

Video Setup Guides

Adobe Express for K-12 with Just-in-Time account creation and license management. These video guides explain the process of creating a directory and setting up license management, which are also relevant to Higher Education administrators.

  1. Create a Directory

    Adobe Admin Console > Settings > Create Directory

    A wizard will guide you through. On the first screen, provide a name for this directory. This name is for internal use and is not exposed to your end users.

    If you cannot create a directory, visit Products > Select "Get Started" with Adobe Express for K-12 or Creative Cloud Shared Device Access License.

    A screenshot of the Create Directory wizard with a text box for the name of the directory and two cards one for Federated ID and the other for Enterprise ID. The Federated ID card is selected.

  2. Configure a Federated Directory

    Selecting Federated Directory will trigger a wizard. You are presented with three options: Microsoft Entra, Google SAML, or Custom SAML.

    A screenshot of the create federated directory wizard displaying the options for Azure, Google and Other SAML

    Each flow will guide you through the required steps in your external Identity Platform. On the SSO confirmation screen, keep the Enabled setting for Auto-Account Creation.

    A screenshot of the Adobe Admin Console directory confirmation screen highlighting auto-account creation enabled.

    This will create a federated user automatically on their successful login.

    Tip:

    For Continue with Google to function, add the following ClientID 1014431251553-kq98rctnjtv76ag4ulrfkem43b74poni.apps.googleusercontent.com with the following steps.

    1. Google Admin Console > Security > Access and Data Controls > API Controls Manage Third-Party Apps 
    2. https://admin.google.com/ac/owl/list?tab=configuredApps
      Add App > Search by name or Client ID
    3. Paste the above Client ID 
    4. Search
    5. Select the Adobe App
    6. Enable it for the entire org
    7. Select Trusted
  3. Claim Domains

    Once your federated directory is created, you must add domains to it. With Entra or Google, you can log in with your admin account. The domains claimed in these platforms will be available to add to the directory. If you don’t have access to Microsoft or Google Admin accounts, you can prove domain ownership with a DNS text record.

    A screenshot of an admin claiming domains in the adobe admin console

    Google Policy Enforced Preventing validating domains?

    If you are blocked during the domain claim process with Google due to an API add the following Client ID 880547366666-6dhr4mqsutv0a98arjksgflfh02kgp98.apps.googleusercontent.com with the following steps.

    1. Google Admin Console > Security > Access and Data Controls > API Controls > Manage Third-Party Apps
      https://admin.google.com/ac/owl/list?tab=configuredApps
      Add App > Search by name or Client ID
    2. Paste the above Client ID 
    3. Search
    4. Select the Adobe App
    5. Enable it for the entire org
    6. Select Trusted

    It can take up to 20 minutes for the Google API to update the permissions.

  4. Enable Product Access Rules (Automatic License Assignment)

    Adobe Admin Console > Products > Product automation rules

    Select a Product and Product Profile

    A screenshot of creating a product access rule by selecting a product and a product profile.

    The option enables admins to select specific directories or domains and the following ways to gain their license;

    1. Automatic Assignment - On user login
    2. On visiting a specific URL and authenticating. 

    Note:- This URL can be re-generated if required.

    A screenshot of a product assignment rule confirmation page with on-demand or URL access selected.

    Share Quick Login URL with users

    For Adobe Express, share a specific URL with your users. This URL will trigger an SSO login to your primary IDP configured in the directory that owns the domain.

    The URL format is 
    https://new.express.adobe.com/a/domain.org 
    Replace domain.org with a registered of the domains in the directory.

    A computer screen shot of a colorful backgroundDescription automatically generated


    Pin THE Adobe Express SSO Launch URL to the taskbar of a Chromebook

    Google Workspace Admins Only

    In the Google Admin Console > Apps & Extensions https://admin.google.com/ac/chrome/apps/user add the following as a URL:

    https://new.express.adobe.com/chrome-tab/a/domain.org
    Replace domain.org with a domain claimed in your Admin Console federated directory.

    To pin to the taskbar, select Force install + Pin to ChromeOS taskbar.

    • If multiple domains are registered in your federated directory, use any one of the domains.
    • If you have multiple directories, you must create a link for each directory using any one of the domains owned by that directory.
  5. Advanced Product Access Rules Self-Service (URL Controlled) - Optional

    Create a product profile for each product assignment rule.

    This will enable the monitoring of usage of the auto-assignment rule or URL.

    To control and enable on-demand licensing for paid products, such as Creative Cloud All Apps or Adobe Express for Higher Education.
    Note:- Adobe Express for K-12 and Shared Device Access licenses are Free.

    The product access automation feature provides an option for a unique URL; when users visit the URL and authenticate, they are assigned a license based on the associated product profile.

    In the Adobe Admin Console > Products

    Select a Product, For Example, All Apps

    Select New Profile 

    Identify the product profile with a unique name

     

    Create a new product profile for the specific license type and provide a name—this name should differ from any other product profile or group name.

    A screenshot of a computerDescription automatically generated

    In this example,  the profile name is, All Apps Students Semester A 25 

    A screenshot of a computerDescription automatically generated

    Set the quota of licenses available for use in this profile.
    For ETLA Customers, please see the note below.

    Alert:

    The quota will not be enforced if your contract type is ETLA.

    VIP customer product profile quotas will be enforced.

    If multiple product profiles of the same product are assigned to a single user, this will consume multiple licenses.

    Create a new Product License Assignment Rule

    • Adobe Admin Console > Products > Product access automation > Automatic assignment rules
    • Select Add product
    • Select the product All Apps for K-12
    • Select the product profile All Apps Students Semester A25
    • Select Next
    A screenshot of creating a product assignment rule with All Apps for K-12 and Alll Apps Students Semester A 25 selected

    Select All users in this organization

    If you have multiple directories or domain you can select based on these criteria.

    A screenshot of the product assignment wizard with all users in the organisation selected. The other option is for users in selected directories or domains.

    Select URL access only

    This will require users to authenticate with this URL. This URL can be updated without creating a new rule.

    A screenshot of the product assignment wizard with the URL-only access option selected. The option not selected is the item On-demand or URL Access

    Monitoring of URL-assigned licenses 

    When users access the product via this rule, the license assignment will be visible at the product profile level.

    Adobe Admin Console > Products > Select the specific Product > Select the Product Profile

    A screenshot of the product profile showing the users that are licensed by this profile.

    Create a new rule for each semester

    To monitor license assignments, create a new product profile and assignment rule for each semester.

    Removing licenses assigned to users will not delete assets. 

    Licenses can be removed from users without impacting their cloud assets

    Removing all licenses assigned to a user will not delete their cloud docs, the user assets become read-only at https://assets.adobe.com

    Some organizations remove all licenses at the end of the academic year and rely on license assignment rules/URLS to manage the on-demand license access.


Additional Setup Options

Adding User Sync

Organizations can move from a simple setup (JIT account creation and license assignment) to a user sync with the following steps;

For organizations with Azure

Adobe Admin Console > Settings > Directory > Add Sync > Select Azure

Select Sync from the directory settings, add sync, select Azure, and follow the wizard.

Azure Sync Guide

For organisations with Google Workspace

To configure user sync when you have a Google simple setup. The first step is to add Google SAML as a secondary Authentication provider; this is a required setup for configuring the Google Sync App.

Adobe Admin Console > Settings > Directory > Add new idp > Select Google

Once the Google SAML authentication has been completed.

Google SAML Guide

Adobe Admin Console > Settings > Directory > Add Sync > Select Google

select Sync from the directory settings, Add Sync, select Google, and follow the wizard.

Google Sync Guide

Roster Sync (K-12 US)

Roster your users and assign licenses from Clever or Classlink

Adobe Admin Console > Settings > Directory > Add Sync > Select Sync users from an education portal

Rostering with Clever or Classlink Guide (K-12 US)


Simple Education Setup Video Guides

Azure Example Setup

Walkthrough the setup of Adobe Express with Just in time licenses provisioning and account creation with Azure.

 

Google Example Setup

Walkthrough the setup of Adobe Express with Just in Time licenses provisioning and account creation with Google.

Get help faster and easier

New user?