Single Sign-On with Adobe and Microsoft AD/AAD

Single sign-on (SSO) promises improved user comfort, reduced IT effort and increased security. For Adobe Cloud Services, SSO can be implemented in conjunction with the local Microsoft Active Directory or the cloud-based Azure Active Directory. We will show you both ways and how you can implement them.

Adobe and Microsoft have had a strategic partnership for years. Both manufacturers are leaders in their field and are increasingly moving their products to the cloud. And the more cloud services companies use, the more complex it becomes to manage users. because every service requires its own login. As a result, administrators have to manage a huge number of accounts. They have to make sure that every user has the appropriate access rights and need to set up corresponding accesses when on-boarding and block them again when off-boarding. In addition, they have to prevent the growth of accounts and user names or crackable password combinations.

Single sign-on (SSO) offers user authentication via a central service. Users can then automatically log in to many different cloud services with the same login information and no longer have to remember endless variants of access data. This not only simplifies the work for users, but also for administrators, and it increases security. It reduces the number of accounts to be managed because management is carried out via a central console.

SSO can be implemented particularly conveniently in conjunction with the local Microsoft Active Directory (AD) or the cloud-based Azure Active Directory (AAD). This is because administrators can extend the central user administration that they already use in the Microsoft network to the Adobe services.

Requirement: Federated ID

Adobe's licenses are no longer device-based, but user-based - and to assign users to the licenses, there are three different ID types: the Adobe ID, the Enterprise ID and the Federated ID. To implement SSO for Adobe services, companies need a so-called Federated ID. What is behind it? With the Federated ID, the password information is stored locally in the company or in a corresponding identity provider service. This means that Adobe does not have any access data. If you are still using the Enterprise ID or even individual Adobe IDs, you should change the ID type first.

1. Active Directory (AD) On-Premises

The Active Directory is used to manage users, applications, devices, file services and other resources in the local Windows network. However, the AD was not designed to manage web-based services. To perform SSO with the AD, two components are required: the Adobe User Sync Tool and an identity provider. The Adobe User Sync Tool connects the AD with the Adobe directory service and synchronizes the two automatically. In this way, Adobe user management can also be integrated into existing user lifecycle processes.

If, for example, a new employee comes into the company who needs an Adobe license, this is configured in an identity management system (IDM) and the license is provided automatically.

The identity provider (IDP) is responsible for the actual SSO. It is a service that is either installed locally or can be used as a cloud service. The IDP is connected between the user systems and the Adobe Cloud and takes over the authentication. To do this, a server must be configured that has access to the local AD and on which the users can log in via their systems.

2. Azure Active Directory (AAD)

The Azure Active Directory was specially developed for web-based services and is used for user management of all Microsoft Cloud Services. Anyone who uses Office 365, SharePoint or Exchange Online therefore uses the AAD anyway. With the AAD, SSO is much easier to implement than with the AD. Customers do not need a sync tool, nor do they need to install an additional IDP.

Because the AAD is usually already automatically synchronized with the local AD via the Microsoft Azure AD Connect it also takes on the role of the IDP itself. The AAD can communicate directly from cloud to cloud with the Adobe Cloud directory service. To establish the connection, all you have to do is set up the Azure AD Connector that Adobe provides. The connection is configured in a few minutes using an assistant.

If you mostly have security concerns in the cloud, you should implement SSO with local AD. This way, the access data remains on-premises and administrators retain full control. However, you also accept a higher technical effort.

For companies that already use Microsoft Cloud Services like Office 365 or plan to do so, the AAD connection is the better way. This makes it much easier to implement SSO and reduce IT management efforts in the long term. This variant is also recommended when looking towards the future because AAD can not only act as an IDP for the services of Microsoft and Adobe, but also for the cloud services of many other providers.

If you are still unsure which way you should choose, we will be happy to advise you and support you with the implementation through these services:

Consulting / Advisory: Analysis of the current situation, determination of the individual requirements, overview of efforts and costs of possible implementations

Deployment: AD connection, installation and setup of the Adobe User Sync Tool and ADFS

License management: Support for all aspects of Adobe licensing and ID issues, conversion of the ID model and maintenance as well as optimization of Adobe licenses

Cloud migration: SoftwareONE is a Microsoft Azure Expert MSP partner and offers suitable service packages and comprehensive support for an Azure migration (strategy development, implementation and optimization as well as administration and cost control)