8 September 2014
User level: All
Note: If you have questions about this article, use the DPS forum. Please don’t contact technical support with questions about Adobe Developer Connection articles.
Adobe offers many products and services to Enterprise customers. In the case of Digital Publishing Suite (DPS), you do not have to be a large organization in order to reap the benefits of an Enterprise DPS account, and many small companies use DPS Enterprise for their internal and external projects. When large organizations purchase Creative Cloud subscriptions, however, they typically purchase under the Creative Cloud for Enterprise program or CCE. CCE has several deployment models to suit different Enterprise IT requirements, and not all those methods are supported in DPS. This article provides a set of best practices for CCE customers who want to also use DPS.
DPS depends on Adobe IDs in order to provide Enterprise customers with access to DPS tools and services. Adobe IDs are tied to unique email addresses, and they can be tied to an individual contributor or to a role. An individual contributor might be a personal email within a company, whereas a role email might be a distribution list with a form like firstname.lastname@example.org or email@example.com. Adobe recommends that companies establish role-based Adobe IDs when they set up their DPS account. This allows the company to manage these IDs better when employees leave the company or new hires join a team. You can learn more about DPS account provisioning here.
CCE has several deployment models that are designed to fit the requirements of IT organizations. These models include the following (Learn more here):
- Anonymous deployment with Serial Numbers
- Named User with Adobe ID
- Named User with Enterprise ID
IT departments use Anonymous deployment to deploy pre-serialized copies of Creative Cloud applications to users’ computers within the company. This method does not require Adobe IDs when the user starts an application, but the users cannot use the Cloud-based services that Adobe offers, such as Creative Cloud Files or Behance. In order to use these services and other Cloud-based services, users need to identify themselves. Companies often choose Anonymous deployment when they want to use software in an environment where many users might need to use a specific workstation, such as in a learning laboratory or in a print shop with multiple shifts. This method is familiar to most IT organizations, and it has long been the method used to deploy Creative Suite and Acrobat.
Named User deployment allows an Enterprise to centrally manage users, and in some cases, to grant access to Creative Cloud tools and services to specific users. There are two kinds of Named Users: those using Adobe IDs and those using Enterprise IDs. In both cases, IT administrators use the Enterprise Dashboard tool to add the users to their account, and in some cases, to manage which tools and services are available to those users. The Enterprise Dashboard is a portal to an Adobe-managed identity system for Enterprise customers. Just as the DPS Account Management dashboard is used to add an Adobe ID to a DPS account, the Enterprise Dashboard allows an IT administrator to add Adobe IDs to the Creative Cloud Enterprise Account.
When using Adobe IDs, the end-user creates a new Adobe ID or uses an existing Adobe ID, and the administrator adds it to the Enterprise Dashboard. An administrator can add any Adobe ID to the Enterprise Account: employees and freelancers can be added or removed, depending on the Enterprise's needs. Once added, the named users can log into Creative Cloud, install the software and use the cloud services, just like anyone who purchased a Creative Cloud subscription from adobe.com. These named users would be using Adobe IDs, just like the Adobe IDs used to log in to DPS and other Adobe services. This is convenient for companies that want their users to be able to deploy and manage their own software on their computers, but some companies want better control over which software is available to specific users.
The alternative to Adobe ID is Enterprise ID. Enterprise ID is convenient for companies that want to manage the identity of their pool of users rather than having users create their own Adobe IDs. The Enterprise can add users to the Enterprise Dashboard as Enterprise users and provision those Enterprise IDs with tools and services. This sounds like an Adobe ID, but it is fundamentally different: the Enterprise controls the account, not the user. In the Adobe ID case, the user has control of their account and will keep that Adobe ID, even if they leave the organization. They will lose access to Creative Cloud tools and services if the Enterprise removes them from the Enterprise Dashboard. However, they can always purchase CC on their own using their Adobe ID. Enterprise IDs are controlled by IT, which can rescind the ID at any time or change the assignment of tools and services. The user with that ID has no control over which tools and services are available to them. It is important to note that DPS uses Adobe IDs and does not currently support Enterprise IDs. We will explore the implications of this distinction later in the article.
There are several ways to manage Enterprise IDs, but in all cases, IT administrators must enter IDs in the Enterprise Dashboard. This provides fine-grained control over which specific users can access Creative Cloud tools and services. However, it does not prevent a user who is outside of the pool of named users from creating an Adobe ID and using that Adobe ID separate from the Enterprise account. Note that while the email addresses may be the same, the identities are NOT the same and will likely have access to different Adobe tools and services. In addition, it is possible for a company to claim a domain, which means that any Enterprise ID that is associated with an email address within the domain will not be able to purchase additional services or use free services that are disallowed by the Enterprise IT policies. This is a powerful tool for companies that want an easy way to ensure that only provisioned employees can use Creative Cloud tools and services. If a user attempts to log in and is not provisioned in the Enterprise Dashboard, the user will be unable to install or use Creative Cloud tools or services.
Some customers prefer to bring their own identity management system rather than use Adobe’s system. For those customers, Adobe will provide Single Sign-On (SSO), which allows the Enterprise to maintain control of the users’ identities within their own Enterprise identity management system such as LDAP or Active Directory. IT administrators still provision users in the Enterprise Dashboard, but identities will be validated by the Enterprise’s identity management system using the SAML 2.0 protocol. In this method, the Enterprise controls users and groups centrally and uses the Enterprise Dashboard to provision accounts for Creative Cloud tools and services. SSO-managed identities are functionally the same as the Enterprise IDs that we saw in the previous example. Rather than managing identities in two systems, the IT administrator manages identities in one system and then extends access to CCE users in the Enterprise Dashboard. This method is currently under development and is slated to be available in the first half of 2015.
Recall that at this time, DPS uses Adobe IDs, not Enterprise IDs. If a customer uses only Adobe ID-based Named User accounts, there is no conflict. The same account can be used for DPS and CCE, because both services use Adobe ID. What happens if a DPS customer decides to use CCE and opts for Claimed Domain and therefore Enterprise IDs? More generally, what should a company do if it has a DPS Enterprise account and wants to continue to use that account after enabling Enterprise ID with CCE?
Adobe allows existing Adobe IDs to remain in place after a domain is claimed, but it currently does not allow an email address to exist both as an Enterprise ID and an Adobe ID. If you create Adobe IDs for your DPS account using the recommended role-based Adobe IDs such as firstname.lastname@example.org and email@example.com, then so long as you do not create any Enterprise IDs for these role-based email addresses, those users will still be able to access DPS services without any issue. However, these role-based accounts will not be able to access Creative Cloud tools and services. Individual email addresses associated with Enterprise IDs, such as firstname.lastname@example.org or email@example.com, would not be able to use DPS, but they would be able to use Creative Cloud tools and services in accordance with their provisioning in the Enterprise Dashboard.
This means that with careful planning, it is possible to create a set of role-based Adobe IDs in advance of enabling a Claimed Domain, which will prevent any collision between the two types of IDs. Remember that it is common for a user to log into Creative Cloud as one user to use InDesign to create articles for DPS, but they often log into the Folio Builder panel as a different user. If it is necessary to create new Adobe IDs for DPS after claiming a domain or using SSO, then it will be necessary to ensure that those email addresses are not associated with any existing Enterprise IDs.
Eventually, Adobe plans to allow a single email address to be used as both an Enterprise ID and an Adobe ID. When available, this will alleviate any conflict between users who want to use DPS as individual contributors and users who exist in a claimed domain.
Enterprise Creative Cloud customers have choices with respect to how they manage users. While Named User deployment can provide many benefits to IT organizations for managing Creative Cloud users, care must be taken to not exclude the Adobe IDs that are designated for use with DPS. Until Adobe permits email addresses to be simultaneously Enterprise IDs and Adobe IDs, DPS customers should create Adobe IDs for DPS use first, and then enable Enterprise IDs through Claimed Domains.