AEM 6.4 has reached the end of extended support and this documentation is no longer updated. For further details, see our technical support periods. Find the supported versions here.
Adobe Asset Link (AAL) streamlines collaboration between creatives and marketers in the content creation process. It connects Adobe Experience Manager Assets with Creative Cloud desktop apps Adobe InDesign, Adobe Photoshop, and Adobe Illustrator. The Adobe Asset Link panel allows creatives to access and modify content stored in AEM Assets without leaving the creative apps they are most familiar with.
To configure Experience Manager Assets to be used with Asset Link, implement the following tasks. Use Experience Manager administrator account to do the configuration:
Install the packages as required. Details are in prerequisites.
Configure Experience Manager either manually or using a package.
To map Creative Cloud licensed users with Experience Manager users, manage user access control.
Create custom query index, configure FPO renditions for InDesign and configure Adobe Stock integration.
Ensure that you install the appropriate service pack and package as necessary. See the following requirements for each Experience Manager version and for specific capabilities.
Assets capability | Experience Manager version and requirements for support |
---|---|
Asset Link works by default | Experience Manager 6.4.4 and 6.4.6 or later. Adobe recommends installing the latest Experience Manager service pack (SP) before using AAL. |
Asset Link works after installing a package | For Experience Manager 6.4.0 - 6.4.3, install adobe-asset-link-support package. |
Adobe Stock integration | Experience Manager 6.4.2 or later |
Visual or Similarity search | NA |
Adobe recommends that you install adobe-asset-link-config configuration package to automate most of the configuration tasks, followed by a few manual tasks. Alternatively, you can configure manually.
If your Experience Manager instance is configured for user login with Adobe IMS accounts, do not use the configuration package. Instead, manually configure your Experience Manager instance.
To open Package Manager, in Experience Manager web interface, access Tools > Deployment > Package Share. Install adobe-asset-link-config
package.
Access Tools > Operations > Web Console. Locate Adobe Granite OAuth IMS Provider configuration, and click to edit it.
Set the following properties and save the changes.
Locate Adobe Granite Bearer Authentication Handler configuration, and click to edit it.
Add InDesignAem2 Client IDs to the Allowed OAuth client ids configuration property.
Manually configure Experience Manager if you choose not to use a configuration package or if your Experience Manager deployment is configured to support user login with Adobe IMS accounts.
To manually configure Experience Manager:
To access the configuration manager, access Tools > Operations > Web Console. Select OSGi > Configuration from the menu at the top.
Locate the Adobe Granite OAuth IMS Provider configuration and click to edit it.
Set the following configuration and click Save.
https://ims-na1.adobelogin.com/ims/authorize/v1
https://ims-na1.adobelogin.com/ims/token/v1
https://ims-na1.adobelogin.com/ims/profile/v1
https://ims-na1.adobelogin.com/ims/validate_token/v1
Locate Adobe Granite Bearer Authentication Handler configuration, and click to edit it.
Add the following Client IDs to the Allowed OAuth client ids configuration property: InDesignAem2, cc-europa-desktop_0_1, cc-europa-desktop_1_0, cc-europa-desktop_2_0, cc-europa-desktop_3_0, cc-europa-desktop_4_0, cc-europa-desktop_5_0, cc-europa-desktop_6_0, cc-europa-desktop_7_0, cc-europa-desktop_8_0, cc-europa-desktop_9_0, and cc-europa-desktop_10_0
.
To add each Client ID
, click +
. Click Save after adding all IDs.
In Adobe Granite OAuth Application and Provider configuration, inspect the existing Adobe Granite OAuth Authentication Handler instances. If you locate an instance with the Config ID
value of ims
, use it for the instructions in this procedure. Otherwise, click +
to create a configuration instance. Set the following property values and click Save.
ims
AdobeID, OpenID, read_organizations
(other values may also be in the configuration) ims
Checked
Email
for newly created configuration. Otherwise, do not change.Locate the Apache Jackrabbit Oak Default Sync Handler configuration with the Sync Handler Name ims
and click to edit it.
Set the following configuration properties, and click Save.
15m
for 15 minutes. For details, see Group Mapping. Deslect
Locate the Adobe Granite OAuth Authentication Handler configuration and click to edit it. Without making any changes, click Save.
To adjust the relative priority of the bearer authentication handler, in CRXDE, navigate to /apps/system/config
. Locate com.adobe.granite.auth.oauth.impl.BearerAuthenticationHandler.config
and open its configuration. At the end, add service.ranking=I"-10"
. Save the changes.
Each request authenticated with a bearer token incurs the overhead of three calls to Adobe IMS, user syncing, and the creation of a login-token in Experience Manager. To overcome this overhead, Adobe Asset Link captures the login-token returned in the response from Experience Manager and sends it with subsequent requests. For this process to work, the relative priority of the bearer authentication handler must be adjusted.
(Optional) If the Experience Manager users have uppercase or mixed case domain names in their email IDs, select Change Locking User to Lower Case in Adobe Granite ACP Platform Configs in Experience Manager Web Console.
Adobe Asset Link users are able to connect to Experience Manager to allow IMS login from the main Creative Cloud for Enterprise (CCE) org. Experience Manager uses the client IDs to identify the permitted IMS organization. After migration to Business Profiles, it is required to configure the Client ID and Secret Key for the IMS org in Experience Manager for the Bearer Authentication Handler. For more information on Business Profiles, see introducing Adobe Profiles.
Additional configuration is required only if you are using different Adobe IMS organizations for Experience Manager and Creative Cloud for Enterprise (CCE), and a domain trust relationship is established between these two organizations.
Prerequisites
An up and running Experience Manager instance with Bearer Authentication configured for AAL.
Upgrade to Experience Manager 6.4.8.4
Contact Customer Support to get the extended fix pack (EFP) for migration to Business Profiles. Install the EFP on your Experience Manager instance.
Contact Customer Support to get the Client ID and Secret Key for Bearer Authentication of your IMS org.
Following are the additional configurations that are required after migration to Business Profiles:
In Adobe Granite OAuth IMS Configuration Provider (com.adobe.granite.auth.ims.impl.ImsConfigProviderImpl
), set:
OAuth Configuration ID (oauth.configmanager.ims.configid
): ims
(Verify once, you may have it already configured)
IMS Owning Entity (ims.owningEntity
): Your IMS org id
Open Bearer Authentication Handler configuration and add the Client ID obtained from Customer Support to the list of Allowed OAuth client ids.
Open Adobe Granite OAuth Application and Provider configuration and add the Client ID and Client Secret (Secret Key) obtained from Customer Support.
Ensure that the Config ID field (oauth.config.id
) contains the same value as provided in OAuth configuration ID field (oauth.configmanager.ims.configid
) above.
Open Adobe Granite IMS Cluster Exchange Token Preprocessor configuration and set it to enable
.
This section describes how to manage users and their access to the Experience Manager repository.
Group mapping determines how groups in Experience Manager correspond to groups in Adobe IMS. It plays an important role in how Adobe Asset Link users are granted permission to access Experience Manager Assets.
When used with Adobe Asset Link, Experience Manager delegates user management functions to Adobe IMS. It automatically creates users and groups that correspond to users and groups in Adobe IMS. In addition, it synchronizes users, groups, and group membership in Experience Manager to match the ones in Adobe IMS.
For example, consider a scenario where Adobe Asset Link users are members of the Adobe IMS group assetlink-users. In this case, a synchronized group named assetlink-users is created in Experience Manager when a user from that Adobe IMS group connects to Adobe Asset Link for the first time. Each new user in the Adobe IMS group is added to that corresponding group in Experience Manager when they connect to Experience Manager through Adobe Asset Link for the first time.
Groups in Experience Manager that correspond to and are synchronized with groups in Adobe IMS can be granted access directly or by making them a member of another group. Here is an example of how permissions can be managed.
The following rules apply to group mappings in Experience Manager:
Ensure that the Group Mappings property in Adobe Granite OAuth IMS Provider configuration is blank.
Adobe Asset Link user group membership is evaluated when the user authenticates and the time period in User Expiration Time property in Apache Jackrabbit Oak Default Sync Handler configuration has elapsed. Currently, users can be added to and removed from groups in Experience Manager to synchronize with what is found in Adobe IMS.
Avoid group name conflicts. Ensure that the names used for groups created in Adobe IMS (to manage users) are different from all Experience Manager system group names.
For example, make sure that they are different from the dam-users
group and the groups created by the Experience Manager administrator.
An Adobe IMS group whose name conflicts with the name of an Experience Manager system group or manually created group are not used to control user permissions.
If an Adobe IMS user connects to an Experience Manager instance, on which the user’s name conflicts with a previously created Experience Manager user, the Adobe IMS user is given another name with numbers added to make it unique.
Setup first-time access control
Users who connect through Adobe Asset Link can only view and interact with assets after they are granted the required permission. The Group Mapping section above discusses how are user groups created in Experience Manager, which correspond to and are synchronized with user groups in your organization within Adobe IMS. It is recommended that the Experience Manager administrators use these groups to manage access control for Adobe Asset Link users.
For each Experience Manager group that is synchronized with an Adobe IMS group (which is used to manage user access control):
Once these steps are performed, other users in the same group can connect to Experience Manager with Adobe Asset Link in their first attempt. They automatically have the same permissions as the other users in the group.
Adobe Asset Link users are able to connect with Experience Manager when they are signed in to their Creative Cloud application. This authentication uses Adobe IMS technology and creates user information in Experience Manager, if it does not exist. It is common for Experience Manager enterprise customers to manage their users with an external identity provider that is integrated with Experience Manager. Identity providers include Adobe IMS and other products that use the SAML and LDAP protocols. Alternatively, users can be created and managed locally in Experience Manager.
Users who connect to Experience Manager from Adobe Asset Link have no conflict with existing user information stored in Experience Manager from previous direct sign-in, if:
On the other hand, the user information created as a result of direct Experience Manager sign-in must be updated to work with Adobe Asset Link, in the following scenarios:
The users created through these scenarios do not have a property that is required for users, which are synchronized with Adobe IMS.
To update such users in Experience Manager to work with Adobe Asset Link:
/home/users
. Alternatively, you can search for the user name in CRXDE. A sample user path: /home/users/x/xTac082TDh-guJzzG7WM
.jcr:primaryType
property value of rep:User
.Name
value of rep:externalId
, Type
value of String
, and a Value
value of rep:authorizableId
;ims
, where rep:authorizableId
is the value of the rep:authorizableId
property of the node. (A semicolon is used with no spaces to separate the rep:authorizableId
value from ims
.)If the services are not restored in a few minutes, restart Experience Manager to allow successful authentications.
After this change, an updated Experience Manager user can connect with Adobe Asset Link and continue to use the method of direct sign-in to Experience Manager that was used before the update. On successful authentication with Adobe IMS, the Experience Manager user profile information is synchronized with the user profile in Adobe IMS.
There is a method by which a bulk migration of multiple Experience Manager users can be performed to enable them to work with Adobe Asset Link. Contact Adobe Care for more information and assistance with enabling this option.
As an alternative to the steps, in certain circumstances, an Adobe Asset Link user may be provided quick access to Experience Manager. In such cases, the pre-existing user information is found and deleted with Experience Manager User Management or Experience Manager CRXDE prior to their connection with Adobe Asset Link. New user information is created in Experience Manager following the connection. Use this approach only if you are certain that there is no important data that is added as a child of the user node. Such extra data is any node that is the child of the user node other than tokens
, preferences
, profile
, profiles
, profiles/public
, and rep:policy/*
nodes.
In Experience Manager 6.4, the administrators can configure workflows to automatically execute and process assets based on pre-defined conditions.
The configuration is useful for line-of-business users and marketers, for example, to create a custom workflow on a few specific folders. Say all assets from an agency’s photoshoot can be watermarked or all assets uploaded by a freelancer can be processed to create specific renditions.
For more information and for Experience Manager configuration, see auto-execute workflow on assets.
Experience Manager contains indexes that are used for querying. Create the following custom index for specified version. Experience Manager 6.4.0 contains this index by default. Adobe Asset Link requires this index to determine which assets a user has checked out.
In CRXDE, locate /oak:index
node. Create a node named cqDrivelock
and set its Type
to oak:QueryIndexDefinition
.
Add the following properties to the new node and save the changes:
Name: type; Type: string; Value: property
Name: propertyNames; Type: Name[] (click the "Multi" button); Value: cq:drivelock
Experience Manager provides renditions that are used for placement only (FPO). These FPO renditions have a small file size but are of the same aspect ratio. If an FPO rendition is not available for an asset, Adobe InDesign uses the original asset instead. This fallback mechanism ensures that the creative workflow proceeds without any breaks. For more information, see generate FPO renditions.
Organizations integrate their Adobe Stock accounts with Experience Manager Assets. It helps marketers to make licensed high-quality, royalty-free photos, vectors, illustrations, videos, templates, and 3D assets available for their creative and marketing projects. Creative professionals can use these assets using the Asset Link panel.
To Integrate with Adobe Stock, see Adobe Stock assets in Experience Manager Assets. Experience Manager 6.4.2 or later is required for integration with Adobe Stock.
If you face issues when configuring or using Adobe Asset Link, try the following: