Skip to main content

About Adobe

Adobe provides creative, document, and marketing software — Creative Cloud, Document Cloud, and Experience Cloud — licensed to users through the Adobe Admin Console. Connecting Adobe to Serval lets you automate license (product profile) assignment, user management, and access workflows via Adobe’s User Management API.
The Adobe integration is in beta. The surface is currently focused on the Adobe User Management API (usermanagement.adobe.io). Other Adobe APIs (Creative Cloud Libraries, Photoshop API, etc.) are not exposed.

What the Adobe integration enables

CapabilityDescription
Access ManagementProvision and deprovision Adobe product profiles (licenses) through pre-built, installable workflows
Workflow AutomationCall any endpoint in the Adobe User Management API via the Adobe API request action

Key Features

  • List and look up users in your Adobe organization
  • Create users and assign / remove product profiles (licenses)
  • Manage user groups and group membership
  • Remove users from the organization

Common Use Cases

  • Self-service Creative Cloud license requests with approval
  • Offboarding: reclaim Adobe licenses automatically
  • License-tier changes (e.g. Single App → All Apps)
  • Periodic audits of who holds which product profile

Adobe configuration (in the Adobe Developer Console)

Serval authenticates to Adobe with an OAuth Server-to-Server credential that you create in the Adobe Developer Console. This credential acts on behalf of your organization — no user login or browser-based OAuth flow is involved.

Prerequisites

  • A System Administrator role in your Adobe organization — required to add the User Management API to a Developer Console project
  • Access to the Adobe Developer Console

Step 1: Create a project with the User Management API

1

Create a project

  1. Sign in to the Adobe Developer Console
  2. Make sure the correct organization is selected in the top-right org picker
  3. Click Create new project (or open an existing project you want to reuse)
2

Add the User Management API

  1. In the project, click Add API
  2. Select User Management API (listed under Adobe Services) and click Next
  3. Choose the OAuth Server-to-Server credential type
  4. Click Save configured API
Adding the User Management API automatically attaches the scopes the credential needs (openid, AdobeID, user_management_sdk). You don’t need to configure scopes manually — Serval requests exactly these during the token exchange.

Step 2: Collect the credentials

1

Open the credential details

In your project, open the OAuth Server-to-Server credential. The Credential details page shows everything Serval needs.
2

Copy three values

ValueWhere to find itLooks like
Organization IDCredential details page (also under Project overview)1234567890ABCDEF12345678@AdobeOrg
Client ID (API Key)Credential details pagea1b2c3d4e5f6...
Client SecretCredential details page → Retrieve client secretp8e-...
Treat the client secret like a production password. If you rotate it in the Adobe Developer Console later, remember to update it in Serval as well — the old secret stops working as soon as rotation completes.

Serval configuration

1

Navigate to the Adobe integration

  1. In Serval, go to Apps → Available → Adobe
  2. Click Connect
2

Enter the credentials

FieldDescription
Organization IDYour Adobe organization ID. It always ends with @AdobeOrg.
Client ID (API Key)The Client ID of your OAuth Server-to-Server credential.
Client SecretThe Client Secret of your OAuth Server-to-Server credential.
3

Save and verify

Click Save. Serval exchanges the credentials for an access token with Adobe IMS and runs a read-only health check that lists the first page of users in your organization. This exercises the full auth path — the token exchange, the API key header, and org access — so a green check means the integration is ready to use.
Adobe access tokens are short-lived; Serval refreshes them automatically using the stored credential. You never need to rotate tokens by hand — only the client secret, if your security policy requires it.

Installable workflow bundles

The integration ships with an Access Management bundle you can install from Apps → Adobe → Workflows:
  • Provision User to Adobe — assigns the requested Adobe product profile (license) to a user. If the user doesn’t exist in your Adobe organization yet, the workflow first creates a Federated ID for them, then adds the product profile. Install it, then select it as an app entitlement’s custom provisioning workflow.
  • Deprovision User from Adobe — removes the revoked product profile from a user. Select it as the entitlement’s custom deprovisioning workflow. The user stays in the organization; only the license is reclaimed.
These workflows are plug-and-play — there is no role-mapping table to maintain. The Adobe product profile comes straight from the Serval role / entitlement name, so name your Serval entitlements to exactly match the product profile strings in your Adobe Admin Console (e.g. Default All Apps configuration).
Two scoping assumptions to check before installing:
  • Identity type: user creation assumes your organization uses Federated IDs (SSO-backed). If you use Enterprise IDs or Business IDs, or rely on SSO just-in-time provisioning, adjust the user-creation step after installing.
  • SSO access is separate: these workflows manage only the Adobe license. If sign-in to Adobe is gated by an IdP / directory group, grant or revoke that group in your IdP (or as its own Serval step) — assigning a product profile does not by itself let the user log in.

Using Adobe in workflows

Once connected, use the Adobe API request action to call any User Management API endpoint. The action is schema-less — pass the path, method, and body directly, and resolve request shapes from the UMAPI documentation. Serval injects authentication automatically on every call:
  • The Bearer token from the OAuth Server-to-Server exchange
  • The X-Api-Key header (your client ID), which Adobe requires on every request
Your organization ID is available from the integration context, so workflows never hardcode it: 
import { workflow } from "serval/core";
import * as adobe from "serval/integrations/adobe";

export const main = workflow({
  fn: async (_args: {}, ctx: adobe.context.AdobeIntegration) => {
    const { orgId } = ctx.integrations.adobe;

    // List the first page of users in the organization
    return await adobe.apiRequest(
      {
        path: `/v2/usermanagement/users/${encodeURIComponent(orgId)}/0`,
        method: "GET",
      },
      ctx,
    );
  },
});

Common endpoints

PathMethodNotes
/v2/usermanagement/users/{orgId}/{page}GETList users, paginated by page number. The response’s lastPage flag tells you when to stop.
/v2/usermanagement/organizations/{orgId}/users/{userString}GETLook up a single user by email.
/v2/usermanagement/groups/{orgId}/{page}GETList user groups and product profiles.
/v2/usermanagement/action/{orgId}POSTThe batch action API — create users, add/remove product profiles and user groups, remove users from the org. Each entry’s do array runs steps in order.
The action API returns a summary (result, completed, notCompleted, errors) rather than failing the HTTP request — always check notCompleted and errors in your workflow. The pre-built provisioning workflows above already do this and fail loudly on partial completion.
Adobe throttles the User Management API per organization. If you build bulk workflows (e.g. a license audit across thousands of users), expect occasional 429 responses and retry with backoff per the Retry-After header. See Adobe’s throttling guidance for current limits.

Troubleshooting

Health check fails after connecting

  • Confirm the Organization ID ends with @AdobeOrg and matches the org selected in the Developer Console when you created the project.
  • Confirm the credential is OAuth Server-to-Server (not JWT — Adobe’s deprecated Service Account credential type — and not an OAuth Web App credential).
  • Confirm the User Management API is added to the same project as the credential. The client ID is only authorized for APIs attached to its project.

401 Unauthorized on API calls

  • The client secret may have been rotated in the Adobe Developer Console. Update the secret in Serval (Apps → Adobe → Configure).

Action API reports notCompleted entries

  • The product profile name in the request must match the Adobe Admin Console name exactly, including case and spacing. For the installable workflows, that means the Serval entitlement name must be an exact match.
  • Check the errors array in the response — Adobe returns a per-entry errorCode and message identifying the failing step.

External Resources

Need help? Contact support@serval.com for assistance with your Adobe integration.