SSO logout URL

Unfortunately, it does not. We've already gone through and set up those settings and SSO (Single Sign-On) works for federated IDs, but Adobe has no place to enter in your IdP's logout URL information. Without this info, Adobe never redirects the user to the SSO sign out link and thus never logs out their SSO session.

When configuring SSO, Adobe Admin Console only accepts the following information:

IdP Issuer

IdP Login URL

IdP Binding

User Login Setting

Nowhere do they ever ask for the logout information.

What's odd is when you set up SSO / IdP configuration settings with Adobe Sign it allows you to enter:

IdP Issuer - This value is provided by the IdP to uniquely identify your domain.

Login URL / SSO Endpoint - The URL that Adobe Sign will call to request a user login from the IdP.  The IdP is responsible for authenticating and logging in the user.

Logout URL / SLO Endpoint - When someone logs out of Adobe Sign, this URL is called to log them out of the IdP as well.

IdP Certificate - The authentication certificate issued by your IdP.

Why on earth would you not have the full IdP configuration settings in Adobe Admin Console for the CC Suite? It's there for Adobe Sign, but not in the Admin Console.

Moving this query to Enterprise & Teams​ community.

How is it not needed in most scenarios? If you don't log out the session with the IdP you are running the risk of orphaned SSO sessions which is basically going to allow unauthenticated users access to the service with someone else's session. Logging out on the Adobe side without terminating the SSO session is only ending the local login for Adobe and is still leaving the user authenticated with the IdP.

This behavior is the same with both the browser (Adobe website) and the CC applications. Logging out of Adobe without any redirect back to the IdP logout URL does not end the authenticated user's session with the IdP. As long as the user authenticates with SSO it doesn't matter if it's through the browser or application...the logout behavior is the same because Adobe is not passing that logout information back to the IdP.

Our IdP is Enboard (enboard.com). Our SSO deployments work with every other application, but those applications also allow us to enter both a login as well as a logout URL for the SAML process.

A simple example is to look at Google since they are one of the largest app providers (Service provider SSO set up - G Suite Admin Help ). To fully support SAML-based SSO with a 3rd party IdP you need to be able to enter both a sign-in URL as well as a sign-out URL that redirects the user back to the IdP to open or close their session.

Is there some other way you can recommend for ending the SSO session without redirecting the user to the IdP logout URL upon logging off with Adobe? For security reasons, we simply cannot allow orphaned SSO sessions to exist and risk one student accessing a service under another student's authenticated session.

Thank you.

Adobe SSO is SP initiated only and you won't see IDP initiated features. We are introducing closer integration with Google IdP and others soon.

For Shared Device Licenses users are prompted for Account Confirmation periodically and logged out if that is not done. When you log out of the application or website your session is ended, the next users needs to authenticate again.

https://helpx.adobe.com/enterprise/using/sdl-faq.html

SAML Single Logout is a SP-initiated feature so I'm not sure why Adobe SSO being SP initiated only is an issue.

I have already proven to Adobe Support via a remote login session that the behavior you would expect is not true. When you log out of the Adobe application or website (using a shared device license), your local Adobe session is ended, but the SSO authenticated session is not. Therefore the next user does not authenticate again. In fact, they aren't even given the chance to. As soon as they choose to use an enterprise/federated ID to login with and it redirects the user to the SSO login URL, it sees the previous user is still authenticated (even though they logged out of the adobe application and closed it) and it opens the application for the new user under the previous users authenticated session. Since the SSO session never ended, the SAML process found the orphaned session still active and used it for the new user. This is not the desired effect and in fact is a pretty big security flaw.

Under the SAML 2.0 documentation there is an entire section on SP-initiated Single Logout:

It specifies that the SP initiates the the request by returning a digitally signed LogoutRequest SAML message to the end-user's browser which is used to validate the request to the IdP. The IdP's SLO endpoint is then appended with the LogoutRequest, which is a dedicated URL that expects to receive SLO messages and this is returned to the user's browser via a 302 HTTP redirection response. The user's browser follows the redirect and requests the IdP's SLO URL with the LogoutRequest. The IdP terminates its own logon session and sends a final LogoutResponse message back to the initiating SP. This LogoutResponse matches the original LogoutRequest that was initiated from the SP. The SP then terminates its own logon session for the end user and displays a logout page. Both the SP logon session as well as the IdP logon session should now be terminated.

So SAML fully supports SP initiated logout to the IdP....Adobe just hasn't configured their system to use the feature. You need to allow the user to enter the IdP logout URL/endpoint in the Adobe Admin Console and then Adobe can use that information to create a proper SAML response when the user initiates a logout requests from either the website or application.

Hopefully Adobe can add this soon because as I already indicated, the first user's SSO session remains active even after they log out of Adobe and close the application so when any users come after them they are not asked to authenticate again and instead access the first user's orphaned SSO account that was never terminated with the IdP.

alisterblack​

Can we get an update on fixing the problem of orphaned SSO sessions as outlined above? This is an urgent, important issue that affects SSO deployment for many people, including me. Other large players in this space (ie. Office 365) fully adhere to the SAML spec. Why did Adobe only implement a portion and think it was okay?

Is there any update on this issue?

This issue is severely affecting our SSO deployment.

4 years on, is this still an issue? I can't log out of the Creative Cloud app...