Copy link to clipboard
Copied
For Creative Cloud, if you are using SAML with Federated IDs for SSO how are you managing the logout process? Adobe currently does not offer a place to enter a SLO (Single Log out) URL or Endpoint in the Admin Console so when you logout of the Adobe application/website it never redirects the user to the SSO logout page and thus never kills their SSO session. Obviously, this creates a huge problem because when the second user comes in and tries to login, the system still sees user #1 as authenticated (since their SSO session never ended) and it just automatically lets user #2 in as user #1. This will go on and on with every user since User #1 never ends their SSO session. I adivsed Adobe Support of this and they basically said we dont support that right now and we will add it as a feature request. Not sure how you support SAML if you don't support the logout process. Allowing a login URL is only half the process. Curious if others found any workaround for this. Thanks.
Hi,
As you have stated, we don't currently have support for this parameter in Creative Cloud however for most scenarios it is not needed.
Is the behaviour the same if you log out from the browser or just from the application or Desktop App?
Are you using a 'seamless SSO' deployment? What is your IdP?
Copy link to clipboard
Copied
does this answer your question, Set up user identity in the Adobe Admin Console
[moved from Adobe Creative Cloud to Deployment for Creative Cloud for Team, Enterprise, & CS]
Copy link to clipboard
Copied
Unfortunately, it does not. We've already gone through and set up those settings and SSO (Single Sign-On) works for federated IDs, but Adobe has no place to enter in your IdP's logout URL information. Without this info, Adobe never redirects the user to the SSO sign out link and thus never logs out their SSO session.
When configuring SSO, Adobe Admin Console only accepts the following information:
IdP Issuer
IdP Login URL
IdP Binding
User Login Setting
Nowhere do they ever ask for the logout information.
What's odd is when you set up SSO / IdP configuration settings with Adobe Sign it allows you to enter:
IdP Issuer - This value is provided by the IdP to uniquely identify your domain.
Login URL / SSO Endpoint - The URL that Adobe Sign will call to request a user login from the IdP. The IdP is responsible for authenticating and logging in the user.
Logout URL / SLO Endpoint - When someone logs out of Adobe Sign, this URL is called to log them out of the IdP as well.
IdP Certificate - The authentication certificate issued by your IdP.
Why on earth would you not have the full IdP configuration settings in Adobe Admin Console for the CC Suite? It's there for Adobe Sign, but not in the Admin Console.
Copy link to clipboard
Copied
Moving this query to Enterprise & Teams community.
Copy link to clipboard
Copied
Hi,
As you have stated, we don't currently have support for this parameter in Creative Cloud however for most scenarios it is not needed.
Is the behaviour the same if you log out from the browser or just from the application or Desktop App?
Are you using a 'seamless SSO' deployment? What is your IdP?
Copy link to clipboard
Copied
How is it not needed in most scenarios? If you don't log out the session with the IdP you are running the risk of orphaned SSO sessions which is basically going to allow unauthenticated users access to the service with someone else's session. Logging out on the Adobe side without terminating the SSO session is only ending the local login for Adobe and is still leaving the user authenticated with the IdP.
This behavior is the same with both the browser (Adobe website) and the CC applications. Logging out of Adobe without any redirect back to the IdP logout URL does not end the authenticated user's session with the IdP. As long as the user authenticates with SSO it doesn't matter if it's through the browser or application...the logout behavior is the same because Adobe is not passing that logout information back to the IdP.
Our IdP is Enboard (enboard.com). Our SSO deployments work with every other application, but those applications also allow us to enter both a login as well as a logout URL for the SAML process.
A simple example is to look at Google since they are one of the largest app providers (Service provider SSO set up - G Suite Admin Help ). To fully support SAML-based SSO with a 3rd party IdP you need to be able to enter both a sign-in URL as well as a sign-out URL that redirects the user back to the IdP to open or close their session.
Is there some other way you can recommend for ending the SSO session without redirecting the user to the IdP logout URL upon logging off with Adobe? For security reasons, we simply cannot allow orphaned SSO sessions to exist and risk one student accessing a service under another student's authenticated session.
Thank you.
Copy link to clipboard
Copied
Adobe SSO is SP initiated only and you won't see IDP initiated features. We are introducing closer integration with Google IdP and others soon.
For Shared Device Licenses users are prompted for Account Confirmation periodically and logged out if that is not done. When you log out of the application or website your session is ended, the next users needs to authenticate again.
Copy link to clipboard
Copied
SAML Single Logout is a SP-initiated feature so I'm not sure why Adobe SSO being SP initiated only is an issue.
I have already proven to Adobe Support via a remote login session that the behavior you would expect is not true. When you log out of the Adobe application or website (using a shared device license), your local Adobe session is ended, but the SSO authenticated session is not. Therefore the next user does not authenticate again. In fact, they aren't even given the chance to. As soon as they choose to use an enterprise/federated ID to login with and it redirects the user to the SSO login URL, it sees the previous user is still authenticated (even though they logged out of the adobe application and closed it) and it opens the application for the new user under the previous users authenticated session. Since the SSO session never ended, the SAML process found the orphaned session still active and used it for the new user. This is not the desired effect and in fact is a pretty big security flaw.
Under the SAML 2.0 documentation there is an entire section on SP-initiated Single Logout:
It specifies that the SP initiates the the request by returning a digitally signed LogoutRequest SAML message to the end-user's browser which is used to validate the request to the IdP. The IdP's SLO endpoint is then appended with the LogoutRequest, which is a dedicated URL that expects to receive SLO messages and this is returned to the user's browser via a 302 HTTP redirection response. The user's browser follows the redirect and requests the IdP's SLO URL with the LogoutRequest. The IdP terminates its own logon session and sends a final LogoutResponse message back to the initiating SP. This LogoutResponse matches the original LogoutRequest that was initiated from the SP. The SP then terminates its own logon session for the end user and displays a logout page. Both the SP logon session as well as the IdP logon session should now be terminated.
So SAML fully supports SP initiated logout to the IdP....Adobe just hasn't configured their system to use the feature. You need to allow the user to enter the IdP logout URL/endpoint in the Adobe Admin Console and then Adobe can use that information to create a proper SAML response when the user initiates a logout requests from either the website or application.
Hopefully Adobe can add this soon because as I already indicated, the first user's SSO session remains active even after they log out of Adobe and close the application so when any users come after them they are not asked to authenticate again and instead access the first user's orphaned SSO account that was never terminated with the IdP.
Copy link to clipboard
Copied
Can we get an update on fixing the problem of orphaned SSO sessions as outlined above? This is an urgent, important issue that affects SSO deployment for many people, including me. Other large players in this space (ie. Office 365) fully adhere to the SAML spec. Why did Adobe only implement a portion and think it was okay?
Copy link to clipboard
Copied
Is there any update on this issue?
This issue is severely affecting our SSO deployment.
Copy link to clipboard
Copied
4 years on, is this still an issue? I can't log out of the Creative Cloud app...
Copy link to clipboard
Copied
I agree with Eric Vrieling, full SAML spec needs to be used by Adobe. I would like to be able to have users login to AWS SSO and automatically be authenticated to Adobe Creative Cloud but the lack of a full SAML spec prevents that as Adobe only allows SP Initiated SSO.
Copy link to clipboard
Copied
Adding another vote/voice to this. It's bad form that Adobe did not bother to implement SSO single logout nor IDP initiated login.