I desperately need help. Suddenly, none of my students are able to log into Adobe Spark with their school email accounts. I still have access because I'm the administrator. I'm having a hard time understanding how my students no longer can access Spark. The error message they get is "Access Denied". They were able to log in previously.
Any ideas on how to fix this issue?
Were the students able to sign in previously? Has anything changed? Can none of them sign in?
I can see that you are using Federated ID with Google as your Identity Provider.
Make sure that you are signing in with the Federated ID password and not the student's own Google ID, as this is a different account.
You as the admin are using Adobe ID which is why you can sign in.
If you need to dig deeper into this I advise contacting our support teams. You can do this via the Support tab in your Admin Console.
Our documentation covering Google IDP setup is here - Configure Google IdP for use with Adobe SSO
They previously signed in. I set up SSO with G Suite for Education so my students log in with the same school credentials. It worked before and I haven't done anything different. Should I delete their accounts in the Adobe Admin Console and start over?
No, I would not delete the accounts at this stage.
Looking at the logs on your console I am only seeing successful sign-ins, no errors. It may be worth checking on the Google side if your certificate has expired - Maintain SAML certificates - G Suite Admin Help
At this point you probably need to open a support ticket with us. They can ask for a SAML trace which will show the communication that is happening during the authentication process and that will indicate if the correct parameters are being passed over.
I checked the certificate and it's current. It won't expire until Sept 4, 2023. I want to open a support ticket at this point. I was hoping to teach Spark today, but it looks like it won't happen. How long will it take for this issue to be fixed?
To open a support ticket go to the Support tab of your admin console. My colleagues will be able to triage your issue and give a likely timeframe for resolution.
After I clicked on the Support tab, I don't see an option to open a support ticket. My options are: Manage support cases, Chat with Adobe customer support, and Request expert session. I tried the last two options last night and they didn't get me anywhere. Is there a number I can call or an email?
There is a number in the top right hand corner of the support page. I'll DM it to you also.
Hi again Alister:
So this morning I used a few of my students' accounts to log into Adobe Spark from a desktop computer in the lab. I was able to log in successfully, but when I tried the same student login from my school laptop it didn't work. I keep getting the same error message "access denied". The same thing happened when I tried the student login from my home laptop. Shouldn't you be able to access Spark from anywhere? I'm having a hard time understanding why.
Yes, you can access Spark from anywhere. The issue is with your Single Sign-On configuration (this is why Adobe ID is ok). This could be if your Assertion Consumer Service (ACS) is set to use https instead of http.
I followed the instructions on the Adobe SSO setup page word for word and didn't have issues until a couple of days ago. Is there a way you or I could check if the ACS settings are ok?
To clarify - you were able to log in via SSO from outside your network until a couple of days ago?
Can you log into services other than Spark with your Federated ID? For example, adobe.com or the Creative Cloud Desktop App? Could this have been blocked at the firewall level or by proxy, VPN or antivirus tools at the external location? Can you try with another browser, or by using an incognito browsing session? Sometimes an ISP will even block certain services or endpoints.
From the Admin Console everything seems correct and your logs show no sign-in errors.
Your ACS is set to use https - this is the setting in the Adobe Admin Console called IdP issuer.
That information comes from the Entity ID in the Google IdP Information screen.
This seems to auto-populate and I am not sure if this is something you can edit.
I'm able to log in to my own account from anywhere and from any browser. Spark is the only service that I have at this time.
The issue is when I use some of my students' accounts to log in to Spark from my laptop. I was able to log in with my students' accounts in an incognito browser. When I go back to the regular Chrome browser, the only time I can log in with my students' accounts is when I clear the cache, exit the browser, and reopen it but I find myself doing this every single time.
Okay, we are narrowing this down then.
It indicates a browser issue, maybe caused by an add-in with your browser such as a pop up blocker.
Can you install another browser such as Edge or Firefox?
So I did try with Firefox and it worked. What would I need to do to make it work in Chrome again without having to clear the cache?
I was also wondering if you could help me with another issue: After I set up SSO in G Suite for Education, I created a shortcut icon for Spark so that when students click on it, it takes them directly to the site. Instead, the Okta page comes up. I'm attaching a couple of screenshots.
The add-ons I have for Chrome are: Screencastify, Adobe Acrobat, Google Docs Offline, Okta Secure Authentication plug-in, Adblock Plus, Grammarly, and G Suite Training.
When I set up Spark in G-Suite for education, it was done like this:
Should I add anything in the "Start URL" field?
Did you receive my message?
Sorry I am on a different continent to you - hence the delayed response.
The Chrome version of safe mode is incognito mode and we already know that this works ok. All you can do is remove all the add-ins and add them back one at a time until you can replicate the problem. However at this stage it is a Chrome issue. Personally I would just use a different browser.
I don't think there is an issue with your SSO setup.
No worries. If the setup is correct, then why do I get the "Okta" page after clicking on the Spark icon in G Suite? Shouldn't I be taken straight to Spark instead?
Once you have set up SSO for your Adobe admin console, you don't need to add individual applications also. From a technical perspective this is because Adobe supports service-provider (SP) initiated login and not Identity Provider (IDP) initiated login.
As our document states "To sign in to Adobe Spark, open the website for Adobe Spark, click Log In > Log In With School Account. Then, sign in using your email address and password."
This user video also gives a good overview - https://youtu.be/tUoaCjkvFgA
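An added example, not part of the original thread and not Adobe's or Google's tooling: a small Python diagnostic for the kind of SAML trace mentioned earlier in the thread. It decodes a captured `SAMLResponse`, compares its `Destination` with the expected ACS URL (including the http/https scheme), checks the assertion's validity window, and uses `InResponseTo` to tell an SP-initiated sign-in from an IdP-initiated one. The function names, URLs and the sample message are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2021-03-01T10:00:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def inspect_saml_response(b64_response, expected_acs, now):
    """Summarise a SAMLResponse copied from a trace. Diagnostic only: no signature check."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not allowed in SAML messages")
    root = ET.fromstring(xml)
    report = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "name_id": root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS),
        # A response without InResponseTo was not requested by the SP (IdP-initiated).
        "flow": "SP-initiated" if root.get("InResponseTo") else "IdP-initiated",
    }
    problems = []
    if report["destination"] != expected_acs:
        problems.append("Destination does not match the expected ACS URL")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
            problems.append("assertion is outside its validity window")
    if report["flow"] == "IdP-initiated":
        problems.append("unsolicited response: no SP request preceded it")
    report["problems"] = problems
    return report

def sample_response(in_response_to=None):
    # Constructed message: every URL, ID and address below is a placeholder.
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' ID="_r1" Version="2.0" Destination="https://sp.example.test/acs"{irt}>'
           '<saml:Issuer>https://idp.example.test/entity</saml:Issuer><saml:Assertion>'
           '<saml:Subject><saml:NameID>student@school.example</saml:NameID></saml:Subject>'
           '<saml:Conditions NotBefore="2021-03-01T10:00:00Z"'
           ' NotOnOrAfter="2021-03-01T10:05:00Z"/></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

A service provider that only supports SP-initiated login rejects the unsolicited case, which is what a launcher icon on the IdP side produces.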
Ok, so I guess it didn't make sense to set up a Spark icon in G-Suite.
Thank you so much for your help Alister.
i got u