
Adobe - Incorrect SSO Procedure

New Here ,
May 14, 2019

Greetings,

Recently successfully federated. All is well except the SSO process provided by Adobe. The sign-in is taking in username (email address) and password, when it should ONLY be taking in the email address first to validate if the user should be redirected to an Identity Provider.

In this case, I can enter my domain in the email address and hit enter or since my users are logging in with their company or school account, they need to click "Sign in with an Enterprise ID". Either way the result is that my users are redirected to my IDP environment for credentialing. Adobe should not be accepting a password, that is why I federated, I control the credentialing and the access.

Adobe Employee ,
May 14, 2019

Hi Adobemuddy,

Currently, Adobe's SSO setup doesn't support passthrough authentication. Even if you have set up Federated identity, students will need to log in to the computer and then re-enter their credentials when signing in to Creative Cloud.

For more details see the following FAQ: Shared Device Licensing FAQ.

Let us know if this helps.

New Here ,
May 15, 2019

I'm not requesting PTA. I'm indicating that Adobe is currently accepting credentials where it shouldn't. The password field shouldn't be an option for federated users at an Adobe domain. Adobe should be redirecting to my IDP based on the user-submitted user@domain.com. My users should be entering their credentials at my domain, Adobe.

I can bypass the password field by just entering an email address that is part of my domain and a redirect occurs, forwarding the user to my IDP, but the password field SHOULD NOT be there in this context. Adobe shouldn't be accepting a password here, those are my users' credentials (my IDP performs the validation of my users).

Example: If I go to log into outlook.office365.com.

  1. I enter a username@mydomain.com
  2. Office365.com determines where the user should be directed for authentication; i.e. (ADFS)fs.mydomain.com
  3. I credential at fs.mydomain.com
  4. Upon successful authentication; forwarded back to outlook.office365.com with requested attributes

New Here ,
May 15, 2019

Not helpful.

I'm not asking for PTA.

I'm saying Adobe's authentication user interface shouldn't be pretending it is PTA by prompting for a password where it's not needed. It's confusing for users, especially since they'll have to do double entry; first "non-PTA" at Adobe, second at my IDP.

Adobe Employee ,
May 15, 2019

Users can begin the sign-in process by entering their email address or domain. Once they tab out of that field, we quickly check if it's a federated domain. In case it is, it switches over to your organization's sign-in page. Users won't need to enter a password on the sign in screen at all.

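The identifier-first flow discussed in this thread (look up the domain, then either redirect to the organization's IdP or ask for a password) can be sketched as follows. This is an added example, not Adobe's or Microsoft's code and not part of any post above; the function names, the domain table and the IdP URL are hypothetical, and it also shows a server-side rule that a password submitted for a federated domain is discarded rather than evaluated.

```javascript
// Constructed sample data: federated domains mapped to their IdP sign-in URL
// (hypothetical values, modelled on the fs.mydomain.com example in the thread).
const FEDERATED_DOMAINS = new Map([
  ["mydomain.com", "https://fs.mydomain.com/"],
]);

// Return the lower-cased domain of "user@domain" or of a bare domain;
// null when the input is not a plausible identifier.
function domainOf(identifier) {
  const value = String(identifier || "").trim().toLowerCase();
  const at = value.lastIndexOf("@");
  const domain = at === -1 ? value : value.slice(at + 1);
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

// Step 1: with only the identifier in hand, decide which screen comes next.
function discoverRealm(identifier) {
  const domain = domainOf(identifier);
  if (!domain) return { action: "reject", reason: "invalid identifier" };
  const idpUrl = FEDERATED_DOMAINS.get(domain);
  if (!idpUrl) return { action: "prompt_password" };
  return { action: "redirect", location: idpUrl };
}

// Step 2 (server side): even if a client showed a password field, a password
// posted for a federated domain is dropped before any verification or logging.
function handleSignIn({ identifier, password }) {
  const realm = discoverRealm(identifier);
  if (realm.action === "redirect") {
    return { ...realm, passwordDiscarded: password !== undefined };
  }
  if (realm.action === "prompt_password" && password !== undefined) {
    return { action: "verify_local_password" };
  }
  return realm;
}
```
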