jameso32010578
Known Participant
May 24, 2019
Answered

SSO logout URL

  • May 24, 2019
  • 3 replies
  • 3882 views

For Creative Cloud, if you are using SAML with Federated IDs for SSO, how are you managing the logout process? Adobe currently does not offer a place to enter an SLO (Single Logout) URL or endpoint in the Admin Console, so when you log out of the Adobe application/website it never redirects the user to the SSO logout page and thus never kills their SSO session. Obviously, this creates a huge problem because when the second user comes in and tries to log in, the system still sees user #1 as authenticated (since their SSO session never ended) and it just automatically lets user #2 in as user #1. This will go on and on with every user since user #1 never ends their SSO session. I advised Adobe Support of this and they basically said we don't support that right now and we will add it as a feature request. Not sure how you support SAML if you don't support the logout process. Allowing a login URL is only half the process. Curious if others found any workaround for this. Thanks.

Correct answer alisterblack

Hi,

As you have stated, we don't currently have support for this parameter in Creative Cloud; however, for most scenarios it is not needed.

Is the behaviour the same if you log out from the browser or just from the application or Desktop App?

Are you using a 'seamless SSO' deployment? What is your IdP?

3 replies

New Participant
February 24, 2020

Adding another vote/voice to this. It's bad form that Adobe did not bother to implement SSO single logout nor IDP initiated login.

sjkeith77
New Participant
August 2, 2019

I agree with Eric Vrieling, full SAML spec needs to be used by Adobe. I would like to be able to have users log in to AWS SSO and automatically be authenticated to Adobe Creative Cloud, but the lack of a full SAML spec prevents that as Adobe only allows SP Initiated SSO.

kglad
Community Expert
May 24, 2019
jameso32010578
Known Participant
May 24, 2019

Unfortunately, it does not. We've already gone through and set up those settings and SSO (Single Sign-On) works for federated IDs, but Adobe has no place to enter in your IdP's logout URL information. Without this info, Adobe never redirects the user to the SSO sign out link and thus never logs out their SSO session.

When configuring SSO, Adobe Admin Console only accepts the following information:

IdP Issuer

IdP Login URL

IdP Binding

User Login Setting

Nowhere do they ever ask for the logout information.

What's odd is when you set up SSO / IdP configuration settings with Adobe Sign it allows you to enter:

IdP Issuer - This value is provided by the IdP to uniquely identify your domain.

Login URL / SSO Endpoint - The URL that Adobe Sign will call to request a user login from the IdP.  The IdP is responsible for authenticating and logging in the user.

Logout URL / SLO Endpoint - When someone logs out of Adobe Sign, this URL is called to log them out of the IdP as well.

IdP Certificate - The authentication certificate issued by your IdP.

Why on earth would you not have the full IdP configuration settings in Adobe Admin Console for the CC Suite? It's there for Adobe Sign, but not in the Admin Console.
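For reference, this is what a service provider sends to an IdP's SLO endpoint under the SAML 2.0 HTTP-Redirect binding, together with the IdP-side decode. It is an added example, not part of this thread and not Adobe's code. The URLs, entity ID, NameID and SessionIndex are constructed values, and the request is left unsigned to keep the example short.

```python
import base64, uuid, zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap on inflated size, guards against decompression bombs

def build_logout_redirect(slo_url, sp_entity_id, name_id, session_index):
    """SP side: URL the browser is sent to when the user logs out of the SP."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": slo_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    # SessionIndex ties the request to the IdP session created at login
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    # HTTP-Redirect binding: raw DEFLATE (wbits=-15), then base64, then URL-encode
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = deflater.compress(ET.tostring(req)) + deflater.flush()
    return slo_url + "?" + urlencode({"SAMLRequest": base64.b64encode(packed).decode()})

def parse_logout_redirect(url):
    """IdP side: decode the request and return who and which session to end.
    A real IdP must also verify the request signature before acting on it."""
    packed = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(packed, MAX_XML)
    if not inflater.eof:  # stream did not finish within the size cap
        raise ValueError("LogoutRequest truncated or over size limit")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread
    url = build_logout_redirect("https://idp.example.edu/saml/slo",
                                "https://sp.example.com/metadata",
                                "user1@example.edu", "_session-abc123")
    print(url)
    print(parse_logout_redirect(url))
```

Without a configured SLO endpoint the SP has nowhere to send this message, so the IdP session named by `SessionIndex` stays alive after the application logout.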

Bani Verma
Community Manager
May 27, 2019

Moving this query to Enterprise & Teams community.