SSO logout URL

Community Beginner ,
May 24, 2019


For Creative Cloud, if you are using SAML with Federated IDs for SSO, how are you managing the logout process? Adobe currently does not offer a place to enter an SLO (Single Logout) URL or endpoint in the Admin Console, so when you log out of the Adobe application/website it never redirects the user to the SSO logout page and thus never kills their SSO session. Obviously, this creates a huge problem because when the second user comes in and tries to log in, the system still sees user #1 as authenticated (since their SSO session never ended) and it just automatically lets user #2 in as user #1. This will go on and on with every user since user #1 never ends their SSO session. I advised Adobe Support of this and they basically said we don't support that right now and we will add it as a feature request. Not sure how you support SAML if you don't support the logout process. Allowing a login URL is only half the process. Curious if others found any workaround for this. Thanks.

Adobe Community Professional ,
May 24, 2019

Community Beginner ,
May 24, 2019


Unfortunately, it does not. We've already gone through and set up those settings and SSO (Single Sign-On) works for federated IDs, but Adobe has no place to enter in your IdP's logout URL information. Without this info, Adobe never redirects the user to the SSO sign out link and thus never logs out their SSO session.

When configuring SSO, Adobe Admin Console only accepts the following information:

IdP Issuer

IdP Login URL

IdP Binding

User Login Setting

Nowhere do they ever ask for the logout information.

What's odd is when you set up SSO / IdP configuration settings with Adobe Sign it allows you to enter:

IdP Issuer - This value is provided by the IdP to uniquely identify your domain.

Login URL / SSO Endpoint - The URL that Adobe Sign will call to request a user login from the IdP.  The IdP is responsible for authenticating and logging in the user.

Logout URL / SLO Endpoint - When someone logs out of Adobe Sign, this URL is called to log them out of the IdP as well.

IdP Certificate - The authentication certificate issued by your IdP.

Why on earth would you not have the full IdP configuration settings in Adobe Admin Console for the CC Suite? It's there for Adobe Sign, but not in the Admin Console.

Adobe Employee ,
May 27, 2019

Copy link to clipboard

Copied

Moving this query to the Enterprise & Teams community.

Adobe Employee ,
May 27, 2019

Copy link to clipboard

Copied

Hi,

As you have stated, we don't currently have support for this parameter in Creative Cloud however for most scenarios it is not needed.

Is the behaviour the same if you log out from the browser or just from the application or Desktop App?

Are you using a 'seamless SSO' deployment? What is your IdP?

Community Beginner ,
May 28, 2019

Copy link to clipboard

Copied

How is it not needed in most scenarios? If you don't log out the session with the IdP you are running the risk of orphaned SSO sessions which is basically going to allow unauthenticated users access to the service with someone else's session. Logging out on the Adobe side without terminating the SSO session is only ending the local login for Adobe and is still leaving the user authenticated with the IdP.

This behavior is the same with both the browser (Adobe website) and the CC applications. Logging out of Adobe without any redirect back to the IdP logout URL does not end the authenticated user's session with the IdP. As long as the user authenticates with SSO it doesn't matter if it's through the browser or application...the logout behavior is the same because Adobe is not passing that logout information back to the IdP.

Our IdP is Enboard (enboard.com). Our SSO deployments work with every other application, but those applications also allow us to enter both a login as well as a logout URL for the SAML process.

A simple example is to look at Google since they are one of the largest app providers (Service provider SSO set up - G Suite Admin Help). To fully support SAML-based SSO with a 3rd party IdP you need to be able to enter both a sign-in URL as well as a sign-out URL that redirects the user back to the IdP to open or close their session.

Is there some other way you can recommend for ending the SSO session without redirecting the user to the IdP logout URL upon logging off with Adobe? For security reasons, we simply cannot allow orphaned SSO sessions to exist and risk one student accessing a service under another student's authenticated session.

Thank you.

Adobe Employee ,
May 29, 2019

Copy link to clipboard

Copied

Adobe SSO is SP initiated only and you won't see IDP initiated features. We are introducing closer integration with Google IdP and others soon.

For Shared Device Licenses users are prompted for Account Confirmation periodically and logged out if that is not done. When you log out of the application or website your session is ended, and the next user needs to authenticate again.

https://helpx.adobe.com/enterprise/using/sdl-faq.html

Community Beginner ,
May 29, 2019

Copy link to clipboard

Copied

SAML Single Logout is a SP-initiated feature so I'm not sure why Adobe SSO being SP initiated only is an issue.

I have already proven to Adobe Support via a remote login session that the behavior you would expect is not true. When you log out of the Adobe application or website (using a shared device license), your local Adobe session is ended, but the SSO authenticated session is not. Therefore the next user does not authenticate again. In fact, they aren't even given the chance to. As soon as they choose to use an enterprise/federated ID to log in with and it redirects the user to the SSO login URL, it sees the previous user is still authenticated (even though they logged out of the Adobe application and closed it) and it opens the application for the new user under the previous user's authenticated session. Since the SSO session never ended, the SAML process found the orphaned session still active and used it for the new user. This is not the desired effect and in fact is a pretty big security flaw.

Under the SAML 2.0 documentation there is an entire section on SP-initiated Single Logout:

It specifies that the SP initiates the request by returning a digitally signed LogoutRequest SAML message to the end-user's browser, which is used to validate the request to the IdP. The IdP's SLO endpoint is then appended with the LogoutRequest, which is a dedicated URL that expects to receive SLO messages, and this is returned to the user's browser via a 302 HTTP redirection response. The user's browser follows the redirect and requests the IdP's SLO URL with the LogoutRequest. The IdP terminates its own logon session and sends a final LogoutResponse message back to the initiating SP. This LogoutResponse matches the original LogoutRequest that was initiated from the SP. The SP then terminates its own logon session for the end user and displays a logout page. Both the SP logon session as well as the IdP logon session should now be terminated.

So SAML fully supports SP-initiated logout to the IdP....Adobe just hasn't configured their system to use the feature. You need to allow the user to enter the IdP logout URL/endpoint in the Adobe Admin Console and then Adobe can use that information to create a proper SAML response when the user initiates a logout request from either the website or application.

Hopefully Adobe can add this soon because as I already indicated, the first user's SSO session remains active even after they log out of Adobe and close the application so when any users come after them they are not asked to authenticate again and instead access the first user's orphaned SSO account that was never terminated with the IdP.

alisterblack

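The two behaviours argued over in this thread, side by side, as an added example that is not part of the original discussion and is not Adobe's or any IdP vendor's code: the SP-only logout that leaves the IdP session alive for the next student (the original post and the May 28 reply), and the SP-initiated Single Logout exchange the May 29 reply walks through (LogoutRequest carried to the IdP SLO endpoint in a 302, IdP session terminated, LogoutResponse matched to the request by InResponseTo). The model is a constructed Python toy using only the standard library; the entity IDs, endpoints and the two student names are invented, and the redirect-binding signature (SigAlg/Signature over the query string) is omitted because it needs an RSA/XML-DSig library, so a deployable SP must add it.

```python
"""Constructed model of SAML 2.0 SP-initiated Single Logout over the HTTP-Redirect binding."""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAMLA = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical entity IDs and endpoints; not Adobe's or any real IdP's values.
SP_ENTITY_ID, SP_SLO_URL = "https://sp.example.edu/saml", "https://sp.example.edu/saml/slo"
IDP_ENTITY_ID, IDP_SLO_URL = "https://idp.example.edu/saml", "https://idp.example.edu/saml/slo"

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def redirect_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode for the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote_plus(base64.b64encode(deflated).decode())

def decode_saml_param(url, name):
    """Pull SAMLRequest/SAMLResponse out of a redirect URL and inflate it back to XML."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    return zlib.decompress(base64.b64decode(params[name]), -15).decode()

class IdP:
    def __init__(self):
        self.sessions = {}  # SessionIndex -> username: the IdP-side SSO session

    def authn(self, browser, user_at_keyboard):
        """Answer an SP-initiated AuthnRequest; returns (asserted user, SessionIndex, prompted?)."""
        sid = browser.get("idp_sid")
        if sid in self.sessions:
            # Live SSO session: no prompt, whoever holds the browser is asserted as its owner.
            return self.sessions[sid], sid, False
        sid = "_" + secrets.token_hex(8)
        self.sessions[sid] = user_at_keyboard  # fresh interactive authentication
        browser["idp_sid"] = sid
        return user_at_keyboard, sid, True

    def handle_slo(self, browser, location):
        """Validate the SP's LogoutRequest, end the IdP session, answer with a LogoutResponse."""
        req = ET.fromstring(decode_saml_param(location, "SAMLRequest"))
        if req.get("Destination") != IDP_SLO_URL or req.findtext(f"{{{SAMLA}}}Issuer") != SP_ENTITY_ID:
            raise ValueError("LogoutRequest not addressed to this IdP from a known SP")
        self.sessions.pop(req.findtext(f"{{{SAMLP}}}SessionIndex"), None)
        browser.pop("idp_sid", None)
        xml_text = (
            f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAMLA}" ID="_{secrets.token_hex(16)}" '
            f'Version="2.0" IssueInstant="{_now()}" Destination="{SP_SLO_URL}" InResponseTo="{req.get("ID")}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status></samlp:LogoutResponse>')
        return f"{SP_SLO_URL}?SAMLResponse={redirect_encode(xml_text)}"

class SP:
    def __init__(self, idp):
        self.idp, self.session, self.pending = idp, None, {}  # pending: LogoutRequest IDs we issued

    def login(self, browser, user_at_keyboard):
        user, sid, prompted = self.idp.authn(browser, user_at_keyboard)
        self.session = (user, sid)
        return user, prompted

    def build_logout_request(self):
        """302 Location for the IdP SLO endpoint with the LogoutRequest in the query string. A real
        SP also appends SigAlg= and Signature=; signing needs an RSA/XML-DSig library, omitted here."""
        user, sid = self.session
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = user
        xml_text = (
            f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAMLA}" ID="{req_id}" '
            f'Version="2.0" IssueInstant="{_now()}" Destination="{IDP_SLO_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer><saml:NameID>{user}</saml:NameID>'
            f'<samlp:SessionIndex>{sid}</samlp:SessionIndex></samlp:LogoutRequest>')
        return f"{IDP_SLO_URL}?SAMLRequest={redirect_encode(xml_text)}"

    def consume_logout_response(self, url):
        """Accept only a Success response from our IdP that answers a request we actually sent."""
        resp = ET.fromstring(decode_saml_param(url, "SAMLResponse"))
        if resp.findtext(f"{{{SAMLA}}}Issuer") != IDP_ENTITY_ID or resp.get("InResponseTo") not in self.pending:
            raise ValueError("unsolicited or mis-issued LogoutResponse")
        del self.pending[resp.get("InResponseTo")]  # one response per request, so no replay
        return resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value") == STATUS_SUCCESS

    def slo_logout(self, browser):
        """Full SP-initiated SLO: send LogoutRequest, drop our session, check the LogoutResponse."""
        location = self.build_logout_request()
        self.session = None
        return self.consume_logout_response(self.idp.handle_slo(browser, location))

def shared_device_scenario(use_slo):
    """Student 1 signs in and logs out, student 2 signs in on the same browser. Returns
    (who the SP is now logged in as, whether the IdP prompted for credentials)."""
    idp = IdP()
    sp, browser = SP(idp), {}
    sp.login(browser, "student1")
    if use_slo:
        sp.slo_logout(browser)
    else:
        sp.session = None  # SP-only logout as the thread describes: the IdP session survives
    return sp.login(browser, "student2")
```

Calling `shared_device_scenario(False)` reproduces the complaint: the second login is answered for student1 with no prompt, because the IdP still holds a live SessionIndex for the browser. With `use_slo=True` the IdP session is gone and student2 is prompted. On the validation side, the IdP only honours a LogoutRequest whose Destination is its own SLO URL and whose Issuer is a registered SP, and the SP only accepts a LogoutResponse from its IdP whose InResponseTo matches an outstanding request, forgetting that ID afterwards so a captured response cannot be replayed.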
New Here ,
Jul 23, 2019

Copy link to clipboard

Copied

Can we get an update on fixing the problem of orphaned SSO sessions as outlined above? This is an urgent, important issue that affects SSO deployment for many people, including me. Other large players in this space (i.e. Office 365) fully adhere to the SAML spec. Why did Adobe only implement a portion and think it was okay?

New Here ,
Oct 29, 2019


Is there any update on this issue?

This issue is severely affecting our SSO deployment.

 

New Here ,
Aug 02, 2019

Copy link to clipboard

Copied

I agree with Eric Vrieling, the full SAML spec needs to be used by Adobe. I would like to be able to have users log in to AWS SSO and automatically be authenticated to Adobe Creative Cloud, but the lack of a full SAML spec prevents that as Adobe only allows SP-initiated SSO.

New Here ,
Feb 24, 2020

Copy link to clipboard

Copied

Adding another vote/voice to this. It's bad form that Adobe did not bother to implement SSO single logout nor IDP initiated login.
