We've already gone through and set up those settings, and SSO (Single Sign-On) works for federated IDs, but Adobe has no place to enter your IdP's logout URL information. Without this info, Adobe never redirects the user to the SSO sign-out link and thus never logs out their SSO session. When configuring SSO, Adobe Admin Console only accepts the following information:

Nowhere do they ever ask for the logout information.

What's odd is that when you set up SSO / IdP configuration settings with Adobe Sign it allows you to enter:

- IdP Issuer - This value is provided by the IdP to uniquely identify your domain.
- Login URL / SSO Endpoint - The URL that Adobe Sign will call to request a user login from the IdP. The IdP is responsible for authenticating and logging in the user.
- Logout URL / SLO Endpoint - When someone logs out of Adobe Sign, this URL is called to log them out of the IdP as well.
- IdP Certificate - The authentication certificate issued by your IdP.

Why on earth would you not have the full IdP configuration settings in Adobe Admin Console for the CC Suite? It's there for Adobe Sign, but not in the Admin Console.

How is it not needed in most scenarios? If you don't log out the session with the IdP you are running the risk of orphaned SSO sessions, which is basically going to allow unauthenticated users access to the service with someone else's session. Logging out on the Adobe side without terminating the SSO session is only ending the local login for Adobe and is still leaving the user authenticated with the IdP. This behavior is the same with both the browser (Adobe website) and the CC applications. Logging out of Adobe without any redirect back to the IdP logout URL does not end the authenticated user's session with the IdP. As long as the user authenticates with SSO it doesn't matter if it's through the browser or the application. The logout behavior is the same because Adobe is not passing that logout information back to the IdP.

A simple example is to look at Google, since they are one of the largest app providers (Service provider SSO set up - G Suite Admin Help). Our SSO deployments work with every other application, but those applications also allow us to enter both a login as well as a logout URL for the SAML process. To fully support SAML-based SSO with a third-party IdP you need to be able to enter both a sign-in URL as well as a sign-out URL that redirects the user back to the IdP to open or close their session. For security reasons, we simply cannot allow orphaned SSO sessions to exist and risk one student accessing a service under another student's authenticated session. Is there some other way you can recommend for ending the SSO session without redirecting the user to the IdP logout URL upon logging off with Adobe?

SAML Single Logout is an SP-initiated feature, so I'm not sure why Adobe SSO being SP-initiated only is an issue. I have already proven to Adobe Support via a remote login session that the behavior you would expect is not true. When you log out of the Adobe application or website (using a shared device license), your local Adobe session is ended, but the SSO authenticated session is not. Therefore the next user does not authenticate again. In fact, they aren't even given the chance to. As soon as they choose to use an enterprise/federated ID to log in with and it redirects the user to the SSO login URL, it sees the previous user is still authenticated (even though they logged out of the Adobe application and closed it) and it opens the application for the new user under the previous user's authenticated session. Since the SSO session never ended, the SAML process found the orphaned session still active and used it for the new user. This is not the desired effect and in fact is a pretty big security flaw. Under the SAML 2.0 documentation there is an entire section on SP-initiated Single Logout.
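The SP-initiated Single Logout exchange the post is asking Adobe to support, as an added example (it is not code from the post, from Adobe, or from any SAML library): a Python sketch of the HTTP-Redirect binding, with a toy IdP session table that reproduces why a local-only logout leaves the next user of a shared device inside the previous user's session. The SP entity ID `https://sp.example.edu/saml/metadata`, the IdP sign-out URL `https://idp.example.edu/saml/slo`, and every user name and session identifier are constructed for this example. The toy IdP treats the browser's IdP cookie and the SAML SessionIndex as the same string, and the request is unsigned; a production SP signs the redirect query (`SigAlg`/`Signature`) and the IdP verifies it before ending anything.

```python
# SP-initiated SAML 2.0 Single Logout, HTTP-Redirect binding, plus a toy IdP (example code).
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Hypothetical identifiers, constructed for this example.
SP_ENTITY_ID = "https://sp.example.edu/saml/metadata"
IDP_SLO_URL = "https://idp.example.edu/saml/slo"   # the IdP "sign-out URL" the post wants to configure


def build_logout_request(name_id: str, session_index: str, request_id: Optional[str] = None,
                         sp_entity_id: str = SP_ENTITY_ID, destination: str = IDP_SLO_URL) -> str:
    """The <samlp:LogoutRequest> an SP sends to the IdP when the user logs out locally."""
    request_id = request_id or "_" + uuid.uuid4().hex
    instant = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    dest_attr = escape(destination, {'"': "&quot;"})
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{instant}" Destination="{dest_attr}">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{escape(name_id)}</saml:NameID>"
        f"<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def logout_redirect_url(xml: str, relay_state: Optional[str] = None,
                        idp_slo_url: str = IDP_SLO_URL) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state   # where the IdP sends the browser afterwards
    return f"{idp_slo_url}?{urlencode(params)}"


def decode_redirect_url(url: str) -> dict:
    """IdP side: inflate the query parameter and extract the fields needed to end the session."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
        "relay_state": qs.get("RelayState", [None])[0],
        "endpoint": f"{parsed.scheme}://{parsed.netloc}{parsed.path}",
    }


class ToyIdp:
    """Minimal IdP session table; cookie and SessionIndex are the same string (a simplification)."""

    def __init__(self, slo_url: str = IDP_SLO_URL):
        self.slo_url = slo_url
        self.active: dict = {}           # session_index -> authenticated principal

    def authenticate(self, name_id: str) -> str:
        idx = "_s" + uuid.uuid4().hex
        self.active[idx] = name_id
        return idx                       # becomes the IdP cookie in the browser

    def sso_login(self, cookie: Optional[str]) -> Optional[str]:
        """On an AuthnRequest the IdP reuses a live session instead of prompting for credentials."""
        return self.active.get(cookie)

    def handle_logout(self, url: str) -> str:
        req = decode_redirect_url(url)
        # SAML Destination check: the request must name, and arrive at, this IdP's SLO endpoint.
        if req["destination"] != self.slo_url or req["endpoint"] != self.slo_url:
            return STATUS_REQUESTER
        if self.active.pop(req["session_index"], None) is None:
            return STATUS_REQUESTER      # unknown session: nothing to terminate
        return STATUS_SUCCESS


def next_user_sees(sp_sends_slo: bool) -> Optional[str]:
    """Shared device: alice signs in, logs out of the application, then bob clicks the federated-ID
    button. Returns the principal the IdP hands the SP for bob, or None if bob must authenticate."""
    idp = ToyIdp()
    cookie = idp.authenticate("alice@example.edu")
    if sp_sends_slo:                     # what a configured IdP sign-out URL enables
        idp.handle_logout(logout_redirect_url(build_logout_request("alice@example.edu", cookie)))
    # The SP's local session is gone either way; the browser still carries alice's IdP cookie.
    return idp.sso_login(cookie)
```

`next_user_sees(False)` models the behaviour described in the post: the SP drops its own session, the IdP cookie survives, and the next AuthnRequest is answered with alice's identity without a credential prompt. `next_user_sees(True)` models an SP that redirects to the IdP's SLO endpoint on logout, after which the same cookie no longer matches a live session and bob has to sign in himself.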