Update deprecated SAML setup

Adobe has discontinued support of deprecated SAML setups (including the SHA-256 Pilot) for federated directories within the Adobe Admin Console.

If your organization has federated directories with a deprecated SAML setup, you no longer meet the minimum system configuration requirements necessary to access Adobe products and services. Update your configuration now to reinstate access for end-users of affected directories.

Caution:
  • Choosing the Microsoft Azure option for the configuration only configures the identity provider and does not include directory sync service. Setting up sync service with an existing directory requires deletion of all directory users, permanently deleting access to products, services, and storage. If your organization has an existing federated directory, it is recommended that you wait to adopt the Azure AD Connector in a future release when sync can be added to an existing directory without the need to permanently delete directory users.
  • Before making any SAML changes, we strongly recommend that you export a user list from the Admin Console or Consoles involved. This list provides a snapshot of all user data, including name, email, assigned product profiles, and assigned admin roles, in case a rollback needs to be performed.
  • You may plan to consolidate domains during your SAML update process. There are specific steps to follow to migrate a domain that includes a trust relationship. To prevent loss of user account and product access in the trustee’s organization, do not revoke a trust relationship when migrating a trusted domain.

A self-service feature is available in the Adobe Admin Console that allows your organization to seamlessly update the federation setup. This update does not require any downtime and allows you to test the setup prior to integration.

This update aligns with industry standards, providing a more secure and direct integration between Adobe and your directory's authentication profiles. With this solution, you can leverage the same directory as well as integrate directly with your identity provider, such as Azure, Google, or any other SAML 2.0 provider.

Access requirements

To update a deprecated SAML setup, you need to meet the following requirements:

  • Access to your organization's Adobe Admin Console with System Administrator credentials
  • An existing directory configured for federation in the Admin Console that requires update, indicated with a warning icon in the Settings section of your organization’s Admin Console
  • Access to configure your organization's identity provider (for example, Microsoft Azure Portal, Google Admin console, etc.)

For other things to consider during implementation, see Implementation Considerations.

Migration procedure

After you've ensured the access requirements and implementation considerations are met, follow the procedure below to edit your authentication profile and migrate your directory:

  1. In your Adobe Admin Console, go to Settings > Directories.

  2. Select the Edit action for the directory. Then, select Add new IdP in the directory Details.

  3. Select the identity provider to set up the new authentication profile. Choose the identity provider (IdP) that your organization uses to authenticate users. Click Next.

  4. Based on your choice of Identity provider, follow the steps below:

    • For Azure:
      Log in to Azure with your Microsoft Azure Active Directory Global Admin credentials and accept the permission prompt. You're taken back to the Directory details in the Admin Console.

      Note:
      • The Microsoft Global Admin login is only required to create an application in the organization's Azure Portal. The Global Admin's login information is not stored, and only used for the one-time permission to create the application.
      • When selecting the identity provider in Step 3 above, do not use the Microsoft Azure option if the Username field in the Adobe Admin Console does not match the UPN field in Azure. If the existing directory is configured to pass Username as the User Login Setting, the new IdP should be established under the Other SAML Providers option. The login setting can be confirmed by selecting the Edit option in the current directory under User Login Setting.
      • Choosing the Microsoft Azure option in Step 3 only configures the identity provider and does not include directory sync services at this time.
    • For Google:

      1. Copy the ACS URL and Entity Id from the Edit SAML Configuration screen.
      2. In a separate window, log in to the Google Admin console with Google Admin credentials and navigate to Apps > SAML Apps.
      3. Use the + sign to add a new app and select the Adobe app. Then, download the IdP metadata under Option 2 and upload it to the Edit SAML Configuration in the Adobe Admin Console. Then, click Save.
      4. Confirm the Basic Information for Adobe. Enter the previously copied ACS URL and Entity ID in the Service Provider Details to finish. Note that there is no need to set up User Provisioning as this is not currently supported for existing directories.
      5. Last, go to Apps > SAML apps > Settings for Adobe > Service Status. Set Service Status to ON for everyone and Save.

    • For Other SAML Providers:

      1. Log in to your identity provider's application in a different window and create a new SAML app. (To prevent downtime during migration, do not edit the existing SAML app.)
      2. Based on your identity provider's settings, copy the Metadata file or ACS URL and Entity ID from the Adobe Admin Console to the identity provider's settings.
      3. Upload the metadata file from the identity provider setup to the Adobe Admin Console. Then, click Save.
  5. In the Adobe Admin Console > Directory Details, the new authentication profile is created. Use the Test feature to verify whether the configuration is set up correctly to ensure all users can access their designated apps.

    Note that the Test feature only validates SSO configuration. You will need to verify that the username format, displayed on the successful Test page, matches the username in the Adobe Admin Console for the user that performed the test.

  6. Click Activate to migrate to the new authentication profile. Once done, the new profile displays In use.

    Before you activate, use the Directory users section in the Admin Console to verify that the identity provider usernames match Adobe Admin Console usernames.

    For SAML, make sure that the Subject field in the assertion from the new configuration matches the existing users' username format in the Admin Console.

    Caution:

    Once a new IdP configuration is active, the Okta SHA-1 profile remains inactive and available for seven days. After seven days, the inactive profile card is automatically removed from the Admin Console directory. The only way to restore a removed Okta profile is to raise a support request with Adobe Engineering.
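
The username check from steps 5 and 6, as an added example (not Adobe's code): it extracts the Subject NameID from a base64-encoded SAML response captured during the Test step and compares it with the usernames in the exported user list. The `Username` column name, the sample export, and the sample response are constructed assumptions; the script compares username format only and does not validate the assertion's signature.

```python
import base64
import csv
import io
import xml.etree.ElementTree as ET  # fine for your own test capture, not untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed sample export; the column names are assumptions.
SAMPLE_EXPORT = ("Identity Type,Username,Domain,Email\n"
                 "Federated ID,jdoe@example.com,example.com,jdoe@example.com\n"
                 "Federated ID,asmith@example.com,example.com,asmith@example.com\n")

def sample_response(name_id):
    """Build a constructed, unsigned SAML response carrying the given Subject."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f'<saml:Subject><saml:NameID Format="{EMAIL_FMT}">{name_id}</saml:NameID>'
           '</saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def subject_name_id(response_b64):
    """Return (value, Format) of the Subject NameID in a base64 SAML response."""
    root = ET.fromstring(base64.b64decode(response_b64))
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("no Subject NameID in assertion")
    return node.text.strip(), node.get("Format", "")

def load_usernames(export_csv, column="Username"):
    """Map lower-cased username to the username exactly as exported."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return {r[column].strip().lower(): r[column].strip() for r in rows if r.get(column)}

def check_subject(response_b64, export_csv):
    """Classify the asserted Subject against the exported directory users."""
    name_id, _fmt = subject_name_id(response_b64)
    users = load_usernames(export_csv)
    stored = users.get(name_id.lower())
    if stored is not None:  # a difference in letter case only is flagged for review
        return "match" if stored == name_id else "case-mismatch"
    local = name_id.split("@")[0].lower()
    if any(u.split("@")[0] == local for u in users):
        return "format-mismatch"  # short name or other domain vs. stored username
    return "unknown-user"

if __name__ == "__main__":
    for s in ("jdoe@example.com", "JDoe@example.com", "jdoe", "nobody@example.com"):
        print(s, "->", check_subject(sample_response(s), SAMPLE_EXPORT))
```

Run it against the response from each test login before clicking Activate; any result other than `match` means the new profile's Subject needs adjusting at the identity provider.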

After you've updated your directory setup, you can move domains from other SHA-1 directories to the new directory using domain migration. There are specific steps to follow to migrate a domain that includes a trust relationship. To prevent loss of user account and product access in the trustee’s organization, do not revoke a trust relationship when migrating a trusted domain.

Note:

Users of the migrated domains must be in the identity provider that is configured to work with the new target directory.

To learn more about some limitations and avoid errors that you might encounter while configuring, see Common questions: Migrate directory to new authentication provider.
