Update SSO certificate

If you have set up SSO for your identity provider (IdP) with the Adobe Admin Console and your end users can't log in to their Adobe apps and services, the SAML certificate may have expired.

Issue

You face any of the following issues:

  • End users are logged out and can't sign in to the Adobe Creative Cloud web, mobile, or desktop apps.
  • When they attempt to sign in, end users see error messages such as the following:
    • SAML certification validation failed.
    • The digital signature in the SAML response did not validate with the identity provider's certificate.
  • Admins can't add, remove, or manage users or product profiles.
  • You want to renew a SAML certificate that is about to expire.

Cause

In a SAML exchange, the two entities that are involved are:

  • Identity Provider (IdP)
    The IdP certificate is owned and managed by the customer inside their own IdP (ADFS, Okta, Shibboleth) and is uploaded into the Admin Console.
  • Adobe, which acts as a Service Provider (SP)
    Adobe's SP metadata and certificate are managed in the Admin Console and uploaded to the customer's IdP.

Both entities have their own certificates, which are used to establish trust. If the SAML certificate has expired, the other side can no longer validate signatures and your end users cannot log in to their Adobe apps and services.

Admin Console notification

Adobe will inform you when an Adobe-generated certificate is set to expire or has expired with a banner notification in the Admin Console along with a status update per directory. To view the status of a SAML certificate, navigate to Settings > Identity Settings and review the Status column of the Directories tab.

Resolution

SAML Setup

If your certificates have expired or are about to expire, you can update the federation setup directly in the Admin Console. The SAML certificates are updated along with the SAML setup.

Note:

If your IdP does not check the validity of the Adobe certificate, an expired certificate does not break logins and no action is required.

As a System Admin, you can directly update and manage self-signed certificates from the Admin Console by following these steps:

  1. On the Admin Console, navigate to Settings > Identity > (Directory Name) > Authentication.

  2. Click Edit and then click Next.

  3. View the available certificates and their status. You can either generate a new self-signed certificate (step 4) or create a new certificate signing request for your CA (step 5).

    Note:

    A self-signed certificate is more convenient and is consistent with security best practices. Opt for a self-signed certificate unless your organization has specific requirements that it cannot satisfy.

  4. Click Generate New Certificate.

    A new SAML certificate will be generated within the selected federated directory for an active SAML configuration.

  5. Alternatively, create a new certificate signing request (CSR).

    Click Create a certificate signing request and enter the details requested in the dialog that displays. A CSR only takes effect as the SAML certificate once you complete the process with your certificate authority (CA):

    1. Submit the CSR to your CA and obtain the issued certificate.
    2. Back in the Admin Console, go to Actions and click Complete.
    3. Upload the certificate file issued by the CA, click Complete, and then click Done.

Once a certificate is successfully created, additional actions will be available, including set as default, activate, deactivate, download metadata, download certificate, and delete.

If your IdP supports multiple certificates, follow these steps to rotate the certificate without any login interruptions:

  1. Upload the new certificate in addition to the old one into your IdP.

  2. Set the new certificate as default in the Adobe Admin Console.

  3. Test login.

  4. Remove the old certificate from your IdP configuration.

  5. Disable/delete the old certificate.

Note:

It's recommended to disable the old certificate rather than delete it, since deletion is irreversible.

If your IdP does NOT support multiple certificates, pick a downtime interval to perform the renewal:

  1. Upload the new certificate into your IdP.

  2. Set the new certificate as default in the Adobe Admin Console.

  3. Test login.

  4. Disable the old certificate.

  5. If you don't encounter any issue, delete the old certificate.

Note:

It's recommended that you wait for some time before deleting the old certificate since deleting certificates is irreversible.
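Whether you rotate with or without login interruptions, it is worth checking independently which certificates your IdP actually holds for Adobe and when each of them expires, rather than relying on the Admin Console banner alone. The script below is an added example, not part of this article or of Adobe's tooling: it parses SAML metadata (such as the metadata downloaded from the Admin Console, or the SP configuration exported from your IdP), pulls every ds:X509Certificate out of the md:KeyDescriptor elements, reads the notAfter date straight from the DER structure with only the Python standard library, and reports each certificate as ok, expiring, or expired. The 30-day warning window, the entity ID, and the two sample certificates (one expired, one freshly rotated, built unsigned for offline testing) are assumptions made for the example.

```python
"""Check the X.509 certificates in SAML metadata for expiry (stdlib only)."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WARN_DAYS = 30  # assumed renewal window for this example, not an Adobe-defined value


# --- minimal DER helpers ----------------------------------------------------
def _der(tag, content):
    """Encode one DER TLV (used only to construct the demo certificates)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _time(tag, value):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) as UTC."""
    s = value.decode("ascii")
    if tag == 0x17:                          # YYMMDDHHMMSSZ, RFC 5280 century rule
        yy = int(s[:2])
        s = ("19" if yy >= 50 else "20") + s
    elif tag != 0x18:                        # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)               # [0] version (v2/v3) or serialNumber (v1)
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)               # issuer Name
    _, validity, _ = _tlv(tbs, pos)          # Validity SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _time(t1, nb), _time(t2, na)


def check_metadata(xml_text, now):
    """List every ds:X509Certificate in SAML metadata with its expiry status."""
    report = []
    root = ET.fromstring(xml_text)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))   # PEM body may be wrapped
            _, not_after = cert_validity(der)
            days = (not_after - now).days
            status = "expired" if days < 0 else "expiring" if days < WARN_DAYS else "ok"
            report.append({"use": kd.get("use", "any"), "not_after": not_after,
                           "days_left": days, "status": status})
    return report


# --- constructed sample: an SP that still lists an expired cert next to a new one
def build_test_cert(not_before, not_after):
    """Structurally minimal, UNSIGNED X.509 v3 certificate for offline testing only."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                       + _der(0x0C, b"demo SAML SP"))))
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name + _der(0x30, utc(not_before) + utc(not_after)) + name
               + _der(0x30, alg + _der(0x03, b"\x00\x00")))   # placeholder key
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))     # placeholder signature


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so results are reproducible
OLD = build_test_cert(datetime(2023, 5, 1, tzinfo=timezone.utc), datetime(2024, 5, 1, tzinfo=timezone.utc))
NEW = build_test_cert(datetime(2024, 5, 1, tzinfo=timezone.utc), datetime(2025, 5, 1, tzinfo=timezone.utc))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(OLD).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(NEW).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for row in check_metadata(SAMPLE_METADATA, NOW):
        print(f"{row['use']:8} notAfter={row['not_after']:%Y-%m-%d} days_left={row['days_left']:5} {row['status']}")
```

Run it against the real metadata file with `check_metadata(open(path).read(), datetime.now(timezone.utc))`. After a rotation, the old certificate should no longer appear in the IdP's copy of the SP configuration at all; a lingering "expired" row is the signal that step 4 (remove the old certificate from your IdP) was skipped.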

Audit logs

Actions taken related to the creation and management of certificates can be found in the audit logs.

To view the audit logs, go to the Admin Console and navigate to Insights > Logs > Audit log.
