If you have set up SSO for your identity provider (IdP) with the Adobe Admin Console and your end users can't log in to their Adobe apps and services, the SAML certificate may have expired.
Issue
You face any of the following issues:
- End users are logged out and can't sign in to the Adobe Creative Cloud web, mobile, or desktop apps.
- When they attempt to sign in, end users see error messages such as the following:
  - SAML certification validation failed.
  - The digital signature in the SAML response did not validate with the identity provider's certificate.
- Admins can't add, remove, or manage users or product profiles.
- Admins want to renew the SAML certificate, which is about to expire.
Cause
In a SAML exchange, the two entities involved are:
- The identity provider (IdP). The IdP certificate is owned and managed by the customer inside their own IdP (for example ADFS, Okta, or Shibboleth) and is uploaded into the Admin Console.
- Adobe, which acts as the service provider (SP). The Adobe entities are managed in the Admin Console and uploaded to the customer's IdP.
Both entities have their respective certificates, which are used to establish trust. If either certificate has expired, the SAML response can no longer be validated and end users cannot log in to their Adobe apps and services.
Admin Console notification
Adobe will inform you when an Adobe-generated certificate is set to expire or has expired with a banner notification in the Admin Console along with a status update per directory. To view the status of a SAML certificate, navigate to Settings > Identity Settings and review the Status column of the Directories tab.
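As an added example that is not Adobe's code, the following Go program (standard library only) reads the certificates out of an IdP's SAML metadata and flags any that sit inside a renewal window, giving you a check that does not depend on the Admin Console banner. The SampleMetadata document, its https://idp.example.com entity ID and the RenewNow window are assumptions constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"math/big"
	"strings"
	"time"
)
// metadata keeps only what this check needs from SAML 2.0 IdP metadata: every KeyDescriptor's certificate.
type metadata struct {
	Certs []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}
// CertStatus is the verdict for one certificate found in the metadata.
type CertStatus struct {
	NotAfter time.Time
	DaysLeft int  // negative once expired; logins then fail with the validation errors listed above
	RenewNow bool // within warnDays of expiry, or already past it: rotate before users are locked out
}
// CheckMetadata parses IdP metadata and evaluates every certificate in it against now.
func CheckMetadata(doc []byte, now time.Time, warnDays int) ([]CertStatus, error) {
	var md metadata
	if err := xml.Unmarshal(doc, &md); err != nil {
		return nil, err
	}
	var out []CertStatus
	for _, b64 := range md.Certs {
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), "")) // blob is often line-wrapped
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		out = append(out, CertStatus{NotAfter: cert.NotAfter, DaysLeft: days, RenewNow: days <= warnDays})
	}
	return out, nil
}
// SampleMetadata is a constructed document (not from any real IdP) around a fresh self-signed cert expiring at notAfter.
func SampleMetadata(notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return []byte(`<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com"><IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>` +
		base64.StdEncoding.EncodeToString(der) + `</X509Certificate></X509Data></KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>`)
}
```

Point CheckMetadata at the metadata downloaded from your IdP and alert on any RenewNow result; for the SP metadata the Admin Console lets you download, change the path prefix to SPSSODescriptor.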
Resolution
SAML Setup
If your certificates have expired or are about to expire, you can directly update the federation setup via the Admin Console. The SAML certificates are updated along with the SAML setup.
If your IdP does not check the validity of the certificate, no action is required.
As a System Admin, you can directly update and manage self-signed certificates from the Admin Console by following these steps:
- On the Admin Console, navigate to Settings > Identity > (Directory Name) > Authentication.
- Click Edit and then click Next.
- View the available certificates and their status. You can choose to generate a new certificate or a new certificate signing request.
  Note: The self-signed certificate is more convenient and is in accordance with security best practices. It is recommended to opt for a self-signed certificate unless your organization has specific requirements that a self-signed certificate cannot satisfy.
- To generate a new certificate, click Generate New Certificate. A new SAML certificate is generated within the selected federated directory for an active SAML configuration.
- To create a new signing request instead, click Create a certificate signing request, then:
  - In the dialog that displays, enter the details from your certificate authority (CA).
  - You must complete the process with your certificate authority for the request to go into effect as the SAML certificate.
  - Go to Actions and click Complete.
  - Upload the certificate file from the certificate authority and click Complete, and then click Done.
Once a certificate is successfully created, additional actions will be available, including set as default, activate, deactivate, download metadata, download certificate, and delete.
If your IdP supports multiple certificates, follow these steps to renew without any login interruption:
- Upload the new certificate, in addition to the old one, into your IdP.
- Set the new certificate as default in the Adobe Admin Console.
- Test login.
- Remove the old certificate from your IdP configuration.
- Disable or delete the old certificate. Disabling is recommended, since deleting is irreversible.
If your IdP does NOT support multiple certificates, pick a downtime interval in which to perform the renewal:
- Upload the new certificate into your IdP.
- Set the new certificate as default in the Adobe Admin Console.
- Test login.
- Disable the old certificate.
- If you don't encounter any issues, delete the old certificate. It's recommended that you wait for some time before deleting the old certificate, since deleting certificates is irreversible.
Audit logs
Actions taken related to the creation and management of certificates can be found in the audit logs.
To view the audit logs, go to the Admin Console and navigate to Insights > Logs > Audit log.