Resolve Adobe 'Discontinued Support of Deprecated SHA-1 IdP Certificates' Issue

Problem

Adobe has reached out to you and informed you that you need to update your IdP Integration to utilize the newer SHA-256 Directories. The alert resembles the article posted on Adobe's website: 

Solution

Create a new 'Directory' in Adobe as well as a new Relying Party Configuration for PortalGuard.

IMPORTANT NOTE: This update does NOT require creating a new Signing Certificate within PortalGuard, even if you are currently utilizing a SHA-1 'legacy' signing certificate. You should NOT update the signing certificate in PortalGuard without careful consideration, as this will break most existing configurations.

Relevant Adobe Documentation:

Solution Steps

In the Adobe Admin Console:

  1. Navigate to 'Settings > Directories'.

  2. Click 'Edit' for the directory with the problematic config (typically noted by a triangular 'caution' symbol).

  3. From the 'Edit' screen, select the 'Add new IdP' button.

  4. Select the 'Other SAML Providers' option and click 'Next'.

  5. Copy the provided 'ACS URL' and 'Entity ID' for reference on the PortalGuard side of things. 

    • NOTE: The 'ACS URL' and 'Entity ID' are going to be different from your existing configuration. 

  6. Scroll down and upload the PortalGuard Metadata file where requested. 

    • Adobe requires this to be in '.xml' format.  To generate this file, follow these steps:

      1. Open a new browser tab and navigate to https://YOUR.PG.URL/sso/metadata.ashx

        • Be sure to replace 'YOUR.PG.URL' with the appropriate host name for your PortalGuard website.

      2. This will prompt a file download.  Locate the 'metadata.ashx' file on your system and rename it to 'PortalGuard_Metadata.xml'. 

      3. Upload this file - with the .xml extension - to Adobe.

  7. Click the 'Save' button to commit these settings. 

  8. Back on the 'Edit Directory' screen, you'll see a new 'SAML Provider' marked as inactive. 

    • Once the steps in the subsequent section are completed, you'll be able to use the 'Test' button to validate the integration.
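Before uploading the renamed 'PortalGuard_Metadata.xml' from step 6, it is worth confirming that the file really is SAML IdP metadata and noting which hash the signing certificate inside it uses. The following is an added example (not PortalGuard's or Adobe's code) that does that with only the Python standard library: it checks the metadata shape, reads the entityID, and walks the DER of each signing certificate to report its signature algorithm. The entityID value and the stub certificate are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _tlv(buf, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # DER OID content bytes -> dotted string
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80: parts.append(str(val)); val = 0
    return ".".join(parts)

def cert_signature_algorithm(der):  # Certificate -> tbsCertificate -> signature AlgorithmIdentifier
    _, p, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                 # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                        # optional EXPLICIT [0] version
        p = end
    _, _, p = _tlv(der, p)                 # serialNumber INTEGER (skipped)
    _, p, _ = _tlv(der, p)                 # AlgorithmIdentifier SEQUENCE
    _, s, e = _tlv(der, p)                 # algorithm OID
    oid = _decode_oid(der[s:e])
    return SIG_OIDS.get(oid, oid)          # unknown OIDs are returned in dotted form

def check_metadata(xml_text):  # pre-upload check: IdP metadata shape, entityID, signing-cert hash
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML IdP metadata (EntityDescriptor/IDPSSODescriptor missing)")
    algs = [cert_signature_algorithm(base64.b64decode("".join(c.text.split())))
            for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
            for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entityID": root.get("entityID"), "signing_algs": algs,
            "sha1_signing_cert": any("sha1" in a.lower() for a in algs)}

# Constructed stand-in certificate (NOT a real X.509 cert): only the leading DER fields the walker reads,
# with signature algorithm sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11).
STUB_CERT = bytes.fromhex("3019 3017 a003020102 020101 300d 06092a864886f70d01010b 0500")
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://YOUR.PG.URL/sso/"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>""" % base64.b64encode(STUB_CERT).decode()
```

Run `check_metadata(open("PortalGuard_Metadata.xml").read())` against the downloaded file; a `ValueError` means the file is not IdP metadata and Adobe will not accept it.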

On the PortalGuard Server:

  1. Launch the Identity Provider Configuration Editor.

  2. Locate the existing Adobe configuration and select it.

  3. Click the 'Copy' button on the right-hand side to duplicate that config. 

  4. Update the following information on the 'General' tab:

    • Name:

      • This should be any name that makes sense for this config (e.g. Adobe Updated). This is only seen through the Identity Provider Configuration Editor and as a filename for the back-end config. 

    • Identifiers:

      • Click the 'Add' button and paste in the 'Entity ID' value from #5 above. 

    • Assertion Consumer URL:

      • Replace the existing value with the 'ACS URL' value from #5 above.

  5. Navigate to the 'Authorization' tab and click 'Add' to add a test user. 

    • This will limit visibility of this configuration to only the users defined within this 'Authorization' tab. Doing so helps prevent any other users from seeing multiple Adobe configurations on the SSO Jump Page while validation is ongoing.

    • Once the validation is confirmed and you are ready to proceed with using this config in Production, the 'Authorization' tab will need to be updated accordingly. 

  6. Save the new configuration. 

  7. Click the red 'Apply to Identity Provider' button and then click 'Sync' to apply these changes. 

Validate the new IdP Configuration Within Adobe

  1. Navigate to the Adobe Admin Console in an 'Incognito' or 'Private' browser session.

    • Be sure to follow steps #1 and #2 from the 'In the Adobe Admin Console' section above to get to the appropriate page.

  2. Click the 'Test' button on the new, inactive SAML Provider to validate the settings. 

    • If you are not redirected to PortalGuard please ensure you are testing from an 'Incognito' or 'Private' browser session.  This ensures a fresh PortalGuard session for testing. 

    • If you see a generic 'Error Occurred' message from Adobe, similar to below, please try again.

      • NOTE: The 'Try Again' button doesn't appear to work in many cases.  The best route would be to try in a fresh 'Incognito' or 'Private' window.  Ensure no other 'Incognito' or 'Private' windows are open, as they share browser cache and the like. 

  3. Once you are redirected to PG, log in with the test account listed in the 'Authorization' tab for the new configuration (as defined in Step #5 of the 'On the PortalGuard Server' section above).

  4. A successful validation should result in a similar message from Adobe:

Finalize the Change

To finalize the update, Adobe has some additional steps to ensure your domain is configured on their end appropriately.  Not all customers will need to follow additional steps, but please read through the Adobe Admin Guide to ensure your domain requires no further configuration. 

In order to switch your SSO away from the 'Deprecated' integration on the Adobe side, you'll need to follow these steps:

  1. Set the new SAML Provider as 'Active' within the Adobe Admin Console. 

  2. On the PortalGuard server, locate the 'old' Adobe configuration and disable it. 

    • Edit the config and uncheck the 'Enabled' box on the 'General' tab.

  3. Update the 'Authorization' tab of the new Adobe config within the Identity Provider Configuration Editor.

    • This can be done by removing the test user that was defined there and adding the appropriate ACLs to match the previous Adobe config. 

      • NOTE: If the 'Authorization' tab is blank, that means all users who have access through PG can attempt SSO to this config.

  4. Save the changes and Apply/Sync them to take effect. 

IMPORTANT NOTE:  You should not delete any configurations on either side until you have confirmed end-to-end functionality.