Adobe Federated IDs and Creative Cloud - Issue with Blank Logon Window
This may not be an Okta issue, but I wanted to see if anyone has seen something similar. We are opening a call with Adobe.
We recently federated Adobe CC with our own Okta org IdP and are testing. When using adobe.com to log in, we seem to have no issue getting the Okta logon screen and authenticating. However, we're having a problem using the Desktop clients (Photoshop, Illustrator, etc.) on both Mac and PC workstations. Namely, the first time we download the software and log in to the service via the software, everything is fine. We get the Okta logon screen and can authenticate. However, if we log out in the software and then attempt to log back in (any Adobe CC app, Help -> Sign In) we get the typical SP-initiated Okta "Connecting to" window but no way to log in... the window is blank. This happens regardless of PC or Mac, and the window itself isn't really a browser window, but is labeled (in this example of PS on a PC) Adobe Photoshop CC 2017 (the process seems to be PDApp.exe).
There is a roundabout way to get logged back in to Photoshop, so this issue is very easy to duplicate and test. Any ideas, or has anyone seen something similar? It will help with our support call to Adobe. Thanks for the help.
This definitely sounds like, and as you stated, a question where Adobe would be able to provide more insight. If authentication is successful the first time, this tells us that your integration with Okta and Adobe is likely good; otherwise authentication would not be successful. Typically, rich clients will need to be built in a way to handle other authentication types. As an example, Microsoft has built their rich clients (Outlook and other Office apps) to allow authentication to Office 365 when federated to a third-party identity provider with a technology they call "Modern Authentication". Box is similar, as you'll see applications like Box Sync show an embedded browser for SAML authentication. I suspect this is an issue with the Adobe rich clients. A Fiddler trace might provide more insight, as we could validate if authentication requests are even going through, or if it may simply be a display issue.
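As an added example (not from this thread, Okta or Adobe), here is a small Python triage script for the kind of Fiddler/browser capture suggested above, exported as HAR: it checks whether the SP-initiated AuthnRequest reached the IdP, whether the IdP returned a non-empty login page, and whether a SAMLResponse was ever posted back to the SP, which separates "requests never go through" from "the page came back but the embedded window did not render it". The HAR below and the hostnames in it are constructed sample data.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed sample HAR of an SP-initiated SAML sign-in (the shape Fiddler's HAR export uses):
# 1) redirect to the IdP carrying a SAMLRequest, 2) the IdP login page comes back,
# 3) the embedded browser POSTs the SAMLResponse to the SP's assertion consumer service (ACS).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "postData": None,
                 "url": "https://example.okta.com/app/adobe/abc123/sso/saml?SAMLRequest=ZmFrZQ%3D%3D&RelayState=x"},
     "response": {"status": 200, "content": {"size": 48213, "mimeType": "text/html"}}},
    {"request": {"method": "POST", "url": "https://adobe.example/saml/acs",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "SAMLResponse=ZmFrZQ%3D%3D&RelayState=x"}},
     "response": {"status": 302, "content": {"size": 0, "mimeType": ""}}},
]}}

def saml_params(entry):
    """Return which SAML binding parameters (SAMLRequest / SAMLResponse) one HAR entry carries,
    looking at both the query string (HTTP-Redirect binding) and a form body (HTTP-POST binding)."""
    req = entry["request"]
    names = set(parse_qs(urlparse(req["url"]).query))
    post = req.get("postData") or {}
    if "urlencoded" in post.get("mimeType", ""):
        names |= set(parse_qs(post.get("text", "")))
    return names & {"SAMLRequest", "SAMLResponse"}

def triage(har, idp_host):
    """Classify a capture of one sign-in attempt against the given IdP hostname."""
    result = {"authn_request_to_idp": False, "idp_page_bytes": None, "saml_response_posted": False}
    for e in har["log"]["entries"]:
        host = urlparse(e["request"]["url"]).hostname
        params = saml_params(e)
        if "SAMLRequest" in params and host == idp_host:
            result["authn_request_to_idp"] = True
            result["idp_page_bytes"] = e["response"]["content"].get("size", 0)
        if "SAMLResponse" in params:
            result["saml_response_posted"] = True
    if not result["authn_request_to_idp"]:
        result["verdict"] = "no AuthnRequest reached the IdP: client-side problem before SAML starts"
    elif result["saml_response_posted"]:
        result["verdict"] = "full SAML round trip seen: look at the SP/client after the ACS POST"
    elif result["idp_page_bytes"]:
        result["verdict"] = "IdP login page returned but no SAMLResponse followed: likely an embedded-browser display issue"
    else:
        result["verdict"] = "IdP returned an empty body: server-side or network problem"
    return result

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_HAR, "example.okta.com"), indent=2))
```

Replace SAMPLE_HAR with `json.load(open("capture.har"))` and pass your own Okta org hostname to run it on a real trace.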
Thanks Adam. Yes, Federation is working as expected. The problem only manifests itself when a user signs out of their Adobe Federated ID from within the rich clients and then attempts to log back in with the same or a different Federated ID. This is very likely not something that happens very often, if at all, in normal use of the CC applications, but it was found during testing.
In preparing my support ticket for Adobe, I have found the root cause being the New Sign-In Page experience being enabled in our Okta organization. When I turn this off and go back to the old sign in page experience, the problem is no longer present.
This still suggests the problem is on Adobe's end, and I still intend to submit my ticket to them asking them for confirmation and to fix the problem (if they are not already aware). We like the new sign-in page experience and prefer not to disable it just to deal with a problem that may not manifest in regular production use.
If I don't get anywhere with Adobe, it might be nice if Okta leaned on Adobe a bit as well, and I have a ticket opened with Okta support that perhaps might help with that.