Adobe deprecating the use of SHA-1 and SHA-256 Pilot certificates with Identity Providers (IdPs)

Darren Wallace
macOS, Maintenance

Introduction

Adobe has updated their user identity setup knowledge base article to announce that IdP integrations configured with SHA-1 or SHA-256 Pilot certificates are deprecated, and that support will be removed from October 31, 2020.

On July 16, 2020, Adobe sent out ‘action required’ emails to administrators of affected Adobe admin consoles. This should be actioned at the earliest opportunity.

The message

To Systems Administrator:

As of October 31, 2020, Adobe will discontinue support of deprecated SHA-1 certificates for federated directories within Adobe Admin Consoles. It has been confirmed that your organization has one or more federated directories utilizing a deprecated SHA-1 certificate, or a directory that was converted as part of the SHA-256 Pilot, that requires migration prior to the support expiration.

Migration of federated directories to SHA-256 protocol aligns with industry standard, providing a more secure and direct integration with Adobe of your directory’s authentication profiles. A self-service feature is available in the Adobe Admin Console that allows your organization to seamlessly migrate from a SHA-1 to a SHA-256 certificate requiring no down time and the ability to test prior to integration. With this solution, you can leverage the same directory as well as integrate directly with your identity provider, such as Azure, Google or any SAML 2.0 provider. Within the Admin Console, any directories with a SHA-1 or SHA-256 Pilot certificate are now indicated with an icon and banner notification to alert your administrators to which directories require an update. Learn more about the migration process and steps to proceed here.

What is this about?

For Adobe’s Named User License (NUL) and Shared Device License (SDL), end users are required to log into an Adobe ID in order to use the Adobe Suite on their devices. To make this process simpler, an administrator can link their Identity Provider (IdP) to the Adobe Console. This allows easier user provisioning and a unified authentication experience for end users. 

When configuring the IdP integration, certificates are used to help secure the communication between Adobe and the provider. In some cases these certificates may have been created as SHA-1 or SHA-256 Pilot. These are considered less secure and Adobe is removing support for these from October 31, 2020.

How do I find out if I need to do anything?

If you are an administrator of an Adobe admin console and have received an email with the subject line “ACTION REQUIRED: Discontinued Support of Deprecated IdP Certificates”, you are affected.

Additionally, you can log into your Adobe admin console and navigate to “Settings” > “Identity”. If you are affected, you will be shown a warning message there.

What do I need to do?

It is strongly recommended that you follow the Adobe migration steps as soon as possible to update your certificate for IdP communication. These steps can be found here – Migrate to new authentication provider

By attempting the migration now, you leave plenty of time should you encounter any issues or delays. If you are finding the migration process anything but easy, please log a support case with Adobe support for assistance.

More Information