SSO - 11.2
I am trying to get SSO (SITEMINDER) working with an 11.x on-premise version of Adobe Connect. I have followed the instructions to activate the SSO option in the Adobe Connect backend and I have imported the XML file from our SSO system successfully into Adobe Connect and the correct domain IdP name is showing up.
Do I also have to follow the guide on this page https://helpx.adobe.com/au/adobe-connect/installconfigure/configuring-single-sign-on-sso.html? This is the only thing we have not yet done and so far SSO does not seem to be active.
When SSO is correctly configured, what is the new workflow for connecting to Adobe Connect? I am assuming that the usual login page opens, but at which point is the user redirected to the SSO provider's login page? Is it when they start typing their login or is there a button that's added to the interface to redirect them?
How are user privileges assigned to accounts that come through the SSO backend, and do we still have to import accounts or are they auto-provisioned when logging in?
Re: SSO - 11.2
That SSO page is an old page that doesn't address the built-in SSO workflow that is available in Connect 10+.
Once you have SSO enabled, the workflow is that someone goes to the Adobe Connect login page and if they enter an email that ends in the domain you specified on the SSO configuration page, then it sends the user to your IDP for authentication. If a user enters an email that doesn't end in your specified domain or a login that isn't an email, then Connect will never send the user to your IDP for authentication.
If the user is sent to your IDP and they return authenticated, then Connect uses the email in their SAML response to 'know' who that user is. If the user account with that email/login has privileges within Connect, then they will get them once logged in.
Here is the article I'd keep handy for configuring and managing the SSO in Connect, https://blogs.connectusers.com/connects … allations/.
I hope that helps clarify.
Re: SSO - 11.2
Thank you Jorma, that does help clarify somewhat.
Just to be sure: can the IDP domain name be different from the domain configured on the Connect server?
Do users have to type just the login then hit enter, login and password and hit enter, or are they automagically whisked away to the SSO connection page as soon as they've finished typing the email with the username@domain without hitting enter?
Do you see any issues if the login on the SSO is not an email address?
Re: SSO - 11.2
The user needs to type their email and then either press enter or tab or click out of the login field on that page. If you configured Adobe Connect to look for the domain their email ends in, then the SSO workflow is initiated. So, if on the SSO page you configure the Domain Configuration field to look for mycompany.com, then if the user enters their email as firstname.lastname@example.org in the Connect login page, they will be passed to the IDP to authenticate and come back to Connect. If they enter their email as email@example.com, they will not be sent to the IDP and be expected to log in with the standard Adobe Connect UN/PW process.
When you enable the SSO in Connect it does force the login to be email, so you don't have the option to do custom mapping of alternate logins within Connect.
Unfortunately, this SSO workflow is very inflexible. So if you need to use something other than emails as logins or a more intuitive or dynamic login process, a 3rd party SSO solution would be needed.
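Added example, not part of the thread and not Adobe Connect code: a small Python model of the routing rule the replies describe (email login whose domain matches the configured SSO domain goes to the IdP, everything else stays on the local login, and the email in the SAML response selects the existing account). The function names, the sample account and the choice of case-insensitive, whole-domain matching are assumptions made for illustration.

```python
# Added illustration: models the login routing described in this thread.
# Not Adobe Connect code; names and matching details are assumptions.

def login_domain(login):
    """Return the lower-cased domain of an email-style login, or None."""
    local, sep, domain = login.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None                      # not a usable email address
    return domain.lower().rstrip(".")

def route_login(login, sso_domain):
    """Return 'idp' when the login's domain is the configured SSO domain, else 'local'."""
    domain = login_domain(login)
    if domain is None:
        return "local"                   # non-email logins are never sent to the IdP
    # Assumption: compare the whole domain rather than a raw string suffix,
    # so 'notmycompany.com' is not mistaken for 'mycompany.com'.
    return "idp" if domain == sso_domain.lower().rstrip(".") else "local"

def privileges_after_sso(saml_email, accounts):
    """Find the account whose login equals the email from the SAML response.

    Returns that account's privileges, or None when no such account exists.
    """
    return accounts.get(saml_email.strip().lower())

# Constructed sample data (hypothetical account and logins).
ACCOUNTS = {"jane.doe@mycompany.com": ["host"]}
SAMPLES = [
    "Jane.Doe@MyCompany.com",    # configured domain, different case
    "jane.doe@othercorp.test",   # different domain
    "jane@notmycompany.com",     # lookalike suffix
    "jdoe",                      # login that is not an email
]

if __name__ == "__main__":
    for login in SAMPLES:
        print(f"{login!r:32} -> {route_login(login, 'mycompany.com')}")
    print(privileges_after_sso("Jane.Doe@mycompany.com", ACCOUNTS))
```
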