Overview
ArcGIS Online organization administrators who have enabled Signed and/or Encrypted Assertions, in alignment with ArcGIS Online Best Practices for SAML Security, need to obtain the new ArcGIS Online Service Provider metadata file and certificate and associate it with their SAML Identity Provider (e.g. Azure Active Directory Enterprise Applications with Token Encryption) before September 24, 2024; otherwise, ArcGIS Online sign-ins with Enterprise (SAML) accounts will fail.
See Steps 1-2 below:
Step 1 – Download the updated metadata file from ArcGIS Online:
- Log in to www.arcgis.com with your administrative credentials
- Click on “Organization” then “Settings” then “Security”
- Scroll down to “Logins” > “SAML login”, then click the “Download service provider metadata” link (as shown below). This downloads the metadata file, which contains the updated certificate, for upload to your SAML Identity Provider.
Step 2 – Upload the metadata file into your SAML IDP:
- Within your SAML Identity Provider Enterprise Application configuration, locate the entry for your ArcGIS Online Organization.
- Upload the updated metadata file downloaded from ArcGIS Online to your SAML Identity Provider. See ArcGIS Online’s SAML IDP guidance for IDP-specific instructions on how to register the service provider metadata XML with your IDP.
Administrators who have enabled the Best Practices for SAML Security feature “Allow Encrypt Assertion” must also complete Steps 3-4 below:
Step 3 – Extract the certificate from the ArcGIS Online metadata file:
- Extract and validate the certificate from the metadata.xml file: copy the characters between the <X509Certificate> and </X509Certificate> tags, paste them into an empty file, and save it with a .cer extension.
Step 4 – Update the Token Encryption certificate within the Identity Provider:
- Within your SAML Identity Provider Enterprise Application configuration, locate the entry for your ArcGIS Online Organization.
- Supply the extracted certificate to the “Encryption” capability for the ArcGIS Online application. Refer to your SAML Identity Provider’s documentation for specific instructions on this workflow.
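The extraction in Step 3 is usually done by hand in a text editor, which is where truncated copy/paste errors creep in. The following added example (not part of the original article or of any Esri tooling) does the same thing with the Python standard library: it parses a service provider metadata file, pulls every X509Certificate element together with the KeyDescriptor `use` it belongs to, checks that the base64 decodes to a complete DER SEQUENCE, prints a SHA-256 fingerprint for each certificate, and writes the encryption certificate to a .cer file in PEM form. The metadata document and the certificate bodies below are constructed stand-ins (the certificate is a bare DER SEQUENCE, not a real X.509 certificate, and the entityID is a placeholder); point `extract_certificates` at the text of your downloaded metadata.xml to use it for real.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for a certificate body: a bare DER SEQUENCE holding
# INTEGER 1. It is NOT a real X.509 certificate; it only exercises the checks.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()

# Constructed sample with the shape of an SP metadata file. The entityID is a
# placeholder, not an ArcGIS Online value.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def der_length_ok(der: bytes) -> bool:
    """True if the blob is one DER SEQUENCE whose encoded length matches the
    bytes present. A certificate cut short while copying fails this check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def to_pem(b64: str) -> str:
    """Wrap base64 DER in PEM armor at 64 characters per line."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_certificates(metadata_xml: str) -> list:
    """Return one record per X509Certificate element: KeyDescriptor use,
    raw DER bytes, SHA-256 fingerprint and PEM text."""
    root = ET.fromstring(metadata_xml)
    records = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")   # no 'use' means both
        for el in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((el.text or "").split())  # drop newlines/indentation
            der = base64.b64decode(b64, validate=True)
            if not der_length_ok(der):
                raise ValueError(f"{use} certificate is not a complete DER SEQUENCE")
            records.append({
                "use": use,
                "der": der,
                "sha256": hashlib.sha256(der).hexdigest(),
                "pem": to_pem(b64),
            })
    return records


def write_cer(record: dict, path: str) -> str:
    """Write the certificate's PEM text to a .cer file and return the path."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(record["pem"])
    return path


if __name__ == "__main__":
    certs = extract_certificates(SAMPLE_METADATA)
    for rec in certs:
        print(f"{rec['use']:20s} SHA-256 {rec['sha256']}")
    encryption = [r for r in certs if r["use"] == "encryption"]
    if encryption:
        print("wrote", write_cer(encryption[0], "arcgis-online-encryption.cer"))
```

The script writes the certificate with PEM BEGIN/END lines rather than the bare base64 the article describes; that is this example's choice, and both forms are commonly accepted by IdP certificate uploads. The printed SHA-256 fingerprint is worth keeping: after Step 4, compare it with the thumbprint the Identity Provider shows for the active token encryption certificate, which is a quick way to confirm that the certificate now in use is the one from the new metadata file.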
Troubleshooting
- Issue: When I attempt to sign in using SAML, I get the error message: “Unable to login using Idp. Error validating encrypted Assertion Unwrapping failed”.
Root Cause: The Identity Provider is encrypting the SAML Assertion using an expired certificate, or a certificate ArcGIS Online does not recognize.
Fix: Complete Steps 3-4 in the blog above. Then within the Identity Provider > SAML > Token Encryption configuration for the ArcGIS Online application, disable (or remove) previously configured or expired certificates.