
ArcGIS Online has renewed its signing and encryption certificates

11-02-2018 11:16 AM
RandallWilliams
Esri Regular Contributor

On November 2, 2018, ArcGIS Online's signing and encryption certificates were updated.

ArcGIS Online has a new SAML signing and encryption certificate available. This certificate is necessary when an organization has enabled signed requests or encrypted assertions. The previous SAML signing and encryption certificate is due to expire on November 14th, 2018, and you must take action to ensure that your organization can continue to use your Enterprise Identity Provider (IDP). SAML enterprise logins that use the old certificate for signed requests or encrypted assertions will continue to work until Nov 13, 2018.

Action: Users who have enabled the advanced options 'Enable Signed Requests' and/or 'Encrypt Assertion' will need to obtain the new ArcGIS Online Service Provider metadata file and associate it with their Identity Provider before November 14, 2018.

Customers using these advanced options who do not upload the updated ArcGIS Online metadata file containing the new certificate before this date will receive an IDP-specific error when they attempt to sign in to ArcGIS Online with an Enterprise account.

To obtain the updated metadata file:

a. Log in to www.arcgis.com with your administrative credentials
b. Click on "Organization" then "Settings" then "Security"
c. Scroll down to "Enterprise Logins" then click the "Get Service Provider" button.

   - This action will download the metadata needed for your IDP.
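
Before associating the downloaded file with your IDP, you can confirm that it actually carries different signing and encryption certificates from the metadata the IDP currently trusts. The following is an added example, not Esri code: the function names are hypothetical, it assumes you kept a copy of the previously registered metadata file, and the sample metadata is constructed with placeholder bytes instead of real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprints(metadata_xml):
    """Map each key use to the SHA-256 fingerprints of the SP certificates."""
    found = {"signing": set(), "encryption": set()}
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no (or an unrecognised) 'use' serves both purposes.
        use = kd.get("use")
        uses = [use] if use in found else list(found)
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            for u in uses:
                found[u].add(hashlib.sha256(der).hexdigest())
    return found

def rotation_status(registered_xml, downloaded_xml):
    """Compare the file registered at the IDP with the freshly downloaded one."""
    old = cert_fingerprints(registered_xml)
    new = cert_fingerprints(downloaded_xml)
    status = {}
    for use in ("signing", "encryption"):
        if not new[use]:
            status[use] = "missing"      # no certificate published for this use
        elif new[use] - old[use]:
            status[use] = "rotated"      # IDP still needs the new file
        else:
            status[use] = "unchanged"    # IDP already trusts these certificates
    return status

def sample_metadata(cert_bytes, use_attr=""):
    """Constructed minimal metadata; cert_bytes is placeholder data, not a real cert."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="sp.example.invalid"><md:SPSSODescriptor>'
            f'<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data>'
            f'</ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>'
            f'</md:EntityDescriptor>')

if __name__ == "__main__":
    old = sample_metadata(b"constructed old certificate")
    new = sample_metadata(b"constructed new certificate")
    print(rotation_status(old, new))
```

A result of "unchanged" for a use you rely on means the file you downloaded matches what the IDP already has, so re-uploading it will not change which certificate the IDP trusts.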


An email containing the following text has already been sent to ArcGIS Online Organization Administrators:

"ArcGIS Online will be updating its SAML signing and encryption certificates on November 13th, and we need you to take action to ensure your organization can continue to use your Enterprise Identity Provider (IDP).

This certificate is necessary when an Organization has enabled signed requests or encrypted assertions.

To enable your IDP to discover our new certificates, you will need to re-register ArcGIS Online as your trusted services provider.

The process for this varies by the SAML identity provider used, but tutorials on how to do this can be found in our documentation within the section titled 'Register ArcGIS Online as the trusted service provider'.

Esri has documented this process for these popular Identity Providers:

ADFS
NetIQ
Okta
OpenAM
Shibboleth
SimpleSAML


If you have any questions, please contact technical support."

Esri Support Services has released a KB article describing this issue. See:

Problem: ArcGIS Online SAML Authentication signing and encryption certificate renewal 
