POST
Logged as: BUG-000166664: There is a security issue because of Portal for ArcGIS SAML logout behavior: it does not propagate logout to the identity provider and, as a consequence, users remain logged in, which is a security vulnerability
2 weeks ago | 0 | 0 | 31

POST
It's really weird, the bug does not evolve... Still being analyzed while support was able to reproduce... I am afraid it won't even make it to 11.3 at this speed...
3 weeks ago | 0 | 0 | 105

POST
Hello,

Many users in my organization are complaining about a security issue because of Portal for ArcGIS SAML logout behavior: it does not propagate logout to the identity provider and, as a consequence, users remain logged in, which is a security vulnerability.

I noticed the following: "Propagate logout to Identity provider" only works if logged in directly on Portal for ArcGIS (ie: OAuth client id ="arcgisonline"). If you are logged in on Portal for ArcGIS through an OAuth application (ie: OAuth client id ="o8WEYheNpQcE2dwwh"), then when signing out from another application, Portal for ArcGIS does not propagate the logout and instead displays the following window:

Let's illustrate this workflow with the diagram below:

source: https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02_html_m50a2ba3e.gif

Let's say "sp2.example.edu" is Portal for ArcGIS.

1. Working scenario when logged in directly on Portal for ArcGIS:

User is logged in on both Portal for ArcGIS and sp1.example.com and the user requests a global logout from sp1.example.com. At step 3, the IdP makes a POST to sharing/rest/oauth2/saml/signout and the reply is the following:

<!DOCTYPE html>
<html>
<head>
<title>Posting request..</title>
<link href="/geoportal/sharing/rest/files/gw.css" rel="stylesheet" type="text/css"/>
<script language="javascript">
window.onload = function(e) {
document.forms[0].submit();
};
</script>
</head>
<body>
<form name="f" action="https://idp.example.org/auth/realms/company/protocol/saml" method="post">
<input type="hidden" name="SAMLRequest" value="foo" />
<input type="hidden" name="RelayState" value="bar" />
</form>
</body>
</html>

Note the form that will POST to the IdP with "SAMLRequest" and "RelayState" parameters in order to sign out from the IdP. It corresponds to step 4 and it works.

Now, let's compare it with the broken scenario:

2. Broken scenario when logged in indirectly on Portal for ArcGIS through an OAuth application:

User is logged in on Portal for ArcGIS indirectly through an OAuth application and on sp1.example.com and the user requests a global logout from sp1.example.com. At step 3, the IdP makes a POST to sharing/rest/oauth2/saml/signout but this time the reply is the following:

<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<meta name="referrer" content="origin">
<title>Sign In</title>
<script src="/geoportal/sharing/files/scripts/detector.min.js?__ARTIFACTID__"></script>
<link rel="stylesheet" href="/geoportal/sharing/files/css/site.min.css?__ARTIFACTID__">
<script src="/geoportal/sharing/files/scripts/theme.min.js?__ARTIFACTID__"></script>
<script>
var oAuthInfo = {"contextPath":"/geoportal/sharing","originSignin":false}
window.setTheme(oAuthInfo, "/geoportal/sharing");
</script>
<script src="/geoportal/sharing/files/scripts/oauth2.js?__ARTIFACTID__"></script>
</head>
<body>
<div class="content"></div>
</body>
<script>
oAuthInfo.locale = ((oAuthInfo.locale && oAuthInfo.locale === "iw") ? "he" : oAuthInfo.locale);
require.config({
baseUrl: "/geoportal/sharing/files/scripts/",
locale: oAuthInfo.locale && oAuthInfo.locale.toLowerCase() || ""
});
require(["signout-new", "domReady!"], function (signUp) {
signUp.startup(oAuthInfo);
});
</script>
</html>

which ends up at the page "You have been successfully signed out".

So coming back to our diagram, there is no longer a POST back to the IdP and the logout process from the IdP is broken in the middle because of Portal for ArcGIS. As a consequence, users are still logged in and, as mentioned in the documentation:

"If the user's web browser cache is not cleared, attempting to immediately sign back in to Portal for ArcGIS using the enterprise login option will result in an immediate login without needing to provide user credentials to the SAML identity provider. This is a security vulnerability that can be exploited when using a computer that is easily accessible to unauthorized users or to the general public."

Note that if you disable the "Propagate logout to Identity Provider" option, you will have the same phenomenon as in "Broken scenario when logged in indirectly on Portal for ArcGIS through an OAuth application" when logged in directly to Portal for ArcGIS.

As a conclusion, to me, the option "Propagate logout to Identity Provider" should apply to all OAuth client applications ("arcgisonline" and all the others) and not solely to the Portal for ArcGIS client.

Anybody else observing the same phenomenon? Any comments? Did I miss anything obvious?

Thanks,
Nicolas

/cc @CedricDespierreCorporon
03-21-2024 12:51 AM | 0 | 1 | 319
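The difference between the two replies above can be checked mechanically. The script below is an added example, not Esri's code and not from this thread: it parses a signout response and reports whether it propagates the logout back to the IdP, i.e. whether it auto-POSTs a form carrying SAMLRequest and RelayState to the IdP's SAML endpoint. The sample responses are constructed, condensed from the two replies quoted in the post, and the expected IdP hostname (idp.example.org) is an assumption.

```python
# Added check, not Esri's code: given the HTML that Portal's
# sharing/rest/oauth2/saml/signout returns for the IdP's LogoutRequest,
# decide whether logout is propagated back to the IdP, i.e. whether an
# auto-submitted POST form carrying SAMLRequest and RelayState targets the
# IdP SAML endpoint (the working reply). The broken reply has no such form.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormParser(HTMLParser):
    """Collects every <form> with its method, action and input names."""

    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "",
                         "method": (a.get("method") or "get").lower(),
                         "inputs": set()}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].add(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def propagates_logout(html, idp_host):
    """True only if a POST form to idp_host carries SAMLRequest and RelayState.
    idp_host is assumed to come from the IdP metadata configured in Portal;
    a form posting anywhere else is not accepted as logout propagation."""
    p = _FormParser()
    p.feed(html)
    return any(f["method"] == "post"
               and urlparse(f["action"]).hostname == idp_host
               and {"SAMLRequest", "RelayState"} <= f["inputs"]
               for f in p.forms)


# Constructed samples condensed from the two replies quoted in the post.
WORKING = ('<html><body><form name="f" method="post" action='
           '"https://idp.example.org/auth/realms/company/protocol/saml">'
           '<input type="hidden" name="SAMLRequest" value="foo" />'
           '<input type="hidden" name="RelayState" value="bar" /></form></body></html>')
BROKEN = ('<html><head><title>Sign In</title><script>var oAuthInfo = '
          '{"contextPath":"/geoportal/sharing","originSignin":false}</script>'
          '</head><body><div class="content"></div></body></html>')
```

Running `propagates_logout(BROKEN, "idp.example.org")` reproduces the report: the OAuth-app case returns False because the reply never hands the browser back to the IdP, so the IdP session survives the sign-out.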
POST
Hello @ChristopherPawlyszyn, It's been 4 months since your last reply and after days/weeks of trials I still can't restore our production ArcGIS Enterprise nor upgrade it. The workaround does not work, as mentioned several times. Support has given up on me with the workaround. Any progress? Hints? Timeline? Thanks, Nicolas /cc @CedricDespierreCorporon
03-18-2024 03:24 AM | 0 | 0 | 168

POST
Hi @Noah-Sager, Thanks for your reply. Seems like the sample is now fixed and, using the latest 4.29.4, it's now working out of the box. Thanks
03-04-2024 11:37 PM | 1 | 0 | 135

POST
Hello, Upgrading to 4.29, I noticed that search with custom sources is broken: https://developers.arcgis.com/javascript/latest/sample-code/widgets-search-customsource/ After selecting a result from the suggestions, it does not zoom to it and the following error is logged: message: "Cannot select without a source." Returning the `sourceIndex` property in the `searchResult` fixes it but is not documented: https://developers.arcgis.com/javascript/latest/api-reference/esri-widgets-Search.html#SearchResult Thanks, Nicolas
02-29-2024 12:22 AM | 0 | 3 | 218

POST
Hi, Faced the same issue. It can be fixed by increasing the Maximum Image Height and Width in pixels at the Map Service level: The fact that it is shifted in the JS API is due to the fact that it asks for an image size that satisfies these limits though it does not cover the full screen once generated. Phenomenon observed using the ESRI Maps SDK for JavaScript 4.27.
02-09-2024 09:04 AM | 0 | 0 | 165

POST
Seems more like a Portal for ArcGIS issue to me than datastores. What is not displayed correctly is the result of the following URL: /sharing/rest/search. Did you maybe try to reindex (portaladmin/system/indexer/Reindex?). What does your Portal for ArcGIS content folder look like? Was it successfully restored (ie: can you browse your items and find the thumbnails and so on)? Disclaimer: just trying to help by throwing ideas, not working for ESRI!
02-05-2024 08:41 AM | 0 | 1 | 496

POST
TLDR for new readers stumbling upon this long thread and facing the same issue.

BUG-000162528 - Upgraded scene layers cannot be restored to a replicated deployment at ArcGIS Enterprise version 11.1.

The official workaround is this one:

The following changes should be performed on all ArcGIS Data Store machines with the tile cache data store configured:
Modify the 'tilecache_backup_type' property in '<arcgisdatastore>/etc/datastore.properties' to 'REPLICATION_BACKUP'.
Restart the ArcGIS Data Store service.
Once the changes are complete for the machines in the site:
Take a new backup from the primary deployment.
Restore to the secondary deployment.
Verify scene layers are accessible on the secondary deployment.

But as you may read in this thread in more detail, I was never able to make it work. Also, I do get the same issue at 11.2, so I think the BUG title should be updated as well.
01-30-2024 01:23 AM | 0 | 0 | 999

POST
Hi @AndersAh, No info on my side. What I can tell is that the bug is still "in review" on My ESRI (ie: "The issue is being reviewed. The review process ensures that the issue contains all necessary information and is easy to understand, that it is not a duplicate of an existing issue, and that it is a valid bug or enhancement request"), which is quite strange for this kind of obvious bug (ie: easy to reproduce). But enabling administrative access of ArcGIS Server's web adaptor should not prevent it from working. I think you must have another issue. On my side, as a temporary workaround, I enabled administrative access on the web adaptor and disabled external access to the admin and manager URLs at reverse proxy level to solve this issue, and everything is now working fine. What do you mean by ArcGIS Server stops working?
01-03-2024 09:23 AM | 0 | 1 | 486

POST
Hi @Trevor_Hart, Good news! The patch is now available: https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-11-1-sharing-patch
12-19-2023 10:29 PM | 1 | 1 | 296

POST
Hi @ChristopherPawlyszyn, Any update? Any idea why the workaround is not working in my case? Thanks
12-18-2023 09:20 AM | 0 | 0 | 489

POST
Thanks @JonEmch for your reply and announcement. Regarding your question, I was just trying to evaluate the problem of having patch B installed. "A defect has been identified in the Portal for ArcGIS Enterprise Sites Security Patch" or "if you have installed this patch, it is critical to not install any additional Portal for ArcGIS patches or hot fixes, uninstall any Portal for ArcGIS patches including this defective Portal for ArcGIS Enterprise Sites Security Patch, or uninstall or upgrade your Portal for ArcGIS environment" or "is also causing an impact" (I would not get into much details) or "I can confirm that we are responding to a significant issue with the Portal for ArcGIS Enterprise Sites Security patch (B on 11.1) on ArcGIS Enterprise 10.8.1, 10.9.1, 11.1 running on Windows. If you have this patch installed, there is tooling coming that will fix this issue." sounded scary. Hope it's clearer. Thanks
12-12-2023 02:44 PM | 1 | 0 | 714

POST
Many thanks for all your valuable inputs @DavidColey and @JonEmch. So what is the best path to follow if we installed it? Uninstall or wait for the "tooling" to be made available? What is the risk of this patch? Any known issue we should be aware of? Thanks
12-12-2023 01:07 PM | 1 | 3 | 742