topic Re: Missing user profile in response from identity server. in ArcGIS Enterprise Questions

Missing user profile in response from identity server.

pocalipse — Fri, 11 Mar 2022 21:21:15 GMT

I'm trying to use KeyCloak as an external OpenID Connect authentication server for our internal ArcGIS Portal. Everything is connection but when I login and get redirected back to ArcGIS Portal I always get this error:

Did not receive 'user profile' parameter from the provider.

It seems that ArcGIS Portal doesn't call the user info endpoint so how do I fix this?

Best regards
Jens Christiansen

Re: Missing user profile in response from identity server.

Scott_Tansley — Fri, 11 Mar 2022 22:08:43 GMT

So I'm not an expert on SAML2 and I've only worked with ADFS, OKTA and Azure AD. That said the 'Required Information' (Configure a SAML-compliant identity provider with a portal—Portal for ArcGIS | Documentation for ArcGIS Enterprise) for a SAML2 exchange between an IDp and ArcGIS Enterprise as a SP is quite light. Only the NameID is really required, which is often in the form of the email address.

Azure AD "just works" as the email is key to everything, but ADFS needs the admin to choose the right properties to send through configuration. It may be that an incorrect property is being sent as the NameID.

That's probably as much as I've got on the subject, but take a look at what's being sent. It sounds like Enteprise is expecting an email and getting something in another form like [domain\user].

Re: Missing user profile in response from identity server.

pocalipse — Fri, 11 Mar 2022 22:46:40 GMT

Hi Scott

Thanks for you reply and the SAML2 link.

However, I'm trying to use the OpenID Connect login but ArcGIS Portal just calls the authenticate endpoint and I login in the identity server and then is redirected back to ArcGIS Portal, just to get notified that user profile is missing.

The JWT returned in quite simple and I guess ArcGIS Portal should call the user info endpoint of my identity server to retrieve the information but it doesn't!

Best regards
Jens Christiansen

Re: Missing user profile in response from identity server.

essamadelali — Tue, 24 May 2022 06:35:46 GMT

Hi @pocalipse, have you managed to solve this issue? I am having the same issue on ArcGIS Enterprise version 10.9.1 (2 HA portals + 2 Federated servers, one hosted server & the other is notebook server)

Note: "Send access token in the header" is On

Any suggestion?

Re: Missing user profile in response from identity server.

pocalipse — Tue, 24 May 2022 06:56:55 GMT

Hi @essamadelali

Unfortunately not!
However, I currently have an open support issue with Esri and I'm hoping they will come back with a solution very soon. If and when they do I will gladly provide you the solution 🙂

Re: Missing user profile in response from identity server.

essamadelali — Thu, 02 Jun 2022 05:34:39 GMT

Hi @pocalipse, have you received any updates from ESRI with regard to the support ticket you have opened?

This issue is driving me crazy, I have been testing on another environment, and it worked! details as follows.

The other environment is testing one (2 HA portals, but there are no federated servers), I have used the exact same Keycloak configuration for both environments. However, in my production environment, which I have sent about it before (2 HA portals + 2 Federated servers, one hosted server & the other is notebook server) it does not work!

I have been trying to test and eliminate some doubts related to keycloak, trying to understand from where exactly the error stem from.

Keycloak side:

I have tried to connect to Keycloak APIs directly without any intervention from the portal, the results was good and eliminated the possibility of having issues related to request/response of keycloak (production).

I have tried to generate a token as follows:

curl -L -X POST 'https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<CLIENT_ID>' \
--data-urlencode 'client_secret=<CLIENT_SECRET>' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=<USERNAME>' \
--data-urlencode 'password=<MY_PASSWORD>' \
--data-urlencode 'scope=openid address web-origins roles email phone profile microprofile-jwt offline_access' \
--data-urlencode 'totp=<OTP_FROM_ANY_MOBILE_AUTHENTICATOR>'

It responded correctly with an access_token
then I used that access_token to call /userinfo API as follows:

curl -L -X GET 'https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/userinfo' \
-H 'Authorization: Bearer <GENERATED_TOKEN>'

It responded correctly with my user profile

Portal side:

I have traced the OpenID connect traffic there are 3 main requests as following:

First: Portal requests: oidc authorize >> set redirect url to keycloak to request the code

originator: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../authorize",
redirectURL: {
baseURL: "https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/auth?redire...",
redirect_uri: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../signin",
client_id: "<CLIENT_ID>",
scope: "openid address web-origins roles email phone profile microprofile-jwt offline_access",
response_type: "code",
state: "xxxxxxxxxxxxx"

Second: Keycloak requests: authenticate with user password or OTP >> set redirect url to portal with code, state & session_state

originator: "https://<KEYCLOAK_SERVER>/realms/.../login-actions/authenticate?session_code=xxxxxxxxxxxxxxxxxxxxxx&execution=xxxxxxxxxxxxxxxx&client_id=<CLIENT_ID>&tab_id=xxxxxx",
redirectURL: {
baseURL: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/...",
state: "xxxxxxxxxxxxxxxx",
session_state: "xxxxxxxxxxxxxxxx",
code: "xxxxxxxxxxxxxxxxxxxxxxx"
},
Third: Portal requests: oidc signin with code, state & session_state >> set redirect url to portal account switcher with access_token

originator: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../signin?state=xxxxxxxxxxxxxxx&session_state=xxxxxxxxxxxxxxx",
redirectURL: {
baseURL: "https://<PORTAL>/arcgis/home/accountswitcher-callback.html#access_token=XXXXXXXX"

This ☝ is the successful flow captured from the testing environment (2 HA portals). I have traced the production requests as well, and everything is being sent correctly redirect_uri, client_id, code, state, session_state, but Unfortunately the Third request does not return an access_token instead it returns the user profile error Did not receive 'user profile' parameter from the provider error

I don't know what's wrong with the production environment, is it because of the fact of having federated servers!

I believe I will open a support ticket as well!

--
Thanks,
Essam

Re: Missing user profile in response from identity server.

iceearth — Fri, 01 Nov 2024 17:50:02 GMT

Was a resolution ever found for this? I'm having the same issue when trying to authenticate with the Azure ArcGIS Portal app.
The authentication goes through but then the portal comes back with the "Did not receive 'user profile' parameter from the provider" error.
Portal version 11.3

Re: Missing user profile in response from identity server.

iceearth — Mon, 04 Nov 2024 13:00:25 GMT

For anyone having this same issue, I realized that I copied the URLs from the endpoint tab in Azure, instead of from the metadata URL.
Once I put in the correct URLs, it started working.

Re: Missing user profile in response from identity server.

Ítalo — Thu, 27 Mar 2025 10:16:43 GMT

I encountered the same issue on a Portal 11.3 instance using Keycloak 26.1.4. I tried various solutions, but none were conclusive, and I couldn't find any helpful documentation. However, I was able to confirm that, at least in my case, the issue was with the Portal itself. When I switched to another Portal 11.3 instance and followed the exact same steps, the error disappeared.

I also replicated the request simulation mentioned in this forum, but I reached the same conclusion as a fellow user: the requests work correctly, everything functions as expected, but the Portal seemingly fails to recognize them. It could be a configuration issue or something related to how the Portal is set up.

In any case, the only workaround I found was to implement it on a different Portal, which was an option in my scenario. If anyone discovers a definitive solution to this error and can share it here on the forum, that would be greatly appreciated! 🙂

Re: Missing user profile in response from identity server.

MatejVrtich — Mon, 31 Mar 2025 06:27:18 GMT

I had the same issue and I think the problem was the availability of the identity provider url from the portal machine itself. I can't remember exactly if it was just for the ArcGIS service account or the machine itself. Try fetching the Keycloak URL as an ArcGIS service account user from the Portal machine to ensure that the IDP is accessible.

Regards,

Matej