SAML Identities are missing email value in response from /portal/self

Anonymous User — Mon, 26 Oct 2020 21:12:01 GMT

Use Integrated Windows Authentication with your portal—Portal for ArcGIS | Documentation for ArcGIS Enterprise We've run into a recent snare with the email fields of AGOL Identities coming back empty on identities created via a SAML integration.

Our OAUTH2 integration relies on the portal/self endpoint to garner certain identifying information about the Identity during self registration, including the identity's email. But as mentioned, we're seeing a few cases when that property is empty. Here for example, is the response for a AGOL Organization Identity created via a Windows AD SAML integration, anonymized with dummy data to protect our customer.

"user": {
"username": "alice@domain.com_shortname",
"id": "ef7fe35ccaf148ce87c1d00eeeaec89c",
"fullName": "Alice Smith",
"firstName": "Alice",
"lastName": "Smith",
"preferredView": null,
"description": "WINAD-test-user",
"email": "",
"userType": "both",
"idpUsername": "alice@domain.com",
"favGroupId": "a466ddf5b8d942779a95f60b85f39001",
"lastLogin": 1603741422000,

...

}

This compared to the following responses from my Organizational user (Azure AD SAML), and another Public Identity used for testing (anonymized)

SAML User from Azure AD	Public User
"user": { "username": "phunter_Latitudegeo", "id": "269cb6575e756ba993cb046a795d8e", "fullName": "Paul Hunter", "firstName": "Paul", "lastName": "Hunter", "preferredView": null, "description": "", "email": "phunter@latitudegeo.com", "userType": "both", "idpUsername": "phunter", "favGroupId": "58e4755056a54bfb4054e4baa1f175", "lastLogin": 1603735829000, ... }	"user": { "username": "paulhunter", "id": "095ae5b1b9edba9feaaf39e9362510", "fullName": "Paul Hunter", "firstName": "Paul", "lastName": "Hunter", "preferredView": null, "description": null, "email": "phunter@geocortex.com", "userType": "both", "idpUsername": null, "favGroupId": "98a97944a25941a4944830abd5a0b2", "lastLogin": 1603745421000, ... }

SAML User from Azure AD

Public User

"user": {
"username": "phunter_Latitudegeo",
"id": "269cb6575e756ba993cb046a795d8e",
"fullName": "Paul Hunter",
"firstName": "Paul",
"lastName": "Hunter",
"preferredView": null,
"description": "",
"email": "phunter@latitudegeo.com",
"userType": "both",
"idpUsername": "phunter",
"favGroupId": "58e4755056a54bfb4054e4baa1f175",
"lastLogin": 1603735829000,

...

}

"user": {
"username": "paulhunter",
"id": "095ae5b1b9edba9feaaf39e9362510",
"fullName": "Paul Hunter",
"firstName": "Paul",
"lastName": "Hunter",
"preferredView": null,
"description": null,
"email": "phunter@geocortex.com",
"userType": "both",
"idpUsername": null,
"favGroupId": "98a97944a25941a4944830abd5a0b2",
"lastLogin": 1603745421000,

...

}

Can anyone on the ArcGIS Online team confirm if this is expected behaviour for some Federated/SAML configurations, or perhaps a bug?
~ See amendment 2, some configuration documentation states email is not required although recommended.

Emails on identities connected via SAML can't be updated through the AGOL Portal, so presumably its referencing the identity providers records - perhaps if the mail attribute was missing on the Windows AD User for example, then the email property from the self endpoint would also be empty?

Seperately, if the email is updated on the identity provider's side, does AGOL pickup on this update?

~ Yes, if 'Update profiles on sign in' is turned on under Advanced Settings for the SAML Connector.

--Paul

Amendment 1
- Customer does not see an email listed on their organization's user page (https://shortname.maps.arcgis.com/home/user.html#settings)

- Customer confirms AGOL is integrated with a custom SAML provider - I suspect this is the source of the issue.

Amendment 2 - DYRTM?

- ArcGIS Online docs on ADFS setup suggest Email is optional in SAML configurations - "It's recommended that you pass in the email address from the SAML IDP so the user can receive notifications" - https://doc.arcgis.com/en/arcgis-online/administer/configure-adfs.htm, under Required Information, para 2.
- Other SAML/Windows AD Configuration imply email is required through example. - https://doc.arcgis.com/en/arcgis-online/administer/saml-logins.htm / https://enterprise.arcgis.com/en/portal/latest/administer/windows/use-integrated-windows-authentication-with-your-portal.htm

- SAML connectors have an advanced option 'Update profiles on sign in'. This option, when enabled, would be a suitable fix for SAML identities created prior to a valid Email mapping being added, that later want to have an email associated.

topic SAML Identities are missing email value in response from /portal/self in ArcGIS Online Questions

SAML Identities are missing email value in response from /portal/self