topic Re: Configure OpenID Connect logins in ArcGIS Enterprise Portal Questions

Configure OpenID Connect logins

RomanBoros — Mon, 07 Jun 2021 09:38:03 GMT

Hi,

We are trying to setup an OpenID Connection to our ArcGIS Online.

All the necessary configurations were done on our Identity Provider and in the ArcGIS Online admin panel.

The button appeared on the login screen and after pressing we are redirected to the Identity Provider. After successful authentication the server redirects back to the portal and an error message is displayed.

Did not receive 'user profile' parameter from the provider.

Can you provide more details what might be the problem?

This is the response format that the identity provider returns from the user info endpoint

As Identity Provider we are using Identity Server 4.

The grant type for this client is authorization_code

We tried looking into documentation, but there is nothing about this error.

Thanks for your help.

Re: Configure OpenID Connect logins

TomRussell1 — Tue, 08 Jun 2021 05:29:12 GMT

I'm facing the same issue using the Keycloak IDM, we had previously used Keycloak's SAML integration but would like to transition to OIDC to align with other applications in our environment

Re: Configure OpenID Connect logins

RomanBoros — Tue, 08 Jun 2021 08:41:30 GMT

Unfortunately, SAML is not an option for us at the moment.

Our guess is they are expecting some non-standard parameter to be returned in the token.

Re: Configure OpenID Connect logins

ChristopherPawlyszyn — Thu, 10 Jun 2021 15:38:40 GMT

That error message typically means that the scopes are not being released to the service provider. Depending on whether you've specified those scopes in the OIDC configuration for ArcGIS Online/Portal for ArcGIS, you may need to remove them and potentially add other scopes if your provider is not set to allow the listed scopes to the service provider for the registered application.

Re: Configure OpenID Connect logins

RomanBoros — Thu, 10 Jun 2021 19:41:58 GMT

I do not think that is the case.

In the OIDC configuration we have "openid email profile" and I can confirm that the client in the Identity Server is setup in the way to allow those scopes.

Re: Configure OpenID Connect logins

ChristopherPawlyszyn — Fri, 11 Jun 2021 11:48:02 GMT

Another possibility may be that you haven't selected the option to include the access token in the header of the authentication request. I had the same issue on an ADFS 4.0 OpenID Connect configuration I was working on earlier in the week.

Re: Configure OpenID Connect logins

RomanBoros — Fri, 11 Jun 2021 12:31:59 GMT

Should I look for that option in the ArcGIS Online/Portal or on the Identity Server?

On the server the closes thing there is this parameter and that is set to true.

Re: Configure OpenID Connect logins

RomanBoros — Mon, 14 Jun 2021 10:58:42 GMT

After another attempt we found that parameter.

Setting that to true was the solution.

For anyone still wondering, you can find that at the bottom, when you try to edit the configuration.

Organization -> Settings -> Security -> Logins-> Configure login

Re: Configure OpenID Connect logins

MarkCederholm — Wed, 17 Nov 2021 15:02:10 GMT

I'm playing around with IdentityServer4 as an OpenID Connect source, and I am getting the same "user profile" error, although it works fine for a MVC client that uses the same parameters as ArcGIS Online. Next I created a custom IProfileService implementation to see if it's actually being called, and again it works fine for the MVC client, but with AGOL only IsActiveAsync is being called (and returning true); GetProfileDataAsync is never called.

Re: Configure OpenID Connect logins

pocalipse — Fri, 11 Mar 2022 22:11:05 GMT

Hi Mark

Did you find a solution for the OpenID problem - I have the exact same issue using KeyCloak!

Re: Configure OpenID Connect logins

HaraldLund — Thu, 31 Mar 2022 08:18:21 GMT

Hi,

As I understand, you were able to use IdentityServer4 as an OpenID Connect IDP and connect ArcGIS Online with your IDP. By checking the "Send access token in header" seemed to help you out. Unfortunately, this approach does not solve this issue for my setup. I have used the IdentityServer4 QuickStart sample and just for now is using the in-memory user store. Trying to check the mentioned checkbox, making sure that the claims is sent with the access token setting the AlwaysIncludeUserClaimsInIdToken = true, for the client setup does not help. I still get the message "Did not receive 'user profile' parameter from the provider."

I have successfully managed to set up Okta as an OpenID Connect IDP. It does not seem to me that userinfo endpoint is ever called from ESRI, even when the configuration does not have specified the JWKS URL and added the usserinfo URL.

What else have you configured with your IDP, @RomanBoros?

Re: Configure OpenID Connect logins

HaraldLund — Thu, 31 Mar 2022 08:28:45 GMT

This will probably not help you directly, but I have a customer who were able to setup KeyCloak with ArcGIS Portal 10.9, but I do not have any details on the configuration. But when I was setting up the Okta setup, I also struggled with this error. I ended up with not checking the "Send access token in header", setting the UserInfo URL to empty but filling out the JWKS url. With the Okta configuration I uses Client Credential and Authorization Code. I also had to make sure the Claims where mapping correctly. I also have a sub claim added.

Re: Configure OpenID Connect logins

pocalipse — Thu, 31 Mar 2022 10:10:26 GMT

I think my problem is exactly the mapping - did you manage to figure out what claims ArcGIS is expecting?

Re: Configure OpenID Connect logins

HaraldLund — Tue, 05 Apr 2022 09:04:09 GMT

Hi,

These are the claims you need:

name
nickname
given_name
middle_name
family_name
email

Re: Configure OpenID Connect logins

JoshuaAbbott — Tue, 12 Apr 2022 14:51:18 GMT

Did you get this working? I am also using IdentityServer4 and I see the same "Did not receive 'user profile' parameter from the provider." error, though I have tried all the suggestions in this thread. I see that later you give a list of claims that ArcGIS expects, but, as @MarkCederholm says, GetProfileDataAsync is never called, so I'm not sure that the claims are the problem.

Re: Configure OpenID Connect logins

HaraldLund — Tue, 12 Apr 2022 15:24:43 GMT

Hi @JoshuaAbbott,

Unfortunately we weren't able to get this to work with ArcGIS Portal 10.9.1. But using the exact same IdentityServer application with ArcGIS Online that also supports PKCE flow, it works. So I suspect that there is a problem with 10.9.1. It would be nice if Esri would be able to support the latest security demands also with ArcGIS Portal 10.9.x and that there were possibilities to manage some mapping and handling of custom scopes and claims. With more and more demands to be able to support the latest secure architecture using OpenID Connect I think it is essential that Portal would support this. I also missing how samples and documentation of how the mapping is done now.

One other thing I'm unsure of is if we would be able to authenticate an user with the federated IDP, and use the token to access the items the user is authorised to use. Or do we always have to trigger the authentication by accessing Portal first and to be redirected to the IDP?

Re: Configure OpenID Connect logins

JoshuaAbbott — Tue, 12 Apr 2022 17:34:43 GMT

Many thanks for the response. I agree that they should include support in 10.9.1 since PKCE is now the industry standard. I am using a version of ArcGIS that supports PKCE and I am still seeing that error, that I hope you might be able to shed some light on. Below is my client setup with sensitive info redacted. Also, when configuring the Login on ArcGIS, it asks for a "Provider Issuer ID" is this just the domain of the identity provider? For example I just have "https://localhost:44360". Again, thanks for your collaboration.

{ ClientId = "arcgis-client", ClientName = "API Client", AllowedGrantTypes = GrantTypes.Code, RequirePkce = true, RequireClientSecret = false, // obsolete with PKCE AllowOfflineAccess = true, AlwaysIncludeUserClaimsInIdToken = false, RedirectUris = new string[] { "REDACTED" }, PostLogoutRedirectUris = new string[] { "REDACTED" }, ClientSecrets = new Secret[] { new Secret("REDACTED".Sha256()) }, // Not used, but ArcGIS asks for it AllowedScopes = new string[] { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile, IdentityServerConstants.StandardScopes.Email } }

Re: Configure OpenID Connect logins

HaraldLund — Tue, 12 Apr 2022 18:37:04 GMT

As issuer I also have used the same as you. Have you tried to set this to true?

AlwaysIncludeUserClaimsInIdToken = true

If you're using a version supporting PKCE, isn't that ArcGIS Online?

I see you also use a local host for testing. Just wondering if there is an issue if your server isn't reachable for the ArcGIS installation, but the communication should be with in the browser session, if I have understood this correctly.

Re: Configure OpenID Connect logins

JoshuaAbbott — Wed, 13 Apr 2022 16:07:46 GMT

Yes, I'm using ArcGIS Online with PKCE support. I have "Include Token in Header" enabled and I have tried

AlwaysIncludeUserClaimsInIdToken = true

still without success. I do not think the issue is the communication to localhost, since it does redirect to the sign in page of my Identity Provider, the user is authenticated and then returned to ArcGIS with the access token. It is then that ArcGIS shows that error about "no user profile parameter".

Update: @HaraldLund I did have to have it running at a publicly accessible URL, so after hosting it on IIS everything worked out fine.

Re: Configure OpenID Connect logins

HaraldLund — Tue, 19 Apr 2022 11:49:33 GMT

Great you managed to solve it, that was my next step for my testing as well. Was also looking into Keycloak but ended up with same error. I will go back to testing with a accessible URL with IdentityServer, even though using KeyCloak may reduce the development time.