topic Re: SAML-based enterprise groups in Portal not working? in ArcGIS Enterprise Portal Questions

SAML-based enterprise groups in Portal not working?

ShelbyZelonisRoberson — Thu, 06 Sep 2018 12:44:13 GMT

I've had a ticket with Esri for the past few months trying to figure this out, but wanted to throw it out to the community to see if anyone else is having the same problem.

I have Portal 10.6.1 and am trying to create Portal groups that are tied to enterprise SAML-based groups. I've followed all instructions here Create groups—Portal for ArcGIS (10.6) | ArcGIS Enterprise under the SAML-based IDP section, but still can't get it to work.

Here's what happens: I create a group in my Portal (e.g. "Test Group") and set it to only be able to be joined by Members of an Enterprise Group. I type the name exactly of my SAML-based enterprise group (e.g. "SAML_Test_Group") to link to "Test Group". My enterprise username is a member of "SAML_Test_Group", so in theory I should be able to log into the Portal, see the "Test Group", and be able to share content into it. Here's where the problem is. I can see the "Test Group", but I cannot share any content into it. I've tried adjusting every group setting possible, and also have had many other people try a similar workflow. On the SAML side of things, our IT group sees the SAML assertions when I access the group, so I think everything is working properly on that side of things. I think it's in the Portal where something is going wrong.

I've been going back and forth with Esri tech support unsuccessfully for a few months. I was wondering if anyone else is having the same issue? Or is it working for you? I've searched GeoNet and can't find anything related.

Thanks!

Re: SAML-based enterprise groups in Portal not working?

DanielUrbach — Tue, 25 Sep 2018 05:11:24 GMT

When you say you can see the group, is that under "My Groups" or "My Organization's Groups"?

What attribute name are you using for the attribute chosen for group membership (e.g. <Attribute name="Group"> in the SAML response)

-Danny

Re: SAML-based enterprise groups in Portal not working?

ShelbyZelonisRoberson — Tue, 25 Sep 2018 12:21:25 GMT

Danny - I meant to update this post. I recently came to a resolution with tech support. There is a bug on Esri's end that requests SAML:1.1 for the nameid instead of SAML:2.0. Hoping it gets fixed soon!

For anyone interested, it's BUG-000114084.

Shelby

Re: SAML-based enterprise groups in Portal not working?

DanielUrbach — Tue, 25 Sep 2018 15:57:35 GMT

Shelby,

I'm not entirely sure that bug would affect group membership to be honest.

Having said that, what identity provider are you using? Most identity providers can be configured to send the nameid as SAML:2.0, effectively bypassing that defect.

-Danny

Re: SAML-based enterprise groups in Portal not working?

ShelbyZelonisRoberson — Tue, 25 Sep 2018 16:02:28 GMT

They (tech support) seemed to think that is the problem?! I certainly hope it is. The groups are based on SAML role membership. And yes we technically could bypass the defect but I work for a very large organization and it would impact much more than just me, so my IT department will not make the change.

Re: SAML-based enterprise groups in Portal not working?

DanielUrbach — Tue, 25 Sep 2018 17:36:28 GMT

Shelby,

I understand that you cannot make the changes in the IdP.

The reason I don't believe that particular defect is blocking you from sharing content to a SAML-linked group is that the NameID is only used to generate the username for the SAML-based user in Portal. The fact that you are able to sign in successfully makes me think that that defect is not affecting this issue.

Was your Portal upgraded to 10.6.1 or was it a fresh installation?

If you go to https://<Portal FQDN>/<webadaptor>/sharing/rest/community/users/<SAML user>, is the group linked to a SAML group listed under User Groups?

-Danny

Re: SAML-based enterprise groups in Portal not working?

ShelbyZelonisRoberson — Wed, 26 Sep 2018 10:40:34 GMT

Hi Danny,

The Portal was upgraded to 10.6.1 but this was an issue at 10.6 also (10.6 was a fresh installation).

When I go to the link you sent using my username, the SAML-linked Portal group is NOT listed under my User Groups.

However, in the Portal, I can see the SAML-linked Portal group under "My Organization's Groups". The group is set to Private (only viewable by group members) so in theory if I wasn't in the group, wouldn't I not be able to see it? Side note: I did not create the group with my username so owning it is not the reason I can see it.

I also took a look the group page at https://<portalfqdn>/<webadaptor>/sharing/rest/community/groups/<samlgroupname>. It lists Provider as "enterprise" and has the correct SAML group listed as the provider group name. However, when I click on Group Users, only the owner is listed as a user.

If it's easier we could continue this offline and I could show you screenshots, etc - up to you. I appreciate the help, I'd really love to get this resolved especially if it has nothing to do with the Bug.

Shelby

Re: SAML-based enterprise groups in Portal not working?

KeChen — Tue, 27 Nov 2018 16:54:51 GMT

Has this issue been resolved yet? I am recently trying to integrate our Idp with ArcGis. I run into the same issue.

I use Identityserver4 with Saml plugin, I could login using identities hosted on Identityserver4 no problem. I use attribute <MemberOf>, so the group show up as the logged in user's "My Organization's group". But I can't add content to the group

Group was created with settings

Who can view this group? -- Only group member

Who can join this group? -- Members of an Enterprise Group

Who can contribute content to the group? -- Group members

If you figured out a solution, could you please share with me?

Update: It actually works, the default role I was using didn't have privilege to share. So there's no problem.

Re: SAML-based enterprise groups in Portal not working?

MarkusSchenardi — Thu, 09 Apr 2020 06:16:10 GMT

I found out that I can only share content to an enterprise group when I am myself a member of the group.

That's in my opinion a bug because it does not follow the group settings and it makes it very difficult for administrators to share content in a senseful workflow.