In Portal, allow dashes in user name NameIDs when authenticating with SAML2

09-26-2019 03:40 AM
Status: Open
New Contributor II

In Portal, the user name requirements for enterprise users are handled in an inconsistent manner. If enterprise users are added manually or via scripts, their user names can contain underscores (_), at signs (@), points (.), or dashes (-). The Portal documentation states:

If your portal has been configured with an enterprise identity provider based on Active Directory (AD) or Lightweight Directory Access Protocol (LDAP), enterprise accounts can be added individually, in bulk, or from enterprise groups managed by the identity provider [...] Any special characters in account names will be changed to an underscore (_), except the at sign (@), point (.), or dash (-).

Users created this way can indeed authenticate with SAML2, even if their user names contain dashes. But if users are created on the fly on their first connection, all dashes in the user name NameID are replaced by underscores. This behaviour has in fact been carried over from AGOL, and is also stated in another Portal documentation page:

Portal for ArcGIS requires certain attribute information to be received from the identity provider when a user logs in using enterprise logins. The NameID attribute is mandatory and must be sent by your identity provider in the SAML response to make the federation with Portal for ArcGIS work. When a user from the IDP logs in, a new user with the user name NameID will be created by Portal for ArcGIS in its user store. The allowed characters for the value sent by the NameID attribute are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be escaped to contain underscores in the user name created by Portal for ArcGIS.

If the LDAP directory contains user names with dashes, the corresponding Portal user names may inconsistently contain/allow dashes (if added manually or with a script) or have all dashes replaced by underscores (if added on first connection). This behaviour is inconsistent.

Furthermore, if the Portal group membership is based on the portaladmin group store configuration (i.e., if the SAML identity provider is not configured with the option "Enable SAML based group membership"), the current behaviour could prevent Portal from retrieving group membership, because the same user account name may contain underscores in Portal but dashes in LDAP.

In our opinion, it would be preferable if dashes were always allowed.
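As an added illustration (not part of this idea post or of Esri's code): a small Python check that applies the two character rules quoted above to a list of directory user names and reports which accounts would get a different Portal user name at first login, and which distinct directory accounts would collapse onto the same Portal user name. The two sanitisation rules are taken from the documentation passages quoted in this post; the ASCII-only reading of "alphanumeric" and the collision check are assumptions that go beyond what the post states.

```python
import re

# Rule quoted from the Portal documentation for accounts created on the fly
# at first SAML login: only alphanumerics, "_", "." and "@" are kept; every
# other character becomes "_". "Alphanumeric" is assumed to mean ASCII here.
ON_THE_FLY_DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")

# Rule quoted for accounts added manually, in bulk or from enterprise groups:
# the dash "-" is additionally preserved.
MANUAL_DISALLOWED = re.compile(r"[^A-Za-z0-9_.@-]")


def portal_name_on_first_login(name_id: str) -> str:
    """User name Portal would create from the SAML NameID at first login."""
    return ON_THE_FLY_DISALLOWED.sub("_", name_id)


def portal_name_when_added_manually(name_id: str) -> str:
    """User name Portal would create when an admin adds the account."""
    return MANUAL_DISALLOWED.sub("_", name_id)


def audit_directory_names(ldap_names):
    """Return (renamed, collisions) for a list of directory user names.

    renamed:    directory name -> Portal name created at first login, for
                every name that changes (group lookups keyed on the
                directory name can then miss).
    collisions: Portal name -> list of distinct directory names that all
                map onto it (two directory accounts, one Portal identity).
    """
    renamed = {}
    by_portal_name = {}
    for name in ldap_names:
        portal = portal_name_on_first_login(name)
        if portal != name:
            renamed[name] = portal
        by_portal_name.setdefault(portal, []).append(name)
    collisions = {p: n for p, n in by_portal_name.items() if len(n) > 1}
    return renamed, collisions


if __name__ == "__main__":
    # Constructed sample directory names; not taken from any real deployment.
    sample = ["jane.doe", "jean-luc", "jean_luc", "o'brien", "admin@corp"]
    renamed, collisions = audit_directory_names(sample)
    for ldap_name, portal in renamed.items():
        print(f"{ldap_name!r} -> {portal!r} (differs from directory name)")
    for portal, names in collisions.items():
        print(f"{portal!r} would be shared by {names}")
```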