ArcGIS StoryMaps - Infinite login loop

01-22-2025 01:47 PM
Felipe
by
Emerging Contributor

Hello Community,

We are having a problem when trying to access ArcGIS StoryMaps from an ArcGIS Enterprise 11.3 installation.
Portal for ArcGIS is integrated with a SAML authenticator, and almost all apps allow SSO login without problems. However, only StoryMaps (also Vector Style Editor) does not allow direct access. It asks for credentials again, and even after entering them, it seems the application will be available, but it starts to log in and returns to the login page.

It happens after the webcontexturl is configured in the Portal configurations.

I found something similar here, but it does not apply to our case.

Any ideas or insights will be very welcome.

Thank you.
Kind regards,
Felipe

Accepted Solutions
JeffSmith
Esri Contributor

Hi Felipe,

That behavior you are seeing with the infinite login loop for ArcGIS StoryMaps can be a sign that the "esri_aopc" cookie is not getting created properly or perhaps not linked to the correct domain name.  After a successful login to Portal for ArcGIS, can you confirm the esri_aopc cookie exists and is linked to the domain specified in your webcontexturl parameter?
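
The check suggested in the reply above, as an added example that is not part of the original thread and is not Esri code: given the `Set-Cookie` values captured from a login response (for instance from the browser's network tab), it reports whether `esri_aopc` is present and whether its scope covers the `webcontexturl` host, using the RFC 6265 domain-match rule. The host names and cookie attributes in the sample data are constructed placeholders.

```python
from urllib.parse import urlsplit

COOKIE_NAME = "esri_aopc"  # cookie named in the reply above


def parse_set_cookie(raw):
    """Split one Set-Cookie value into (name, attributes keyed in lowercase)."""
    first, *rest = [part.strip() for part in raw.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def domain_match(host, domain):
    """RFC 6265 5.1.3 domain-match for host names (IP literals not handled)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def check_cookie(set_cookie_values, response_url, webcontexturl):
    """Return "missing", "rejected", "wrong-domain" or "ok" for one response."""
    origin = urlsplit(response_url).hostname   # host that set the cookie
    target = urlsplit(webcontexturl).hostname  # host the apps are opened on
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        if name != COOKIE_NAME:
            continue
        domain = attrs.get("domain", "")
        if not domain:
            # Host-only cookie: sent back only to the exact host that set it.
            return "ok" if origin == target else "wrong-domain"
        if not domain_match(origin, domain):
            # Browsers discard a Domain the setting host does not belong to.
            return "rejected"
        return "ok" if domain_match(target, domain) else "wrong-domain"
    return "missing"


# Constructed sample data (placeholders, not captured from a real portal).
WEBCONTEXTURL = "https://gis.example.com/portal"
HOST_ONLY = ["esri_aopc=PLACEHOLDER; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for url in ("https://gis.example.com/portal/",
                "https://portal01.corp.example.net:7443/arcgis/"):
        print(url, "->", check_cookie(HOST_ONLY, url, WEBCONTEXTURL))
```

A result of `wrong-domain` means the cookie was issued for a host other than the one in `webcontexturl`, so the browser will not send it when the app is opened through that URL.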

Felipe
by
Emerging Contributor

Hello @JeffSmith ,

I have created this web.config file inside IIS folders, and the cookie was created and solved the issue:

===========================================================
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="Content-Security-Policy" value="object-src 'none'" />
        <add name="Referrer-Policy" value="no-referrer" />
        <add name="Permissions-Policy" value="usb=(), web-share=(), xr-spatial-tracking=(), screen-wake-lock=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), microphone=(), midi=(), navigation-override=(),browsing-topics=(), accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=()" />
        <add name="X-Esri-Authorization" value="Token" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Do you think the headers are important for the cookie creation?

JeffSmith
Esri Contributor

Hi Felipe,

I'd be careful with some of those headers.  The "X-Esri-Authorization" header should not be hard-coded to "Token".  That gets used by some of the Esri apps as a way to send the token as a header rather than a query parameter.  

Also, the "Strict-Transport-Security" header for HSTS can be enabled through a security option in the portaladmin api.  If you prefer to enable HSTS through IIS, that's ok.  Just make sure they are not enabled in both places.

The other headers are fine.  I don't consider them important for the cookie creation though.  Are you saying the cookie was not created when those headers were not included?

Felipe
by
Emerging Contributor

Hi @JeffSmith ,
Exactly, after I configured the headers as mentioned the cookie creation started working. I have another Portal with the same error where I did not configure the headers and the StoryMaps is in an infinite loop for login.

Regarding the header, I have taken the reference from here and the ArcGIS Enterprise Hardening Guide 2024. However, I believe you are right, since we are not creating any customized app that will require such configuration.

Many thanks for your help!
Kind regards,
Felipe