ArcGIS StoryMaps - Infinite login loop

Felipe · ‎01-22-2025

Hello Community,

We are having a problem when trying to access ArcGIS StoryMaps from an ArcGIS Enterprise 11.3 installation. Portal for ArcGIS is integrated with a SAML authenticator, and almost all apps allow SSO login without problems. However, only StoryMaps (also Vector Style Editor) does not allow direct access. It asks for credentials again, and even after entering them, it seems the application will be available, but it starts to log in and returns to the login page.

It happens after the webcontexturl is configured in the Portal configurations.

I found something similar here, but it does not apply for our case.

Any ideas or insights will be very welcome.

Thank you.
Kind regards,
Felipe

JeffSmith · ‎01-23-2025

Hi Felipe,

That behavior you are seeing with the infinite login loop for ArcGIS StoryMaps can be a sign that the "esri_aopc" cookie is not getting created properly or perhaps not linked to the correct domain name. After a successful login to Portal for ArcGIS, can you confirm the esri_aopc cookie exists and is linked to the domain specified in your webcontexturl parameter?

View solution in original post

JeffSmith · ‎01-23-2025

Hi Felipe,

That behavior you are seeing with the infinite login loop for ArcGIS StoryMaps can be a sign that the "esri_aopc" cookie is not getting created properly or perhaps not linked to the correct domain name. After a successful login to Portal for ArcGIS, can you confirm the esri_aopc cookie exists and is linked to the domain specified in your webcontexturl parameter?

Felipe · ‎01-23-2025

Hello @JeffSmith ,

I have created this web.config file inside IIS folders, and the cookie was created and solved the issue:

===========================================================
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000" />
<add name="X-XSS-Protection" value="1; mode=block" />
<add name="Content-Security-Policy" value="object-src 'none'" />
<add name="Referrer-Policy" value="no-referrer" />
<add name="Permissions-Policy" value="usb=(), web-share=(), xr-spatial-tracking=(), screen-wake-lock=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), microphone=(), midi=(), navigation-override=(),browsing-topics=(), accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=()" />
<add name="X-Esri-Authorization" value="Token" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>

Do you think the headers are important for the cookie creations?

JeffSmith · ‎01-23-2025

Hi Felipe,

I'd be careful with some of those headers. The "X-Esri-Authorization" header should not be hard-coded to "Token". That gets used by some of the Esri apps as a way to send the token as a header rather than a query parameter.

Also, the "Strict-Transport-Security" header for HSTS can be enabled through a security option in the portaladmin api. If you prefer to enable HSTS through IIS, that's ok. Just make sure they are not enabled in both places.

The other headers are fine. I don't consider them important for the cookie creation though. Are you saying the cookie was not created when those headers were not included?

Felipe · ‎01-23-2025

Hi @JeffSmith ,
Exactly, after I configured the headers as mentioned the cookie creation started working. I have another Portal with the same error where I did not configure the headers and the StoryMaps is in an infinite loop for login.

Regarding the header I have taken the reference from here and the ArcGIS Enterprise Hardening Guide 2024. However I believe you are right, once we are not creating any customized app that will require such configuration.

Many thanks for your help!
Kind regards,
Felipe