Configure OpenID Connect logins

06-07-2021 02:20 AM
RomanBoros
New Contributor III

Hi,

We are trying to set up an OpenID Connect login to our ArcGIS Online.

All the necessary configurations were done on our Identity Provider and in the ArcGIS Online admin panel.

The button appeared on the login screen, and after pressing it we are redirected to the Identity Provider. After successful authentication the server redirects back to the portal and an error message is displayed:

Did not receive 'user profile' parameter from the provider.

RomanBoros_0-1623056922667.png

Can you provide more details what might be the problem?

This is the response format that the identity provider returns from the user info endpoint:

RomanBoros_1-1623057291228.png

As the Identity Provider we are using IdentityServer4.

The grant type for this client is authorization_code.

We tried looking into documentation, but there is nothing about this error.

Thanks for your help.

0 Kudos
1 Solution

Accepted Solutions
ChristopherPawlyszyn
Esri Contributor

Another possibility may be that you haven't selected the option to include the access token in the header of the authentication request. I had the same issue on an ADFS 4.0 OpenID Connect configuration I was working on earlier in the week.


0 Kudos
8 Replies
TomRussell1
New Contributor

I'm facing the same issue using the Keycloak IDM. We had previously used Keycloak's SAML integration, but would like to transition to OIDC to align with other applications in our environment.

0 Kudos
RomanBoros
New Contributor III

Unfortunately, SAML is not an option for us at the moment.

Our guess is they are expecting some non-standard parameter to be returned in the token.

0 Kudos
ChristopherPawlyszyn
Esri Contributor

That error message typically means that the scopes are not being released to the service provider. Depending on whether you've specified those scopes in the OIDC configuration for ArcGIS Online/Portal for ArcGIS, you may need to remove them and potentially add other scopes if your provider is not set to allow the listed scopes to the service provider for the registered application.

0 Kudos
RomanBoros
New Contributor III

I do not think that is the case.

In the OIDC configuration we have "openid email profile", and I can confirm that the client in the Identity Server is set up to allow those scopes.

0 Kudos
ChristopherPawlyszyn
Esri Contributor

Another possibility may be that you haven't selected the option to include the access token in the header of the authentication request. I had the same issue on an ADFS 4.0 OpenID Connect configuration I was working on earlier in the week.

0 Kudos
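As an added illustration (not code from this thread, from ArcGIS Online or from IdentityServer4), the following constructed Python model of the OIDC userinfo exchange shows the two failure modes raised in these replies: the relying party gets no usable profile when the access token is not sent as a Bearer token in the Authorization header, and the released claims shrink when the granted scopes do not cover them. Token values, user records and function names are invented for the example; the bearer-token handling follows RFC 6750 and the scope-to-claims mapping follows OpenID Connect Core section 5.4.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample data: access tokens the hypothetical provider has issued,
# with the scopes the user consented to for each one.
ISSUED_TOKENS: Dict[str, Dict] = {
    "tok-abc123": {"sub": "u-42", "scope": {"openid", "email", "profile"}},
    "tok-openid-only": {"sub": "u-43", "scope": {"openid"}},
}

# Constructed sample user records behind the userinfo endpoint.
USER_STORE: Dict[str, Dict] = {
    "u-42": {"sub": "u-42", "name": "Pat Example", "preferred_username": "pat",
             "email": "pat@example.test", "email_verified": True},
    "u-43": {"sub": "u-43", "name": "Sam Example", "preferred_username": "sam",
             "email": "sam@example.test", "email_verified": False},
}

# Standard OIDC scope -> claims mapping (subset of OpenID Connect Core 5.4).
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "openid": {"sub"},
    "profile": {"name", "preferred_username"},
    "email": {"email", "email_verified"},
}


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: Dict


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not auth:
        return None
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def userinfo_endpoint(req: Request) -> Response:
    """Provider side: release only the claims covered by the token's scopes."""
    token = extract_bearer(req.headers)
    if token is None:
        # RFC 6750 section 3.1: no credentials presented -> 401 with a bare challenge.
        return Response(401, {"WWW-Authenticate": 'Bearer realm="userinfo"'}, {})
    grant = ISSUED_TOKENS.get(token)
    if grant is None:
        # Unknown or expired token -> 401 with the invalid_token error code.
        return Response(401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, {})
    allowed: Set[str] = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in grant["scope"]))
    record = USER_STORE[grant["sub"]]
    claims = {k: v for k, v in record.items() if k in allowed}
    return Response(200, {"Content-Type": "application/json"}, claims)


def fetch_user_profile(access_token: str, token_in_header: bool) -> Optional[Dict]:
    """Relying-party side: call userinfo and return the claims, or None on failure.

    token_in_header=False models a relying party that never puts the access
    token into the Authorization header, which is the misconfiguration
    discussed in the thread.
    """
    headers = {"Authorization": f"Bearer {access_token}"} if token_in_header else {}
    resp = userinfo_endpoint(Request(headers=headers))
    # A usable profile must at minimum carry the 'sub' claim.
    if resp.status != 200 or "sub" not in resp.body:
        return None
    return resp.body


if __name__ == "__main__":
    print(fetch_user_profile("tok-abc123", token_in_header=True))
    print(fetch_user_profile("tok-abc123", token_in_header=False))
    print(fetch_user_profile("tok-openid-only", token_in_header=True))
```

With the header present the relying party receives the full claim set; without it the provider answers 401 and the relying party has nothing to build a profile from, which is the situation behind a "did not receive user profile" style error. The third call shows the scope case from the earlier reply: a token granted only `openid` yields nothing beyond `sub`, so name and e-mail never reach the service provider even though the request itself succeeds.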
RomanBoros
New Contributor III

Should I look for that option in the ArcGIS Online/Portal or on the Identity Server?

On the server the closest thing is this parameter, and that is set to true.

RomanBoros_0-1623414699518.png


0 Kudos
RomanBoros
New Contributor III

After another attempt we found that parameter.

Setting that to true was the solution.

For anyone still wondering, you can find it at the bottom when you edit the configuration:

Organization -> Settings -> Security -> Logins -> Configure login

RomanBoros_0-1623668238436.png

MarkCederholm
Regular Contributor II

I'm playing around with IdentityServer4 as an OpenID Connect source, and I am getting the same "user profile" error, although it works fine for an MVC client that uses the same parameters as ArcGIS Online. Next I created a custom IProfileService implementation to see if it's actually being called, and again it works fine for the MVC client, but with AGOL only IsActiveAsync is being called (and returning true); GetProfileDataAsync is never called.

0 Kudos