Configure OpenID Connect logins

3066
19
Jump to solution
06-07-2021 02:20 AM
Labels (1)
RomanBoros
New Contributor III

Hi,

We are trying to setup an OpenID Connection to our ArcGIS Online.

All the necessary configurations were done on our Identity Provider and in the ArcGIS Online admin panel.

The button appeared on the login screen and after pressing we are redirected to the Identity Provider. After successful authentication the server redirects back to the portal and an error message is displayed.

Did not receive 'user profile' parameter from the provider.

RomanBoros_0-1623056922667.png

Can you provide more details what might be the problem?

This is the response format that the identity provider returns from the user info endpoint

RomanBoros_1-1623057291228.png

As Identity Provider we are using Identity Server 4.

The grant type for this client is authorization_code

We tried looking into documentation, but there is nothing about this error.

Thanks for your help.

Tags (3)
1 Solution

Accepted Solutions
ChristopherPawlyszyn
Esri Contributor

Another possibility may be that you haven't selected the option to include the access token in the header of the authentication request. I had the same issue on an ADFS 4.0 OpenID Connect configuration I was working on earlier in the week.

View solution in original post

0 Kudos
19 Replies
TomRussell1
New Contributor

I'm facing the same issue using the Keycloak IDM, we had previously used Keycloak's SAML integration but would like to transition to OIDC to align with other applications in our environment

0 Kudos
RomanBoros
New Contributor III

Unfortunately, SAML is not an option for us at the moment.

Our guess is they are expecting some non-standard parameter to be returned in the token.

0 Kudos
ChristopherPawlyszyn
Esri Contributor

That error message typically means that the scopes are not being released to the service provider. Depending on whether you've specified those scopes in the OIDC configuration for ArcGIS Online/Portal for ArcGIS, you may need to remove them and potentially add other scopes if your provider is not set to allow the listed scopes to the service provider for the registered application.

0 Kudos
RomanBoros
New Contributor III

I do not think that is the case.

In the OIDC configuration we have "openid email profile" and I can confirm that the client in the Identity Server is setup in the way to allow those scopes.

0 Kudos
ChristopherPawlyszyn
Esri Contributor

Another possibility may be that you haven't selected the option to include the access token in the header of the authentication request. I had the same issue on an ADFS 4.0 OpenID Connect configuration I was working on earlier in the week.

0 Kudos
RomanBoros
New Contributor III

Should I look for that option in the ArcGIS Online/Portal or on the Identity Server?

On the server the closes thing there is this parameter and that is set to true.

RomanBoros_0-1623414699518.png

 

0 Kudos
RomanBoros
New Contributor III

After another attempt we found that parameter.

Setting that to true was the solution.

For anyone still wondering, you can find that at the bottom, when you try to edit the configuration.

Organization -> Settings -> Security -> Logins-> Configure login

RomanBoros_0-1623668238436.png

 

 

HaraldLund
New Contributor II

Hi, 

As I understand, you were able to use IdentityServer4 as an OpenID Connect IDP and connect ArcGIS Online with your IDP. By checking the "Send access token in header" seemed to help you out. Unfortunately, this approach does not solve this issue for my setup. I have used the IdentityServer4 QuickStart sample and just for now is using the in-memory user store. Trying to check the mentioned checkbox, making sure that the claims is sent with the access token  setting the  AlwaysIncludeUserClaimsInIdToken = true, for the client setup does not help. I still get the message "Did not receive 'user profile' parameter from the provider." 

I have successfully managed to set up Okta as an OpenID Connect IDP. It does not seem to me that userinfo endpoint is ever called from ESRI, even when the configuration does not have specified the JWKS URL and added the usserinfo URL.

What else have you configured with your IDP, @RomanBoros

JoshuaAbbott
New Contributor II

Did you get this working? I am also using IdentityServer4 and I see the same "Did not receive 'user profile' parameter from the provider." error, though I have tried all the suggestions in this thread. I see that later you give a list of claims that ArcGIS expects, but, as @MarkCederholm says, GetProfileDataAsync is never called, so I'm not sure that the claims are the problem.

0 Kudos