Hi,
We are trying to set up an OpenID Connection to our ArcGIS Online.
All the necessary configurations were done on our Identity Provider and in the ArcGIS Online admin panel.
The button appeared on the login screen and after pressing it we are redirected to the Identity Provider. After successful authentication the server redirects back to the portal and an error message is displayed:
"Did not receive 'user profile' parameter from the provider."
Can you provide more details on what might be the problem?
This is the response format that the identity provider returns from the user info endpoint
As Identity Provider we are using Identity Server 4.
The grant type for this client is authorization_code.
We tried looking into documentation, but there is nothing about this error.
Thanks for your help.
I'm facing the same issue using the Keycloak IDM. We had previously used Keycloak's SAML integration but would like to transition to OIDC to align with other applications in our environment.
Unfortunately, SAML is not an option for us at the moment.
Our guess is they are expecting some non-standard parameter to be returned in the token.
That error message typically means that the scopes are not being released to the service provider. Depending on whether you've specified those scopes in the OIDC configuration for ArcGIS Online/Portal for ArcGIS, you may need to remove them and potentially add other scopes if your provider is not set to allow the listed scopes to the service provider for the registered application.
I do not think that is the case.
In the OIDC configuration we have "openid email profile" and I can confirm that the client in the Identity Server is set up in a way that allows those scopes.
Another possibility may be that you haven't selected the option to include the access token in the header of the authentication request. I had the same issue on an ADFS 4.0 OpenID Connect configuration I was working on earlier in the week.
Should I look for that option in the ArcGIS Online/Portal or on the Identity Server?
On the server the closest thing there is this parameter and that is set to true.
After another attempt we found that parameter.
Setting that to true was the solution.
For anyone still wondering, you can find that at the bottom, when you try to edit the configuration.
Organization -> Settings -> Security -> Logins -> Configure login
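As an added illustration (not part of the original thread, and not Esri or IdentityServer code): a minimal WSGI UserInfo endpoint that only honours an access token sent in the Authorization header, as RFC 6750 describes, showing how the same valid token yields a profile in one request and none in the other. The token, the claims and the query-parameter alternative are constructed assumptions.

```python
import json

# Constructed sample data: one issued access token and the claims behind it.
ISSUED = {"tok-123": {"sub": "42", "email": "user@example.org", "name": "Sample User"}}


def userinfo_app(environ, start_response):
    """Minimal WSGI UserInfo endpoint that only reads the Authorization header."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = auth.partition(" ")
    claims = ISSUED.get(token.strip()) if scheme.lower() == "bearer" else None
    if claims is None:
        # Token missing, unknown, or sent outside the header: no profile released.
        start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
        return [b""]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(claims).encode()]


def call(environ):
    """Invoke the app in-process; return (status_code, parsed_body_or_None)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])

    raw = b"".join(userinfo_app(environ, start_response))
    return captured["status"], (json.loads(raw) if raw else None)


def profile_from(environ):
    """What the relying party ends up with: the claims, or None if the call fails."""
    status, body = call(environ)
    return body if status == 200 else None


# Token in the Authorization header: the endpoint returns the profile.
in_header = {"REQUEST_METHOD": "GET", "HTTP_AUTHORIZATION": "Bearer tok-123"}
# Same valid token as a query parameter (assumed alternative): it is never read.
in_query = {"REQUEST_METHOD": "GET", "QUERY_STRING": "access_token=tok-123"}

if __name__ == "__main__":
    print("header:", profile_from(in_header))
    print("query: ", profile_from(in_query))
```

When reproducing this against a real provider, the 401 on the UserInfo request in the IdP's logs is the signal to look for; the login itself will already have succeeded.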
Hi,
As I understand, you were able to use IdentityServer4 as an OpenID Connect IDP and connect ArcGIS Online with your IDP. Checking the "Send access token in header" option seemed to help you out. Unfortunately, this approach does not solve this issue for my setup. I have used the IdentityServer4 QuickStart sample and, just for now, am using the in-memory user store. Checking the mentioned checkbox and making sure that the claims are sent with the access token by setting AlwaysIncludeUserClaimsInIdToken = true for the client setup does not help. I still get the message "Did not receive 'user profile' parameter from the provider."
I have successfully managed to set up Okta as an OpenID Connect IDP. It does not seem to me that the userinfo endpoint is ever called from ESRI, even when the configuration does not have specified the JWKS URL and added the userinfo URL.
What else have you configured with your IDP, @RomanBoros?
Did you get this working? I am also using IdentityServer4 and I see the same "Did not receive 'user profile' parameter from the provider." error, though I have tried all the suggestions in this thread. I see that later you give a list of claims that ArcGIS expects, but, as @MarkCederholm says, GetProfileDataAsync is never called, so I'm not sure that the claims are the problem.