Connecting to ArcGIS Server after configuring SAML and Federating

02-20-2015 03:14 AM
ChrisAdams
Esri Contributor

After setting up Portal for ArcGIS 10.3 to use SAML with AD users, we are unable to create an ArcGIS Server connection in ArcMap. Has anyone else come across this?! All other admin functions work; we can sign in to ArcGIS Server Manager with our AD credentials, we can log in to Portal fine. I tried creating a token directly but this fails as well:

https://<machine name.domain>/arcgis/sharing/generateToken

"Invalid username or password"

I am definitely not entering an incorrect username or password, unless the username format is wrong. I have tried:

DOMAIN\username

domain\username

username

portal username

The token is only generated successfully for the initial admin account.

I can log in to the portaladmin site and search on enterprise users. Correctly, my username shows up, but for some reason ArcGIS Desktop is not authenticating AD users. It does authenticate against the initial admin account absolutely fine.

Authentication worked fine before using SAML, i.e., using AD users and federating with Server.


RyanDay
New Contributor III

Yea...  reproduced error on my end as well.

Did you get anywhere on this?  I think this is a bug (or feature request) on ArcCatalog side myself, as I think it should present you with the SAML login screen here, like it does everywhere else.

I think for a DOMAIN account you shouldn't expect to be able to use the generateToken page from ArcGIS Server after federation (except for the primary admin).  Which if you open fiddler is what ArcCatalog is trying to do still as well.

ChrisAdams
Esri Contributor

This is possible in 10.3. After retesting, the reason why I didn’t get the SAML login box was because I was trying to enter my credentials in the authentication box. This is not what you do. You need to leave these fields blank, and also untick the box ‘save username/password’. Click ‘Finish’ and you should be prompted with the login box:

[screenshot: SAML.png]

Here is another troubleshooting tip if your sign in box does not appear:

Check your Internet Explorer group policy settings. These could be preventing JavaScript from running in Internet Explorer. ArcGIS for Desktop uses an Internet Explorer ActiveX control to log in to Portal, which in turn redirects to the SAML IdP login when Portal is configured to use SAML. If the SAML login page has any embedded JavaScript and the Internet Explorer policy is preventing this JavaScript from running, the login will not work. To work around this, either change the group policy to allow JavaScript in IE, or change your SAML login page to a pure HTML form.
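The workaround above hinges on whether the IdP's login page can be submitted without a script engine. The following is an added example (not code from the original post, from Esri, or from any IdP vendor) that scans a login page's HTML for the constructs that need JavaScript: `<script>` elements, `on*` event-handler attributes, and `javascript:` URLs, and reports whether what remains is a plain form with a real submit control. The two sample pages are constructed for the example; fetch your own IdP's login page with a browser or curl and feed the saved HTML to `audit_login_page`.

```python
from html.parser import HTMLParser

# Constructed sample pages (not from any real IdP or from the original post).
# The first relies on JavaScript in three places; the second is a pure HTML form.
JS_LOGIN_PAGE = """<html><head><title>Sign in</title>
<script src="/js/login.js"></script></head>
<body onload="init()">
<form id="f" method="post" action="/idp/sso">
<input name="username"><input name="password" type="password">
<a href="javascript:document.getElementById('f').submit()">Sign in</a>
</form></body></html>"""

PURE_FORM_PAGE = """<html><head><title>Sign in</title></head><body>
<form method="post" action="/idp/sso">
<input name="username"><input name="password" type="password">
<input type="submit" value="Sign in">
</form></body></html>"""


class _LoginPageScanner(HTMLParser):
    """Collects every construct that needs a script engine, and records whether
    the page can be submitted without one (a form with a real submit control)."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.has_form = False
        self.has_submit_control = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            where = f"src={attr_map['src']}" if attr_map.get("src") else "inline"
            self.findings.append(f"<script> element ({where})")
        for name, value in attr_map.items():
            if name.startswith("on"):
                # onload, onclick, onsubmit, ... all need a script engine
                self.findings.append(f"<{tag}> has event-handler attribute {name}")
            elif name in ("href", "action", "src", "formaction") and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag}> {name} is a javascript: URL")
        if tag == "form":
            self.has_form = True
        elif tag == "input" and attr_map.get("type", "text").lower() in ("submit", "image"):
            self.has_submit_control = True
        elif tag == "button" and attr_map.get("type", "submit").lower() == "submit":
            self.has_submit_control = True


def audit_login_page(html):
    """Report whether a login page can work with scripting disabled."""
    scanner = _LoginPageScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "requires_javascript": bool(scanner.findings),
        "findings": scanner.findings,
        # a pure HTML form: a <form> with a submit control and nothing that needs a script engine
        "pure_html_form": scanner.has_form and scanner.has_submit_control and not scanner.findings,
    }


if __name__ == "__main__":
    for label, page in (("JS page", JS_LOGIN_PAGE), ("pure form", PURE_FORM_PAGE)):
        report = audit_login_page(page)
        print(label, "->", "pure HTML form" if report["pure_html_form"] else "needs JavaScript")
        for finding in report["findings"]:
            print("   ", finding)
```

A page that reports no findings but also no submit control (for example one whose only "Sign in" element is a styled `<div>`) will not work with scripting disabled either, which is why the report distinguishes `pure_html_form` from merely `requires_javascript` being false.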

AndrewBowne
Occasional Contributor III

Chris-

Thanks for the tips.  I have been having the exact same problem.  Not adding in the user/pass prompts me to use my portal/federated account.  When I enter the info, ArcCatalog hangs and then I get a connection error.  I can connect to the site using the machine name, but I cannot connect using the Elastic IP (I am on Amazon).

Any ideas?

ChrisAdams
Esri Contributor

Hi,

Perhaps this is to do with your certificate. Do you mean to say you can connect when using the machine name and then entering your credentials in ArcCatalog?

Deploy Portal for ArcGIS on AWS—Portal for ArcGIS (10.3 and 10.3.1) | ArcGIS for Server <http://server.arcgis.com/en/portal/latest/administer/windows/deploy-portal-on-aws.htm>

Regards,

Chris

AndrewBowne
Occasional Contributor III

Chris,

Yes - I can connect using the machine name but not the Elastic IP address.

CAN:

https://gisappserver2.gis.local/arcgis

CAN'T:

https://elastic-ip.compute-1.amazonaws.com/arcgis

When I federated the ArcGIS Server with Portal I was only able to federate as https://gisappserver2.gis.local/arcgis and NOT https://elastic-ip.compute-1.amazonaws.com/arcgis

I am using only a self-signed certificate since this is for test/proof-of-concept purposes.  The article you attached suggested not to use self-signed certs; however, I saw other articles that said it was acceptable for testing.  Because this is on AWS, is CA-signed required?

Thanks for your help,

Andrew

SzymonPiskula1
New Contributor III

Chris,

What role level were you at when connecting? I can connect fine if I try as publisher or administrator and my portal role allows me to perform the given level's operations. But I was not able to do so when I degraded myself to the User role in Portal and then tried to set up a connection in ArcMap with 'Use GIS services'. What happens then is that the connection is set up, but it has no content, not even the items/map services I own. Interestingly, during the connection process the dialog to sign in (as on your screenshots) does not show - it creates the connection immediately.

The dialog does show if I connect as publisher or administrator, though.

Regards,
Szymon

SzymonPiskula1
New Contributor III

I think I have found the answer to my own question: this is not possible in a SAML scenario.

Make a user connection to ArcGIS Server in ArcGIS Desktop—ArcGIS Server Administration (Linux) | Arc... 

If the ArcGIS Server site you're connecting to is federated with a portal, provide portal credentials. If your portal uses SAML authentication, you cannot connect directly to the federated server from ArcMap.

DarylHochhalter
Occasional Contributor II

I'm using SAML with ArcGIS Enterprise 10.7, federated Server and Portal, 2 web adapters. I had to go into ArcGIS Administrator and add the portal URL to portal connections so that you are able to sign in to Portal from ArcMap or ArcCatalog. I was then able to create an admin connection in ArcGIS Desktop to the federated server using my AD credentials, which were already assigned admin privileges in Portal.
