We have an ArcGIS Enterprise installation on AWS Ec2 machines. We are currently configuring SAML based single sign-on and IDP has provided a pubic and private key. I want to know the process of setting up Private+Public keys for SAML in ArcGIS.
There are videos available for SSL certificates configuration but they don't talk about keys configuration for SAML especially how to import the private keys (.pfx) files.
The configuration of SAML is done through the following options:
1. Using the IDP metadata url
2. Using a metadata file
3. Using parameters
The first 2 options should automatically import the correct certificate key. Sometimes that certificate is out of date or wrong, so you can manually update it by editing the SAML configuration.
The last option will allow you to specify the certificate key directly.
In my experience it is much easier (and foolproof) to use an IDP metadata url or file, as this will automatically populate everything for you.
Once you the identity provider metadata is downloaded you will then need to create the service provider metadata file and give that back to IT so they can configure the trust relationship on the IDP.
We have used the parameters option and manually copied the certificate from IDP metadata file (there was some an error coming when importing the metadata file)
Now, there is another public and private key (combination of .cer & .pfx files) that is different from IDP provided one. That is our own (CA provided) public and private key. We have to provide the public cert to the IDP. Question is how do I install/update these certificates on the portal machines. I need steps required to import the SAML certs and where to store/install the private key?
Path of Portal admin directory looks like this
Home > Machines > 10.1.1.22 > SSLCertificates
Portal for ArcGIS uses the alias 'samlcert' to define which keypair is used for encryption/decryption of the assertion or signing of the SAML request. The steps are listed in the documentation, but essentially you delete the 'samlcert' certificate that was shipped with the product, then import a new certificate using the same alias. In a high availability Portal for ArcGIS site, you'll need to use the same certificate for both machines.
"The Encrypt Assertion and Enable signed request settings use the certificate samlcert in the portal keystore. To use a new certificate, delete the samlcert certificate, create a certificate with the same alias (samlcert) following the steps in Import a certificate into the portal, and restart the portal."