
SAML IdpUsername Attribute Mapping

03-14-2024 05:16 AM
JonathanDandois
Occasional Contributor

Good morning, I'm pretty sure this is an issue for our on-site IT IDP provider and not Esri, but wanted to post here anyway.

Running Enterprise Portal 10.9.1. We had our Enterprise configured for SAML sign-in via our Org's IDP several years ago and before I got here. My typical approach to managing new users for this sign-in type was to add their org email like "username@org.email"; Portal then defaults the username to "username", and everything is happy. The user's first and last name get updated based on the SAML response after first login, and their username in the portal is of the form "username".

Fast forward now, our IT is using a new IDP management system and I am registering new Portals (11.1) in that system. I follow the Esri Enterprise instructions and our IT instructions for registering the IDP and SP on both sides, and then add users as above.

But, when I try to sign in as the users, I get this error below. If I create the user in Portal with the username format of "username@org.email", then the SAML SSO works as expected. But if the Portal user is created with the "username" username form, then the error occurs.

This seems like an issue with the SAML Attribute Mapping and I have submitted a ticket for our internal IT.

Is it normal in Portal for usernames to use the form "username"? Reviewing Community here, it seems more common that folks are using "username@org.email" form.

I don't have a strong preference, because users don't type in their username into Portal to use SSO anyway, just looking for consistency.

 

 

[screenshot of the sign-in error: JonathanDandois_0-1710418054323.png]

3 Replies
MingLee
Esri Contributor

For built-in 'local' Portal accounts, it is normal for usernames to use the form 'username', though one can use any form, so long as it is consistent. Usernames that use the form username@org.email usually come from an IDP provider. I am not sure if your first example is typical, though it could be due to the way the claims are mapped between what ArcGIS Enterprise needs and what the IDP provides.

As for users needing to type 'username@org.email' in, it shouldn't be necessary, as it is likely they've already signed in via a browser.

JonathanDandois
Occasional Contributor

@MingLee is it possible there are differences between ArcGIS Enterprise versions and how they parse IdpUsername from SAML?

I have an Enterprise 10.9.1 deployment that was originally configured for SAML as a 10.6.1 deployment and has since been upgraded twice to 10.9.1.

  • To add a SAML user, I have always provided an email username@org.email and a username.
  • The SAML IDP is successful.
  • However, in testing this today, I created a new SAML user with email username@org.email and username username@org.email.
  • Then I get this error:
    • [screenshot: JonathanDandois_0-1710861758521.png]

However, the reverse applies for my new 11.1 Enterprise deployment. As discussed in the ticket previously, I have to create new SAML users with email username@org.email and username username@org.email, otherwise the IDP fails with a mismatched IdpUsername.

I confirmed with our IDP manager, these different deployments have matching SAML Attribute Mappings.

 

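The pattern in the posts above, where a Portal user stored as "username" fails while the same user stored as "username@org.email" signs in, is what you see when the value the service provider reads as the IdP username (the Subject NameID, or an attribute the SP has been configured to map) carries the e-mail form. The script below is an added example, not Esri or Portal code: it parses a SAML Response, pulls out the NameID and the attribute statement, compares the claimed username with the stored Portal username, and on a mismatch reports which assertion field would have matched, so you can tell whether the fix belongs in the IdP's attribute mapping or in how the Portal user was created. The response XML, the attribute names (sAMAccountName, email, givenName, surname) and the user "jdoe@org.email" are constructed for the example, and the matching rule (exact, whitespace-trimmed, case-sensitive comparison against NameID unless a username attribute is configured) is an assumption, not a documented Portal behaviour.

```python
"""Diagnose a SAML IdpUsername mismatch by inspecting the assertion.

Added example, not Esri/Portal code. Assumption (labelled): the service
provider takes its IdP username from the Subject NameID unless it has been
configured to read a named attribute instead, and compares that value with
the stored Portal username exactly (whitespace-trimmed, case-sensitive).
The response below is constructed for the example and is assumed to have
already passed signature and audience validation; never trust an assertion
before that step.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response; "jdoe", "org.email" and the attribute names are placeholders.
SAMPLE_RESPONSE = """\
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_r1" Version="2.0" IssueInstant="2024-03-14T10:16:00Z">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-14T10:16:00Z">
    <saml2:Issuer>https://idp.org.email/saml</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@org.email</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email"><saml2:AttributeValue>jdoe@org.email</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="givenName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="surname"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="sAMAccountName"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def parse_assertion(xml_text):
    """Return (name_id, attributes) from the first Assertion in a Response.

    attributes maps each Attribute Name to its list of AttributeValue strings.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS)
    attributes = {}
    for attr in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return name_id.strip(), attributes


def claimed_idp_username(name_id, attributes, username_attribute=None):
    """The value the SP will treat as the IdP username (assumed rule, see module docstring)."""
    if username_attribute is None:
        return name_id
    values = attributes.get(username_attribute)
    if not values:
        raise ValueError(f"assertion has no attribute named {username_attribute!r}")
    return values[0].strip()


def attributes_matching(portal_username, name_id, attributes):
    """Assertion fields whose value equals the stored Portal username ("NameID" for the subject)."""
    wanted = portal_username.strip()
    matches = ["NameID"] if name_id == wanted else []
    matches += [name for name, values in attributes.items()
                if wanted in [v.strip() for v in values]]
    return matches


def check_portal_user(portal_username, xml_text, username_attribute=None):
    """Compare the stored Portal username with what the assertion claims.

    Returns a dict with ok, the claimed value and, on mismatch, which assertion
    fields would have matched, pointing at the mapping (or username) to change.
    """
    name_id, attributes = parse_assertion(xml_text)
    claimed = claimed_idp_username(name_id, attributes, username_attribute)
    ok = claimed == portal_username.strip()
    return {
        "ok": ok,
        "claimed": claimed,
        "would_match": [] if ok else attributes_matching(portal_username, name_id, attributes),
    }


if __name__ == "__main__":
    for user in ("jdoe@org.email", "jdoe"):
        print(user, check_portal_user(user, SAMPLE_RESPONSE))
    # Mapping the IdP's sAMAccountName attribute as the username makes "jdoe" work:
    print("jdoe", check_portal_user("jdoe", SAMPLE_RESPONSE, username_attribute="sAMAccountName"))
```

Run it against a decoded SAMLResponse captured from the browser (a SAML tracer extension or the POST body to the SP's assertion consumer URL) with the Portal username in question; if `would_match` names an attribute rather than NameID, the IdP side needs to map that attribute as the username (or the Portal user needs to be created with the NameID form), which is the distinction between the two deployments discussed above.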
JonathanDandois
Occasional Contributor

Thanks @MingLee. I agree with your distinction between built-in and IDP users and the username format. For me, it's mostly a matter of consistency or migration for current IDP users, in case it's related to the mappings on the IDP side.
