We discovered this bug last year during our 10.7 install and configuration. This is a key feature we were hoping to leverage and have since been unable to do so and required a third party integration be developed to sync our portal with employee directory.
It is still in the new status. Can someone from ESRI shed some light on the path of this bug being fixed? Has anyone else experienced this bug? Any work arounds?
I agree with you. It sounds like it has something to do with the old accounts that have been upgraded from earlier releases. Have the enterprise accounts on your production system been through multiple upgrades or were those accounts created at 10.7.1? I can't think of too much that was added for users between 10.7.1 and 10.8 but if they are older, there could be something else. The group refresh is supposed to occur every time a user logs in, not just when the account gets created. The debug logs should reveal the group refresh during login. Do you see anything there?
In fact it has nothing to do with the old accounts nor the upgrade as I am able to reproduce the issue on brand new 10.8 environment.
I was misguided because group membership is correctly computed at account initialization but not afterward so the test was different.
Following your recommandation, I enabled logging to debug mode and created to 2 groups 'TEST-SAML' and 'TEST-SAML2' configured as member of the organization group 'gis-esriportal' and tried to log in with an account not initialized on ArcGIS Enterprise and member of the group 'gis-esriportal':
As you can see the user 'foobar' is correctly added to the groups 'TEST-SAML' and 'TEST-SAML2' as it is a member of 'gis-esriportal'.
Then, I created a third group 'TEST-SAML3' configured membership to the very same enterprise group 'gis-esriportal'.
If I try to log in once again with the test account (after signing out, clearing cookie and incognito mode), the following is logged:
So it seems like it does test for membership but according to ArcGIS Enterprise, it is not member of 'gis-esriportal' group.
Then I delete the account on 'ArcGIS Enterprise' and tried to log in again:
User is added to 'TEST-SAML3' group this time.
Any idea what could be the issue ?
Based on the logs it looks like you might have a "Windows" group store configuration defined in Portaladmin > Security > Config. Can you double-check that? The refresh group membership logs that are appearing when it fails are unique to Windows or LDAP group store configurations. The SAML enterprise group logs match the first one and the last one where it worked.
Currently it is possible to enable SAML enterprise groups when you configure SAML and also have an Active Directory or LDAP group store defined in portaladmin. When this happens they conflict with each other and you see weird results. We are working on an enhancement to only allow one or the other.
Thanks for checking. From your previous message it looks like you have all three of your SAML-TEST groups linked to the same 'gis-esriportal' group. Is that correct? There is an outstanding issue related to having multiple Portal groups linked to a single SAML enterprise group. The behavior is inconsistent. Can you confirm in your production environment if you have more than one Portal group linked to a single SAML group?
Thanks for your reply.
Indeed, the three groups are linked to the same 'gis-esriportal' enterprise group.
I confirm that if I change it to another enterprise group it is working without having to delete the user.
So I believe we are having the same 'issue related to having multiple Portal groups linked to a single SAML enterprise group'.
FYI, doing this test, I noticed something strange in the log. Though, the user is added to the new group, the tests are failing.
Here is the test I did: I created one ArcGIS Enteprise group called 'TEST-SAML-FOUND' and linked it to enterprise group 'gis-esriportal-2'. As you can see on the screenshot below, though tests are failing ("Is user in group took 1 ms to test if user email@example.com was in group gis-esriportal-2. Value: false. Tested formats: [company.com\foobar, foobar, firstname.lastname@example.org]), it is nevertheless added to the ArcGIS Enterprise group "TEST-SAML-FOUND":
Yes, what you are seeing in the debug logs there is a separate issue (relatively minor in my mind). When the linked enterprise group is added or changed, we have logic in place to automatically clear and refresh the group membership. This works great for Windows or LDAP enterprise groups but cannot be done for SAML groups because there is no way to query a SAML idp. The bug here is that with SAML groups enabled, it should only clear the existing group membership and not attempt to do a refresh. Fortunately this does not appear to be breaking anything. The group membership is still getting cleared as expected and the attempted refresh is simply failing. It does cause confusion though when looking at the debug logs.
Thanks for your explanation.
And regarding the 'issue related to having multiple Portal groups linked to a single SAML enterprise group', do you have anything logged on your side ? Any hope to have it solved for 10.8.1 ?
It is very convenient to be able to create multiply groups to classify though it is linked to the same enterprise group.
Unfortunately this has not been solved in 10.8.1 and I'm not aware of a public BUG logged for this yet. It might be helpful to contact our Support team to have one logged for this.