Unable to access Portal with built-in admin account

5010
7
Jump to solution
11-27-2020 09:33 AM
JonSwoveland
Occasional Contributor

Hey all, so I seem to have got myself into a wee bit of a pickle.   First off, this is not a case of forgetting the built-in admin username or password.  I'm (all too) familiar with the cmd line tool to reset that. 

I setup an instance of Portal 10.8.1 to test configuration of a SAML 2.0 Federation with OKTA. This all worked fine until I disabled the option for users to login using built-in Portal accounts.  The only administrative user is the built-in portal admin user, and there appears to be no way for me to log in with built-in users anymore. This means I have not way to re-enable built-in user logins via the Portal UI.

I'm so used to using IWA authentication through the web adapter, I figured I'd be able to login with the built-in account by access Portal directly via :7443 but of course that still redirects authentication to OKTA.  

I can login to the portaladmin directory using the built-in admin account, but cannot find any way to enable built-in user logins from there.   

Looking at the response from the <portal-url>/sharing/rest/portals/self endpoint, I see there is a property named "samlEnabled", with a value of true.  However, I have  scoured all the configuration files I can find, but am unable to find a setting to control this.

This is just a test setup, so in my case it's not a big deal to reinstall, but there really should be a way to fix this via configuration.  

If reinstall is the only answer, I will be submitting a suggestion to Esri that disabling built-in user logins is not allowed unless at least one administrative user from an alternate IdP exists, and IdP settings should be configurable via portaladmin.

Thanks all!

 

0 Kudos
2 Solutions

Accepted Solutions
by Anonymous User
Not applicable

I often use the ArcGIS API for Python for updating specific properties. Something like this should do the trick once you can programatically login.

 

from arcgis.gis import GIS
gis = GIS('home')

display(gis.properties.canSignInArcGIS)
display(dict(gis.properties))

# backup old properties
old_properties = dict(gis.properties)

 

This backups up the old_properties in case you need to restore them. The next part simply updates one of it's properties. It sounds like you have established what needs to be updated so you can define the property here (I'm guessing it's the canSignInArcGIS property):

 

# specify properties to be updated
update = {'canSignInArcGIS': True}
gis.update_properties(update)

 

You can then confirm that the update has gone through by running this:

 

# check to see update was successful
gis.properties.canSignInArcGIS

 

View solution in original post

Travis_Esri
Esri Contributor

Hello Jon,

 

Esri Support created the following technical article for for the workflow you are describing. If you do not have an administrator SAML account you can use to update the value in Portal home, changing the "Can SignIn Using ArcGIS" value to true via the self page will enable built-in logins again on the signin page.

 

Problem: Portal for ArcGIS sign in page allows only enterprise logins preventing administrators from... 

 

Please let me know if you have any further questions on this.

 

Thanks,

Travis

View solution in original post

7 Replies
by Anonymous User
Not applicable

I often use the ArcGIS API for Python for updating specific properties. Something like this should do the trick once you can programatically login.

 

from arcgis.gis import GIS
gis = GIS('home')

display(gis.properties.canSignInArcGIS)
display(dict(gis.properties))

# backup old properties
old_properties = dict(gis.properties)

 

This backups up the old_properties in case you need to restore them. The next part simply updates one of it's properties. It sounds like you have established what needs to be updated so you can define the property here (I'm guessing it's the canSignInArcGIS property):

 

# specify properties to be updated
update = {'canSignInArcGIS': True}
gis.update_properties(update)

 

You can then confirm that the update has gone through by running this:

 

# check to see update was successful
gis.properties.canSignInArcGIS

 

JonSwoveland
Occasional Contributor

Thanks! I'm going to give this a try.  

0 Kudos
JonSwoveland
Occasional Contributor

That worked!!! Thanks so much!  
As much as I like being able to fix things using code, it doesn't seem reasonable to have to resort to this for a critical administrative task.  Would the folks at Esri Support know about this approach?  

Anyhow, thanks for giving me a new tool for my toolbelt!

0 Kudos
Travis_Esri
Esri Contributor

Hello Jon,

 

Esri Support created the following technical article for for the workflow you are describing. If you do not have an administrator SAML account you can use to update the value in Portal home, changing the "Can SignIn Using ArcGIS" value to true via the self page will enable built-in logins again on the signin page.

 

Problem: Portal for ArcGIS sign in page allows only enterprise logins preventing administrators from... 

 

Please let me know if you have any further questions on this.

 

Thanks,

Travis

JonSwoveland
Occasional Contributor

Thanks Travis, I was so close to finding that prior to the ArcGIS API for Python approach.  

0 Kudos
NickHarvey
Occasional Contributor II

@Anonymous User  - Thank you for posting this Michael - It got me out of this Catch 22 - I could not access the update url below with out signing in, but my SAML setup wasn't working either..  

https://<portal.domain.com>:7443/arcgis/sharing/rest/portals/self/update

 

0 Kudos
ahargreaves_FW
Occasional Contributor III

I'm stuck and unable to log into our portal using a built-in account. I followed the instructions in the article here to attempt to switch the 'Can SignIn Using ArcGIS' setting to try, but it already is. I'm stumped.

ahargreaves_FW_0-1632847084297.png

 

0 Kudos