Missing user profile in response from identity server.

2637
5
03-11-2022 01:21 PM
pocalipse
New Contributor III

Hi

I'm trying to use KeyCloak as an external OpenID Connect authentication server for our internal ArcGIS Portal. Everything is connection but when I login and get redirected back to ArcGIS Portal I always get this error:

Did not receive 'user profile' parameter from the provider.

It seems that ArcGIS Portal doesn't call the user info endpoint so how do I fix this?

Best regards
Jens Christiansen

Tags (2)
0 Kudos
5 Replies
Scott_Tansley
MVP Regular Contributor

So I'm not an expert on SAML2 and I've only worked with ADFS, OKTA and Azure AD.  That said the 'Required Information' (Configure a SAML-compliant identity provider with a portal—Portal for ArcGIS | Documentation for Arc...) for a SAML2 exchange between an IDp and ArcGIS Enterprise as a SP is quite light.  Only the NameID is really required, which is often in the form of the email address. 

Azure AD "just works" as the email is key to everything, but ADFS needs the admin to choose the right properties to send through configuration.  It may be that an incorrect property is being sent as the NameID.

That's probably as much as I've got on the subject, but take a look at what's being sent.  It sounds like Enteprise is expecting an email and getting something in another form like [domain\user].

 

Scott Tansley
https://www.linkedin.com/in/scotttansley/
0 Kudos
pocalipse
New Contributor III

Hi Scott

Thanks for you reply and the SAML2 link. 

However, I'm trying to use the OpenID Connect login but ArcGIS Portal just calls the authenticate endpoint and I login in the identity server and then is redirected back to ArcGIS Portal, just to get notified that user profile is missing.

The JWT returned in quite simple and I guess ArcGIS Portal should call the user info endpoint of my identity server to retrieve the information but it doesn't!

Best regards
Jens Christiansen

0 Kudos
essamadelali
New Contributor II

Hi @pocalipse, have you managed to solve this issue? I am having the same issue on ArcGIS Enterprise version 10.9.1 (2 HA portals + 2 Federated servers, one hosted server & the other is notebook server)

Note: "Send access token in the header" is On 

Any suggestion? 

0 Kudos
pocalipse
New Contributor III

Hi @essamadelali 

Unfortunately not! 
However, I currently have an open support issue with Esri and I'm hoping they will come back with a solution very soon. If and when they do I will gladly provide you the solution 🙂

0 Kudos
essamadelali
New Contributor II

Hi @pocalipse, have you received any updates from ESRI with regard to the support ticket you have opened?

This issue is driving me crazy, I have been testing on another environment, and it worked! details as follows.

The other environment is testing one (2 HA portals, but there are no federated servers), I have used the  exact same Keycloak configuration for both environments. However, in my production environment, which I have sent about it before (2 HA portals + 2 Federated servers, one hosted server & the other is notebook server) it does not work!

I have been trying to test and eliminate some doubts related to keycloak, trying to understand from where exactly the error stem from.

Keycloak side:

I have tried to connect to Keycloak APIs directly without any intervention from the portal, the results was good and eliminated the possibility of having issues related to request/response of keycloak (production).

I have tried to generate a token as follows:

curl -L -X POST 'https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<CLIENT_ID>' \
--data-urlencode 'client_secret=<CLIENT_SECRET>' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=<USERNAME>' \
--data-urlencode 'password=<MY_PASSWORD>' \
--data-urlencode 'scope=openid address web-origins roles email phone profile microprofile-jwt offline_access' \
--data-urlencode 'totp=<OTP_FROM_ANY_MOBILE_AUTHENTICATOR>'

It responded correctly with an access_token
then I used that access_token to call /userinfo API as follows:

curl -L -X GET 'https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/userinfo' \
-H 'Authorization: Bearer <GENERATED_TOKEN>'

It responded correctly with my user profile

Portal side:

I have traced the OpenID connect traffic there are 3 main requests as following:

First: Portal requests: oidc authorize >> set redirect url to keycloak to request the code

originator: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../authorize",
redirectURL: {
baseURL: "https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/auth?redire...",
redirect_uri: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../signin",
client_id: "<CLIENT_ID>",
scope: "openid address web-origins roles email phone profile microprofile-jwt offline_access",
response_type: "code",
state: "xxxxxxxxxxxxx"

Second: Keycloak requests: authenticate with user password or OTP >> set redirect url to portal with code, state & session_state

originator: "https://<KEYCLOAK_SERVER>/realms/.../login-actions/authenticate?session_code=xxxxxxxxxxxxxxxxxxxxxx&execution=xxxxxxxxxxxxxxxx&client_id=<CLIENT_ID>&tab_id=xxxxxx",
redirectURL: {
baseURL: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/...",
state: "xxxxxxxxxxxxxxxx",
session_state: "xxxxxxxxxxxxxxxx",
code: "xxxxxxxxxxxxxxxxxxxxxxx"
},
Third: Portal requests: oidc signin with code, state & session_state >> set redirect url to portal account switcher with access_token

originator: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../signin?state=xxxxxxxxxxxxxxx&session_state=xxxxxxxxxxxxxxx",
redirectURL: {
baseURL: "https://<PORTAL>/arcgis/home/accountswitcher-callback.html#access_token=XXXXXXXX"

This ☝ is the successful flow captured from the testing environment (2 HA portals). I have traced the production requests as well, and everything is being sent correctly redirect_uri, client_id, code, state, session_state, but Unfortunately the Third request does not return an access_token instead it returns the user profile error Did not receive 'user profile' parameter from the provider error

I don't know what's wrong with the production environment, is it because of the fact of having federated servers!

I believe I will open a support ticket as well!

--
Thanks, 
Essam