SAML reply-url error after 10.9 upgrade

07-11-2021 07:22 PM
AndrewRitchie
New Contributor III

Hi all,

We've just upgraded from Enterprise 10.8.1 to 10.9. Everything is working fine, except that we're getting an error when trying to log in using Azure AD/SAML authentication, which had previously worked fine.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'XXX.XXX.XXX.portal'.

Using Chrome Dev tools, I can see the reply-url being passed is:

/portal/home/accountswitcher-callback.html

However, the only reply-url we have set up, and that I can find a documented reference to, is:

/portal/sharing/rest/oauth2/saml/signin

I've asked our Azure admins to add a second reply-url, which I'm assuming will resolve the problem, but just wanted to document our issue in case others experience the same, or in case someone can show me where I've missed instructions 🙂

2 Replies
ChristopherPawlyszyn
Esri Contributor

Is the behavior present when initiating sign-in from the identity provider (button in AzureAD enterprise applications) or service provider (accessing sign-on page from Portal and being redirected to the IDP)?

 

I haven't seen this particular behavior previously, but do remember there was some inconsistent information on an Azure tutorial for ArcGIS Online/Enterprise logins and the IDP-initiated sign-on endpoint.


-- Chris Pawlyszyn
AndrewRitchie
New Contributor III

Coming back to update this - I don't know what the problem was in the end.

But I ended up uninstalling and reinstalling the web adaptor, and it was happy again straight away.
