Unable to Generate Tokens using SAML enterprise accounts

tigerwoulds · ‎05-06-2021

Running a Federated 1081 Enterprise deployment with Azure AD as our identity store.

I am unable to generate a token using our enterprise login credentials. Tested from https://webadaptor.domain.com/arcgis/sharing/rest/generateToken

But I get this error:

It does work if I use a built in account that isnt tied to our IDP. Any ideas why this happening?

Scott_Tansley · ‎03-30-2023

At 10.9.x or higher, you can login to the admin pages using SAML2. Before then the portal admin pages needed a built in user.

Scott Tansley
https://www.linkedin.com/in/scotttansley/

View solution in original post

ChristopherPawlyszyn · ‎05-07-2021

When using an external identity provider via either SAML or OpenID Connect, Portal for ArcGIS (as the service provider) has no connection to the user's credentials. The authentication process is handled by the return of the properties within the SAML assertion/response and mapped to appropriate values within the Portal user's profile. With that being the case, token generation at the Sharing/REST endpoint is not possible for those users and would need to be generated via the OAuth2 mechanism. I've attached a common workflow for the Python API that explains the process in a bit more detail.

Hope that helps!

User authentication with OAuth 2.0 | Working with different authentication schemes | ArcGIS API for Python

https://developers.arcgis.com/python/guide/working-with-different-authentication-schemes/

-- Chris Pawlyszyn

tigerwoulds · ‎05-07-2021

Okay thanks. What's interesting is that we do have another 1081 deployment with Azure AD as our IDP - and I can generate tokens using enterprise accounts.

Carlos_ArturoSarmiento_Royero · ‎09-23-2021

Hello friend, were you able to solve the problem? I have the same problem.

tigerwoulds · ‎09-24-2021

Unfortunately no. Here is my original problem that prompted this question. We were trying to generate a token to authenticate into a Web AppBuilder app. This did not work without using OAuth instead of generate token. Maybe this might help:

Re: WebApp Builder on IIS - Login only works with ... - Esri Community

Carlos_ArturoSarmiento_Royero · ‎09-24-2021

Thanks for your answer. Is it possible to somehow inject credentials through oauth so that the user does not have to authenticate through a page?

tigerwoulds · ‎09-24-2021

Other than making the app, map, and services public no. Depending on what you're doing, I've seen folks use a proxy file on a websever to bypass the login.

Proxy pages with the API | ArcGIS API for JavaScript

julian_svcs · ‎10-28-2021

I was able to implement the OAuth connection using the client_id. Is there a way to do this in an automated standalone python file (possibly through REST calls) which is seemless and does not require me to enter the OAuth2 approval code?

I want to be able to connect to multiple Portals via a script tool within a Toolbox.

MichaelNüßlein · ‎03-30-2023

Hi Julian,

your post is a little bit old in the meantime, still i want to ask if you have a solution for your problem? Because i have the same problem

julian_svcs · ‎03-30-2023

Hi @MichaelNüßlein. Unfortunately not if you are using enterprise logins through SAML. The automation only works if you use a built in Portal account.