Unable to Generate Tokens using SAML enterprise accounts

05-06-2021 06:48 PM
Occasional Contributor II

Running a Federated 1081 Enterprise deployment with Azure AD as our identity store. 

I am unable to generate a token using our enterprise login credentials. Tested from https://webadaptor.domain.com/arcgis/sharing/rest/generateToken

But I get this error:


It does work if I use a built-in account that isn't tied to our IDP. Any ideas why this is happening?

Esri Contributor

When using an external identity provider via either SAML or OpenID Connect, Portal for ArcGIS (as the service provider) has no connection to the user's credentials. The authentication process is handled by the return of the properties within the SAML assertion/response and mapped to appropriate values within the Portal user's profile. With that being the case, token generation at the Sharing/REST endpoint is not possible for those users and would need to be generated via the OAuth2 mechanism. I've attached a common workflow for the Python API that explains the process in a bit more detail.

Hope that helps!


User authentication with OAuth 2.0 | Working with different authentication schemes | ArcGIS API for Python
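As an added example (not Esri's code and not from this thread), here is the OAuth2 authorization-code flow the reply above describes, written in Python with only the standard library. The portal URL, client_id and redirect URI are placeholders you would replace with your own, the OAuth2 paths follow the documented ArcGIS REST layout (`/sharing/rest/oauth2/authorize` and `/sharing/rest/oauth2/token`), and the PKCE parameters are assumed to be accepted by the portal version in use (drop them if it rejects them). The point it illustrates is that the user's Azure AD password never passes through the script: the browser is sent to the portal, the portal redirects to the IdP, and the script only ever sees an authorization code and the resulting token.

```python
"""
Added example, not part of the original thread or the ArcGIS API for Python.
OAuth2 authorization-code flow for a SAML/OIDC-backed portal user, which
replaces /sharing/rest/generateToken for those accounts.

Assumptions (placeholders, not values from the thread):
  PORTAL_URL, CLIENT_ID and REDIRECT_URI below; PKCE support on the portal.
Nothing is contacted unless exchange_code_for_token() is actually called.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

PORTAL_URL = "https://webadaptor.domain.com/arcgis"   # placeholder portal base URL
CLIENT_ID = "REPLACE_WITH_REGISTERED_APP_ID"          # placeholder: app item registered in the portal
REDIRECT_URI = "https://app.example.com/callback"     # placeholder: must match the registered app


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """True if the challenge is the S256 transform of the verifier (server-side check)."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == challenge


def build_authorize_url(portal_url, client_id, redirect_uri, state, code_challenge):
    """URL the user opens in a browser. The portal itself redirects to the SAML IdP,
    so the enterprise credentials are entered at the IdP, never in this script."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,                     # random value; checked on the way back
        "code_challenge": code_challenge,   # PKCE (assumed supported by the portal)
        "code_challenge_method": "S256",
    }
    return f"{portal_url.rstrip('/')}/sharing/rest/oauth2/authorize?" + urllib.parse.urlencode(params)


def parse_callback(redirect_url, expected_state):
    """Extract the authorization code from the redirect back to REDIRECT_URI.
    A state mismatch means the callback was not produced by our request: discard it."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; discarding callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def parse_token_response(body):
    """ArcGIS reports failures as HTTP 200 with an 'error' object in the JSON body,
    so the body is what must be checked, not the status code."""
    payload = json.loads(body)
    if "error" in payload:
        err = payload["error"]
        raise RuntimeError(f"token request failed: {err.get('code')} {err.get('message')}")
    if "access_token" not in payload:
        raise RuntimeError("token response has no access_token")
    return payload


def exchange_code_for_token(portal_url, client_id, code, redirect_uri, code_verifier):
    """Swap the one-time code (plus PKCE verifier) for an access token. Network call."""
    data = urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "f": "json",
    }).encode()
    req = urllib.request.Request(f"{portal_url.rstrip('/')}/sharing/rest/oauth2/token",
                                 data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("Open this in a browser and sign in at the IdP:")
    print(build_authorize_url(PORTAL_URL, CLIENT_ID, REDIRECT_URI, state, challenge))
    # After sign-in, pass the full redirect URL to parse_callback(url, state) and
    # the code to exchange_code_for_token(...); the token then goes in the usual
    # "token" parameter of Sharing/REST requests.
```

If you are using the ArcGIS API for Python, `GIS(PORTAL_URL, client_id=CLIENT_ID)` drives the same flow for you; the script above is only there to make visible what happens underneath, and why `generateToken` has nothing to check against for a federated user.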


Occasional Contributor II

Okay thanks. What's interesting is that we do have another 1081 deployment with Azure AD as our IDP - and I can generate tokens using enterprise accounts. 

