
Unable to Generate Tokens using SAML enterprise accounts

05-06-2021 06:48 PM
tigerwoulds
Frequent Contributor

Running a Federated 1081 Enterprise deployment with Azure AD as our identity store. 

I am unable to generate a token using our enterprise login credentials. Tested from https://webadaptor.domain.com/arcgis/sharing/rest/generateToken

But I get this error:

TigerWoulds_0-1620351958762.png

It does work if I use a built-in account that isn't tied to our IDP. Any ideas why this is happening?

15 Replies
Scott_Tansley
MVP Regular Contributor

At 10.9.x or higher, you can log in to the admin pages using SAML2. Before then the portal admin pages needed a built-in user.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
MichaelNüßlein
Occasional Contributor

Dear Scott,

Thank you for your response. We are working with 10.9.1 and our manual SAML login works well. But I want to use the SAML login within a script on Linux to automatically test the validity of the SAML sign-in certificate.

0 Kudos
Scott_Tansley
MVP Regular Contributor

I'm not a Python expert, but I would imagine you would need to find a set of libraries for supporting SAML2 due to the many interactions. I'm not sure I've come across this use-case before. Typically scripts, because they are not human, use an OAuth (ArcGIS Token) account. Note that SAML2 largely represents human users.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
julian_svcs
Frequent Contributor

@MichaelNüßlein, you may have seen this already, but here are all the options on how to connect using different authentication schemes:

https://developers.arcgis.com/python/guide/working-with-different-authentication-schemes/

AndresCastillo
MVP Regular Contributor

I was trying to log in to a SAML account via the arcpy SignInToPortal GP tool, but it is not supported:
https://community.esri.com/t5/arcgis-pro-ideas/support-for-enterprise-login-in-arcpy/idi-p/1015426

"We won't be able to support SAML logins because they can use different identity providers (PKI or IWA). The workaround already mentioned works—start ArcGIS Pro, sign in manually, and select the 'sign me in automatically' button"

Also, I tried authenticating directly to the SAML account with the generateToken API, which is called by arcpy SignInToPortal under the hood, but that is also not supported:

https://support.esri.com/en-us/knowledge-base/problem-unable-to-generate-tokens-using-arcgis-enterpr...

"This issue is by design. It is not possible to allow token-based security with SAML-authenticated accounts without undermining the security provided by the SAML identity provider."

0 Kudos