Unable to Generate Tokens using SAML enterprise accounts

1347
7
05-06-2021 06:48 PM
TigerWoulds
Occasional Contributor III

Running a Federated 1081 Enterprise deployment with Azure AD as our identity store. 

I am unable to generate a token using our enterprise login credentials. Tested from https://webadaptor.domain.com/arcgis/sharing/rest/generateToken

But I get this error:

TigerWoulds_0-1620351958762.png

It does work if I use a built in account that isnt tied to our IDP. Any ideas why this happening?

0 Kudos
7 Replies
ChristopherPawlyszyn
Esri Contributor

When using an external identity provider via either SAML or OpenID Connect, Portal for ArcGIS (as the service provider) has no connection to the user's credentials. The authentication process is handled by the return of the properties within the SAML assertion/response and mapped to appropriate values within the Portal user's profile. With that being the case, token generation at the Sharing/REST endpoint is not possible for those users and would need to be generated via the OAuth2 mechanism. I've attached a common workflow for the Python API that explains the process in a bit more detail.

Hope that helps!

 

User authentication with OAuth 2.0 | Working with different authentication schemes | ArcGIS API for Python

https://developers.arcgis.com/python/guide/working-with-different-authentication-schemes/

0 Kudos
TigerWoulds
Occasional Contributor III

Okay thanks. What's interesting is that we do have another 1081 deployment with Azure AD as our IDP - and I can generate tokens using enterprise accounts. 

0 Kudos
Carlos_ArturoSarmiento_Royero
New Contributor II

Hello friend, were you able to solve the problem? I have the same problem.

0 Kudos
TigerWoulds
Occasional Contributor III

Unfortunately no. Here is my original problem that prompted this question. We were trying to generate a token to authenticate into a Web AppBuilder app. This did not work without using OAuth instead of generate token. Maybe this might help:

Re: WebApp Builder on IIS - Login only works with ... - Esri Community

0 Kudos
Carlos_ArturoSarmiento_Royero
New Contributor II

Thanks for your answer. Is it possible to somehow inject credentials through oauth so that the user does not have to authenticate through a page?

0 Kudos
TigerWoulds
Occasional Contributor III

Other than making the app, map, and services public no. Depending on what you're doing, I've seen folks use a proxy file on a websever to bypass the login. 

Proxy pages with the API | ArcGIS API for JavaScript

0 Kudos
julian_svcs
New Contributor III

I was able to implement the OAuth connection using the client_id. Is there a way to do this in an automated standalone python file (possibly through REST calls) which is seemless and does not require me to enter the OAuth2 approval code?

I want to be able to connect to multiple Portals via a script tool within a Toolbox.

0 Kudos