
AGOL: OIDC username not consistent with SAML username

11-18-2024 10:41 PM
NicolasGIS
Honored Contributor

Hello,

Now that group membership has been enabled on AGOL for OIDC providers, we would like to switch our authentication provider from SAML to OIDC.

But I noticed a difference of behavior between SAML and OIDC providers which is a bit confusing.

Let's say my organization username is "guineapig" and my organization name is "MYORG" (i.e. the AGOL URL is https://MYORG.maps.arcgis.com).

Currently, if I log in with SAML, my AGOL username will be "guineapig_MYORG" which is fine.

But if I log in with OIDC, my AGOL username will simply be "guineapig4". As you can see, an integer was appended because "guineapig" already exists in AGOL as a built-in account, so my username is mapped to "guineapig4" instead of "guineapig" or "guineapig_MYORG".

I would prefer the SAML way of adding the organization suffix to make it unique. I looked everywhere and it does not seem to be configurable. But why is there this difference of behavior?

Is that a BUG or a feature? I am confused.

Thanks,

Nicolas

5 Replies
CMV_Erik
Frequent Contributor

I think it may be a bug that affects SAML as well. I tried to add a number of users today using a CSV file and it seemed to work. They reported they couldn't log in, so I went back and looked and most of the username was missing. Tried again and saw numbers appended to all user accounts, and there was no way to change them. I was able to add the user manually, but that's the first time I've needed to in years.

This is the first time I've attempted to add a user since the upgrade last week, so I assume this is a bug introduced by the upgrade.

EDIT: I opened a ticket and support alluded to a new bug affecting multiple users, but I didn't get the specifics.

My own problem was resolved by changing the field names to the latest template. All I'm sure of is that something just changed in the process that creates new users...

NicolasGIS
Honored Contributor

Hmm strange indeed.

My issue was mainly with OIDC on my side.

For SAML, it is documented that the organization short name is appended on AGOL:

"All organization-specific usernames in ArcGIS Online have the organization short name appended to the end"

https://enterprise.arcgis.com/en/portal/latest/administer/windows/configuring-a-saml-compliant-ident...

Strangely, I was not able to find this piece of information in the AGOL documentation, but only in the ArcGIS Enterprise documentation, which states that it is possible to do the same thanks to the "defaultIDPUsernameSuffix" property.

But I wonder why it is not the case with OIDC. What is the logic behind it?

RajkumarPadmanabhan
Esri Contributor

@NicolasGIS Do you just desire the username formats to look similar, or are you hoping to reuse the same account when migrating from SAML to OIDC (in order to avoid the need to transfer data/roles/etc.)?

NicolasGIS
Honored Contributor

@RajkumarPadmanabhan, do you now understand the issue and the difference of behavior? Any logical explanation for it? We have just had a fresh AGOL instance created in Europe for privacy reasons and would like to start on a good foot with OIDC, but we can't because of this.

Users will wonder "why am I `alastname7823`?" So we are considering going back to SAML as IdP, which would be a step backward. On ArcGIS Enterprise, we do not have this issue of course.

Any recommendations? Should an Idea be created? A support case?

Thanks

NicolasGIS
Honored Contributor

Thanks for your reply @RajkumarPadmanabhan. I would like the same username format. It is not an issue about migrating from SAML to OIDC. Do you see what I mean? Did I miss anything documentation-wise? Thanks
