Hello,
I am getting this error when using SAML with ADFS. The apps that are deployed on the web server fail when using SAML, but the Collector App and Explorer App do not.
My thoughts are ranging from 1) the server is stripping variables required to pass the info, 2) there is actually an issue with the SAML response, to 3) what tools should I use to debug this? Since Collector and Explorer work, I am thinking it is related to the web server.
Are there any logs that AGOL provides which could shed light on the issue?
Richard,
There are various browser plugins you can use to view the SAML response coming back from ADFS to ensure the nameID parameter is indeed being passed and looks correct.
For Chrome, I recommend SAML Message Decoder (SAML Message Decoder - Chrome Web Store), for Firefox, SAML Tracer (SAML-tracer – Get this Extension for Firefox (en-US)).
Are you using encrypted assertions in ADFS? If so then these tools won't really help as the assertion will be unreadable. If possible, turn off encrypted assertions for the relying party set up for your AGOL organization in ADFS and test signing in again. If it works then it could be an issue with the encryption (or likely the decryption on the AGOL side).
-Danny
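The browser plugins above do the decoding for you; the same check can be scripted when you only have the raw `SAMLResponse` form field (for instance from a HAR export). The following is an added example, not code from the thread or from Esri or Microsoft: it decodes a SAML message from either the HTTP-POST binding (plain base64) or the HTTP-Redirect binding (DEFLATE plus base64), then reports the status code, whether the assertion is encrypted (in which case the NameID is unreadable, as Danny notes), whether the response or assertion carries an XML signature, and the NameID value and format. The sample response, its issuer URL and the NameID are constructed values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_message(b64: str) -> str:
    """Return the XML text of a SAMLResponse/SAMLRequest form or query value.

    HTTP-POST carries base64 of the XML itself; HTTP-Redirect carries base64 of
    a raw DEFLATE stream. A single-block DEFLATE stream cannot begin with '<',
    so the first byte is enough to tell the two bindings apart."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def inspect_response(xml_text: str) -> dict:
    """Summarise the parts of a samlp:Response a troubleshooter looks at first."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "status": status.get("Value") if status is not None else None,
        # An encrypted assertion shows up as saml:EncryptedAssertion and the
        # NameID inside it cannot be read without the SP's private key.
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
    }


def summarize(b64: str) -> dict:
    return inspect_response(decode_saml_message(b64))


# --- constructed sample data (not a real ADFS capture) -----------------------
def build_response(body: str) -> str:
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" '
        'Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
        "<saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
        "</samlp:Status>" + body + "</samlp:Response>"
    )


PLAIN_ASSERTION = (
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    "<saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>"
    "<saml:Subject>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    "richard@example.com</saml:NameID></saml:Subject></saml:Assertion>"
)
# Ciphertext body elided; only the element structure matters for the check.
ENCRYPTED_ASSERTION = (
    "<saml:EncryptedAssertion>"
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    "</saml:EncryptedAssertion>"
)


def deflate_b64(xml_text: str) -> str:
    """Encode XML the way the HTTP-Redirect binding does (raw DEFLATE, base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


SAMPLE_POST_B64 = base64.b64encode(build_response(PLAIN_ASSERTION).encode()).decode()
SAMPLE_ENCRYPTED_B64 = base64.b64encode(build_response(ENCRYPTED_ASSERTION).encode()).decode()
SAMPLE_REDIRECT_B64 = deflate_b64(build_response(PLAIN_ASSERTION))

if __name__ == "__main__":
    for label, sample in (("post", SAMPLE_POST_B64), ("encrypted", SAMPLE_ENCRYPTED_B64)):
        print(label, summarize(sample))
```

Run it against a captured value with `summarize(open("samlresponse.b64").read().strip())`; an `encrypted_assertion` of `True` with `name_id` of `None` is exactly the situation where the plugins cannot help and the assertion has to be decrypted by the service provider.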
Hi Daniel,
I have changed jobs/companies and am not working with this issue anymore. If I get back onto the SAML and ADFS road I will post again.
Thanks!
I had this issue, but only when I try to enable signed requests in the Identity Provider configuration in the ArcGIS Enterprise security settings. Checking the "Sign using SHA256" option seems to make no difference.
What I have discovered is that you need to configure these settings in ArcGIS Enterprise before getting the metadata to be used when configuring the Relying Party Trust in the Identity Provider Service. Otherwise the metadata is missing the certificate information needed to handle the signed requests. If you have the Relying Party's federation metadata URL configured in the trust properties, you can "Update from Federation metadata..." after making changes to the ArcGIS Enterprise settings. You may need to replace the token in the URL with a fresh one.
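The failure described in this post is visible in the service provider metadata itself: if `AuthnRequestsSigned="true"` is set but the `SPSSODescriptor` publishes no signing `KeyDescriptor`, the identity provider has no certificate to verify signed requests with. The following added example (not Esri's or Microsoft's code, and not from this thread) parses a saved copy of the SP metadata and flags that mismatch; the entity ID, endpoint and certificate text in the constructed samples are placeholders. A `KeyDescriptor` without a `use` attribute counts as a signing key, since the SAML metadata specification treats such keys as valid for both signing and encryption.

```python
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_sp_metadata(xml_text: str) -> dict:
    """Check that SP metadata is consistent with its own signing settings."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        return {"ok": False, "issues": ["no md:SPSSODescriptor in metadata"]}

    wants_signed = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    signing_certs = []
    for kd in sp.findall("md:KeyDescriptor", MD_NS):
        # A missing 'use' attribute means the key applies to both purposes.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS):
                signing_certs.append((cert.text or "").strip())

    issues = []
    if wants_signed and not signing_certs:
        issues.append(
            "AuthnRequestsSigned=true but no signing certificate is published; "
            "re-export the metadata after enabling signed requests and refresh "
            "the relying party trust from it"
        )
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": wants_signed,
        "signing_cert_count": len(signing_certs),
        "issues": issues,
        "ok": not issues,
    }


# --- constructed sample metadata (placeholder values, not a real export) ------
def build_sp_metadata(sign_requests: bool, include_cert: bool) -> str:
    key = (
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        if include_cert
        else ""
    )
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://portal.example.com/sp">'
        '<md:SPSSODescriptor AuthnRequestsSigned="%s" '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        "%s"
        '<md:AssertionConsumerService index="0" '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://portal.example.com/sp/acs"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    ) % ("true" if sign_requests else "false", key)


# Metadata exported before signed requests were enabled, then the setting
# flipped on: the IdP still holds a copy with no signing certificate.
STALE_METADATA = build_sp_metadata(sign_requests=True, include_cert=False)
# Metadata re-exported after the change, which the IdP should be updated from.
FRESH_METADATA = build_sp_metadata(sign_requests=True, include_cert=True)

if __name__ == "__main__":
    print("stale:", check_sp_metadata(STALE_METADATA))
    print("fresh:", check_sp_metadata(FRESH_METADATA))
```

Running it on the copy the IdP actually imported (rather than on a fresh export) is what reveals the stale-trust problem; once "Update from Federation metadata..." has been run, the imported copy and the fresh export should both pass.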