Unable to login using Idp Error parsing 'NAME_ID' from SAML Response

01-17-2014 03:33 AM
DustinMobley
New Contributor
Trying to configure Enterprise logins for our enterprise using ADFS and getting the following error when trying to login using Enterprise login.
Unable to login using Idp Error parsing 'NAME_ID' from SAML response.
Anyone else ever see this?
by Anonymous User
Not applicable
Does the NAMEID attribute in ADFS map to something with special characters?
E.g. SAM account is andr!

The NameID parameter is used to construct the account name in the system.

Cheers,
Andrew
DavidCrosby
Esri Contributor
Have you created an outgoing claim map for NameID?  You might want to confirm that you have created an outgoing LDAP claim map from UPN or SAM Account Name to NameID.  See this link for an example:

http://resources.arcgis.com/en/help/arcgisonline/index.html#/Configure_Active_Directory_Federation_S...
RichardHughes2
Occasional Contributor III

Hello,

I am getting this error when using SAML with ADFS.  The apps that are deployed on the web server fail when using SAML, but the Collector App and Explorer App do not.

My thoughts are ranging from 1) the server is stripping variables required to pass the info, 2) there is actually an issue with the SAML response, to 3) what tools should I use to debug this?  Since Collector and Explorer work, I am thinking it is related to the web server.

Are there any logs that AGOL provides which could shed light on the issue? 

DanielUrbach
Occasional Contributor II

Richard,

There are various browser plugins you can use to view the SAML response coming back from ADFS to ensure the nameID parameter is indeed being passed and looks correct.

For Chrome, I recommend SAML Message Decoder (SAML Message Decoder - Chrome Web Store); for Firefox, SAML Tracer (SAML-tracer – Get this Extension for Firefox (en-US)).

Are you using encrypted assertions in ADFS?  If so then these tools won't really help as the assertion will be unreadable.  If possible, turn off encrypted assertions for the relying party set up for your AGOL organization in ADFS and test signing in again.  If it works then it could be an issue with the encryption (or likely the decryption on the AGOL side).

-Danny

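Once a decoder plugin has given you the base64-decoded SAMLResponse XML, the checks Andrew and Danny describe (is there a Subject/NameID at all, does it carry special characters, is the assertion encrypted and therefore unreadable) can be scripted. The following is an added example, not Esri's or ADFS's tooling; `sample_response` builds constructed, unsigned responses purely for testing, and the set of "suspicious" characters is an assumption, not an Esri-documented rule.

```python
import xml.etree.ElementTree as ET  # production tooling should prefer defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed set of characters a NameID used to build an account name should not carry.
SUSPICIOUS = set('!"#$%&\'()*+,/:;<=>?[\\]^`{|}')


def sample_response(name_id=None, encrypted=False):
    """Build a minimal, constructed (unsigned) SAML Response for testing."""
    if encrypted:
        body = "<saml:EncryptedAssertion/>"
    elif name_id is None:
        body = "<saml:Assertion><saml:Subject/></saml:Assertion>"
    else:
        body = ("<saml:Assertion><saml:Subject><saml:NameID "
                'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
                f"{name_id}</saml:NameID></saml:Subject></saml:Assertion>")
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" Version="2.0">{body}</samlp:Response>')


def inspect_name_id(response_xml):
    """Report whether Subject/NameID is present and usable as an account name."""
    root = ET.fromstring(response_xml)
    report = {"encrypted": False, "name_id": None, "format": None, "issues": []}
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # Decoder plugins cannot show NameID here; test with encryption disabled.
        report["encrypted"] = True
        report["issues"].append("assertion is encrypted; NameID cannot be inspected")
        return report
    elem = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if elem is None:
        report["issues"].append("no Subject/NameID element; check the outgoing NameID claim rule")
        return report
    value = (elem.text or "").strip()
    report["name_id"], report["format"] = value, elem.get("Format")
    if not value:
        report["issues"].append("NameID element is empty")
    bad = sorted({c for c in value if c in SUSPICIOUS})
    if bad:
        report["issues"].append("NameID contains special characters: " + "".join(bad))
    return report


if __name__ == "__main__":
    for case in (sample_response("jdoe@example.com"), sample_response("andr!"),
                 sample_response(None), sample_response(encrypted=True)):
        print(inspect_name_id(case))
```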
RichardHughes2
Occasional Contributor III

Hi Daniel,

I have changed jobs/companies and am not working with this issue anymore.  If I get back onto the SAML and ADFS road I will post again.

Thanks!

BillLeddy
New Contributor II

I had this issue, but only when I try to enable signed requests in the Identity Provider configuration in the ArcGIS Enterprise security settings.  Checking the "Sign using SHA256" option seems to make no difference.


What I have discovered is that you need to configure these settings in ArcGIS enterprise before getting the metadata to be used when configuring the Relying Party Trust in the Identity Provider Service.  Otherwise the metadata is missing the certificate information needed to handle the signed requests.   If you have the Relying party's federation metadata URL configured in the trust properties, you can "Update from Federation metadata..." after making changes to the ArcGIS Enterprise settings.  You may need to replace the token in the URL with a fresh one.
