
It's time to update your ArcGIS Online SAML Single-Sign-On (SSO) certificate

08-28-2024 08:50 AM
CanserinaKurnia
Esri Regular Contributor

(updated 8/30/2024)

Attention ArcGIS Online Administrators

ArcGIS Online organization administrators who have enabled Signed and/or Encrypted Assertions in alignment with ArcGIS Online Best Practices for SAML Security need to obtain the new ArcGIS Online Service Provider metadata file and certificate and associate it with their SAML Identity Provider.

The new ArcGIS Online certificate is available now. Please refer to this blog for step-by-step instructions: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/action-required-arcgis-online-...

The current certificate is set to expire on September 24, 2024. This action to replace the certificate requires collaboration between the ArcGIS Online administrator and the SAML Identity Provider's IT administrator. If you are not the correct contact for this matter, please forward this email to your relevant IT personnel.

We strongly recommend taking immediate action to prevent any disruption in using SAML (SSO) for accessing your ArcGIS Online organization.

If you have not enabled Signed SAML Assertions (which rely on certificates) within your ArcGIS Online organization, then you do not have a certificate, so certificate rotation is not required. However, moving forward, to align with industry-standard best practices, we recommend that you use certificates.

Additionally, we recommend the following best practices for ArcGIS Online Administrators:

  • Have both an SSO admin account AND a built-in admin account. This way, if you experience issues logging in with SSO, you can still access your account through www.arcgis.com using the built-in credentials.
  • Make sure the ArcGIS Online Administrative contacts are up to date in your ArcGIS Online (Settings > General) to continue receiving communications from Esri Customer Service. You can add multiple contacts.

If you encounter an issue while updating the certificate and require additional help with troubleshooting, please reach out to Esri Technical Support.

10 Comments
BrianCulpepper1
New Explorer

Hello,

I've downloaded our SAML cert metadata file, but the Expiry Date on the new .xml file (cert) is still set to Sept 24, 2024. I attempted to 'update metadata' about a month ago, but Esri hadn't released the new certificate yet... I downloaded a fresh .xml file today...

 

Any ideas?

 

thanks very much!

Brian - University of Arkansas ArcGIS admin

CanserinaKurnia
Esri Regular Contributor

Hi Brian, 

Yes, please try again. There are two certificates in the metadata .xml file. One of them is the new one (I believe the first one listed in the metadata .xml file). Give it a try and let me know.

Cheers,
Canserina Kurnia

PatIampietro
Frequent Contributor

Hi Rina-

 

I downloaded our metadata.xml file but when viewed in a text editor it contains NO certificate info, only the md:EntityDescriptor section.

Before I get our IT folks involved I'd like to make sure I have the right file to give them. Is there something else I must do?

 

Thanks!

-pat

 

BrianCulpepper1
New Explorer

hi @CanserinaKurnia 

 

Yes, there were 2 certificates within today's metadata.xml file but they were both the same; both expiring 9/24/24.

 

best regards,

brian

University of Arkansas ArcGIS admin

CherylTrine
Frequent Contributor

I have the same issue--only the EntityDescriptor section.  That is not going to update a certificate!

CanserinaKurnia
Esri Regular Contributor

Brian,  

Can you share your metadata .xml so I can review?   ckurnia@esri.com

BrianBaldwin
Esri Regular Contributor

@BrianCulpepper1 , @PatIampietro , @CherylTrine - I just pulled down one of the metadata files for a test Org - and the valid date is listed at 'Sep 25 2025'.

If you need to - please test again - but it looks like it should be updated now.

(FYI - a site I used to test the cert: https://certlogik.com/decoder/)

CanserinaKurnia
Esri Regular Contributor

@PatIampietro and @CherylTrine and others,

If you don’t see the certificate when you download the ArcGIS Online metadata file, that means your organization is not using signed or encrypted SAML assertions; therefore there is no certificate, and therefore certificate rotation is not required. However, we strongly recommend enabling Signed SAML Assertions within your ArcGIS Online organizations, which will utilize certificates (an option in the advanced settings when configuring SAML logins). It is an industry-standard best practice. Here is a link to Best Practices for SAML Security. The process requires the ArcGIS Online certificate (by enabling Signed SAML Assertions, the metadata.xml will contain the new certificate) and the identity system certificate. Please discuss this with your Identity IT team. They should be familiar with the practice of using certificates as a mechanism to trust the transaction between two systems.

Feel free to contact Esri technical support if you need an analyst to help you along the way to implement the use of certificates for your ArcGIS Online org. 
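
Added example, not part of the thread and not Esri code: a local, standard-library Python check that lists each `KeyDescriptor` certificate in a downloaded service provider metadata file with its expiry date, covering both cases discussed above (two certificates in one file, and a file with only `EntityDescriptor` content and no certificate). The function names and the `sample_metadata` input are constructed for illustration; the sample holds skeleton DER with only the fields the parser reads, using the two expiry dates mentioned on this page.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def tlv(buf, pos):  # returns (tag, body_start, body_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return the notAfter date of a DER X.509 certificate (UTC)."""
    _, pos, _ = tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)          # TBSCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    pos = end if tag == 0xA0 else pos  # skip optional [0] version
    for _ in range(3):                 # serialNumber, signature, issuer
        _, _, pos = tlv(der, pos)
    _, pos, _ = tlv(der, pos)          # Validity SEQUENCE
    _, _, pos = tlv(der, pos)          # skip notBefore
    tag, start, end = tlv(der, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def metadata_cert_expiries(xml_text):
    """(use, notAfter) per certificate; [] means the metadata has no KeyDescriptor."""
    root = ET.fromstring(xml_text)
    return [(kd.get("use", "signing+encryption"), not_after(base64.b64decode(c.text)))
            for kd in root.iter(MD + "KeyDescriptor") for c in kd.iter(DS + "X509Certificate")]

def sample_metadata(certs):
    """Constructed sample: skeleton DER holding only the fields not_after() reads."""
    t = lambda tag, body: bytes([tag, len(body)]) + body
    kds = ""
    for use, expiry in certs:
        validity = t(0x30, t(0x17, b"230925000000Z") + t(0x17, expiry))
        tbs = t(0x30, t(0xA0, t(2, b"\x02")) + t(2, b"\x01") + t(0x30, b"") * 2 + validity)
        kds += (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                f'{base64.b64encode(t(0x30, tbs)).decode()}'
                '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return (f'<md:EntityDescriptor xmlns:md="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}" '
            f'entityID="sample.example"><md:SPSSODescriptor>{kds}</md:SPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    demo = sample_metadata([("signing", b"240924000000Z"), ("encryption", b"250925000000Z")])
    print([(u, e.date().isoformat(), e < datetime.now(timezone.utc)) for u, e in metadata_cert_expiries(demo)])
```

For a real file, pass its text to `metadata_cert_expiries`; an empty list corresponds to the case described above where signed or encrypted assertions are not enabled.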

PatIampietro
Frequent Contributor

@CanserinaKurnia Thanks! Makes sense. I'll reach out to our IT Identity folks.

JimHobbs
New Explorer

Getting invalid token error when attempting to download the meta data???

About the Author
Canserina Kurnia is a GIS professional with over 20 years of experience. She currently holds the position of Senior Solution Engineer at Esri, at its headquarters in Redlands, California. Her main role is to provide technical advice and assistance to universities globally in advancing their GIS technology for teaching and research.