
It's time to update your ArcGIS Online SAML Single-Sign-On (SSO) certificate

08-28-2024 08:50 AM
CanserinaKurnia
Esri Regular Contributor

(Updated 8/18/2025)

ArcGIS Online Organization administrators who have enabled Signed and/or Encrypted Assertions in alignment with ArcGIS Online Best Practices for SAML Security need to obtain the new ArcGIS Online Service Provider metadata file and certificate and associate it with their SAML Identity Provider (e.g., Azure Active Directory Enterprise Applications with Token Encryption) before September 19, 2025; otherwise ArcGIS Online sign-ins with Enterprise (SAML) accounts will fail.

Follow the instructions in this blog article:  Action Required: ArcGIS Online SAML Customers

If you encounter an issue while updating the certificate and require additional help with troubleshooting, please reach out to Esri Technical Support.

 

(updated 8/30/2024)

Attention to ArcGIS Online Administrators

ArcGIS Online Organization administrators who have enabled Signed and/or Encrypted Assertions in alignment with ArcGIS Online Best Practices for SAML Security need to obtain the new ArcGIS Online Service Provider metadata file and certificate and associate it with their SAML Identity Provider.

The new ArcGIS Online certificate is available now. Please refer to this blog for step-by-step instructions: https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/action-required-arcgis-online-...

The current certificate is set to expire on September 24, 2024. This action to replace the certificate requires collaboration between the ArcGIS Online administrator and the SAML Identity Provider's IT administrator. If you are not the correct contact for this matter, please forward this email to your relevant IT personnel.

We strongly recommend taking immediate actions to prevent any disruption in using SAML (SSO) for accessing your ArcGIS Online organization. 

If you have not enabled Signed SAML Assertions within your ArcGIS Online organization (the setting that makes the organization use certificates), then there is no certificate on your side, and certificate rotation is not required. However, moving forward, to align with industry-standard best practices, we recommend that you use certificates.

Additionally, we recommend the following best practices for ArcGIS Online Administrators:

  • Have both an SSO admin account AND a built-in admin account. This way, if you experience issues logging in with SSO, you can still access your organization through www.arcgis.com using the built-in credentials.
  • Make sure the ArcGIS Online Administrative contacts are up to date in your ArcGIS Online (Settings > General) to continue receiving communications from Esri Customer Service. You can add multiple contacts.

If you encounter an issue while updating the certificate and require additional help with troubleshooting, please reach out to Esri Technical Support.
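The metadata file mentioned above is what you hand to your identity provider's IT team, and the questions that recur in the comments below (is the certificate in the file actually the new one, why are two certificates listed, why is the file empty of certificates, and what RSA key size the certificate carries) can all be answered by reading the file yourself before involving anyone else. The following script is an added example and is not Esri's code or part of the original post. It uses only the Python standard library: it pulls every `ds:X509Certificate` out of the `md:KeyDescriptor` elements of SAML SP metadata, decodes the DER certificate with a minimal ASN.1 walker (enough to reach `notAfter` and the RSA modulus; it does not verify signatures), and reports each certificate's expiry, key length and SHA-256 prefix together with any problems: expiry on or before a cutoff date you choose, a modulus shorter than a minimum you choose (3072 bits here, the value quoted from the DFN-AAI policy in the comments), and the same certificate listed twice. The sample metadata, the entityID `https://sp.example.test` and the unsigned test certificates it builds are constructed for this example; point it at your downloaded file with `python saml_sp_cert_check.py metadata.xml`.

```python
"""Inspect certificates in SAML SP metadata (added example, stdlib only)."""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


# ---- minimal DER reader: tag, length, value (single-byte tags only) ----
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_info(der):
    """Return (notAfter, rsa_modulus_bits) from a DER X.509 certificate."""
    _, cert_body, _ = _read_tlv(der, 0)
    fields = _children(_children(cert_body)[0][1])          # tbsCertificate fields
    if fields[0][0] == 0xA0:                                 # explicit [0] version (v3)
        fields = fields[1:]
    not_after = _parse_time(*_children(fields[3][1])[1])     # validity.notAfter
    bit_string = _children(fields[5][1])[1][1]               # subjectPublicKeyInfo.subjectPublicKey
    rsa_body = _children(bit_string[1:])[0][1]               # skip unused-bits byte, open RSAPublicKey
    modulus = int.from_bytes(_children(rsa_body)[0][1], "big")
    return not_after, modulus.bit_length()


def certs_from_metadata(xml_text):
    """List (use, der_bytes) for every X509Certificate under a KeyDescriptor."""
    root = ET.fromstring(xml_text)
    out = []
    for kd in root.iter(MD + "KeyDescriptor"):
        use = kd.get("use", "signing+encryption")            # absent 'use' means both
        for c in kd.iter(DS + "X509Certificate"):
            out.append((use, base64.b64decode("".join((c.text or "").split()))))
    return out


def check_metadata(xml_text, cutoff, min_bits=3072):
    """One dict per certificate: use, sha256 prefix, not_after, key_bits, problems."""
    report, seen = [], {}
    for use, der in certs_from_metadata(xml_text):
        not_after, bits = cert_info(der)
        fp = hashlib.sha256(der).hexdigest()[:16]
        problems = []
        if not_after <= cutoff:
            problems.append(f"expires {not_after:%Y-%m-%d}, not after cutoff {cutoff:%Y-%m-%d}: still the old certificate")
        if bits < min_bits:
            problems.append(f"RSA modulus {bits} bits < {min_bits}")
        if fp in seen:
            problems.append(f"same certificate as the '{seen[fp]}' KeyDescriptor")
        seen.setdefault(fp, use)
        report.append({"use": use, "sha256": fp, "not_after": not_after, "key_bits": bits, "problems": problems})
    return report


# ---- CONSTRUCTED test data: unsigned, structurally valid certificates ----
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | (n.bit_length() + 7) // 8]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + length + body


def _der_int(i):
    return _tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))   # keeps a leading 0x00 when needed


def fake_cert(not_after_utc, key_bits):
    """Minimal DER certificate carrying only a modulus of the requested size; no real key, no signature."""
    modulus = (1 << (key_bits - 1)) | 1                      # odd number with exactly key_bits bits
    rsa_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa_alg + _tlv(0x03, b"\x00" + _tlv(0x30, _der_int(modulus) + _der_int(65537))))
    name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, not_after_utc.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(1) + rsa_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + rsa_alg + _tlv(0x03, b"\x00"))


def sample_metadata():
    """Constructed SP metadata: a new 2048-bit signing cert and the old 4096-bit encryption cert."""
    new = base64.b64encode(fake_cert("250925000000Z", 2048)).decode()
    old = base64.b64encode(fake_cert("240924000000Z", 4096)).decode()
    return (f'<md:EntityDescriptor xmlns:md="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}" entityID="https://sp.example.test">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{new}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            f'<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{old}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_metadata()
    rows = check_metadata(text, datetime(2024, 9, 24, tzinfo=timezone.utc))
    if not rows:
        print("no X509Certificate in metadata: signed/encrypted assertions are off, nothing to rotate")
    for r in rows:
        print(f"{r['use']:<20} sha256={r['sha256']} notAfter={r['not_after']:%Y-%m-%d} rsa={r['key_bits']} {r['problems'] or 'OK'}")
```

An empty result means the file contains only the `EntityDescriptor` shell, which is exactly the "no certificate, nothing to rotate" case described above; two rows with the same SHA-256 prefix means the file lists one certificate twice rather than an old and a new one. The script reads structure only and does not validate the certificate chain or signature, so it complements, rather than replaces, whatever your IdP does on import.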

17 Comments
BrianCulpepper1
New Explorer

Hello,

I've downloaded our SAML cert metadata file, but the Expiry Date on the new .xml file (cert) is still set to Sept 24, 2024.   I attempted to 'update metadata' about a month ago, but esri hadn't released the new certificate yet... I downloaded a fresh .xml file today...    

 

Any ideas?

 

thanks very much!

Brian - University of Arkansas ArcGIS admin

CanserinaKurnia
Esri Regular Contributor

Hi Brian, 

Yes, please try again. There are two certificates in the metadata .xml file. One of them is the new one (I believe the first one listed in the metadata .xml file). Give it a try and let me know.

Cheers,
Canserina Kurnia

PatIampietro
Frequent Contributor

Hi Rina-

 

I downloaded our metadata.xml file but when viewed in a text editor it contains NO certificate info, only the md:EntityDescriptor section.

Before I get our IT folks involved I'd like to make sure I have the right file to give them. Is there something else I must do?

 

Thanks!

-pat

 

BrianCulpepper1
New Explorer

hi @CanserinaKurnia 

 

Yes, there were 2 certificates within today's metadata.xml file but they were both the same; both expiring 9/24/24.

 

best regards,

brian

University of Arkansas ArcGIS admin

CherylTrine
Frequent Contributor

I have the same issue--only the EntityDescriptor section.  That is not going to update a certificate!

CanserinaKurnia
Esri Regular Contributor

Brian,  

Can you share your metadata .xml so I can review?   ckurnia@esri.com

BrianBaldwin
Esri Regular Contributor

@BrianCulpepper1 , @PatIampietro , @CherylTrine - I just pulled down one of the metadata files for a test Org - and the valid date is listed at 'Sep 25 2025'.

If you need to - please test again - but it looks like it should be updated now.

(FYI - a site I used to test the cert: https://certlogik.com/decoder/)

CanserinaKurnia
Esri Regular Contributor

@PatIampietro and @CherylTrine and others,

If you don't see the certificate when you download the ArcGIS Online metadata file, that means your organization is not using signed or encrypted SAML assertions; therefore there is no certificate, and therefore certificate rotation is not required. However, we strongly recommend enabling Signed SAML Assertions within your ArcGIS Online organizations, which will utilize certificates (option in advanced settings when configuring SAML logins). It is an industry-standard best practice. Here is a link to Best Practices for SAML Security. The process requires the ArcGIS Online certificate (by enabling Signed SAML Assertions, the metadata.xml will contain the new certificate) and the identity system certificate. Please discuss this with your Identity IT team. They should be familiar with the practice of using certificates as a mechanism to trust the transaction between two systems.

Feel free to contact Esri technical support if you need an analyst to help you along the way to implement the use of certificates for your ArcGIS Online org. 

PatIampietro
Frequent Contributor

@CanserinaKurnia Thanks! Makes sense. I'll reach out to our IT Identity folks.

JimHobbs
New Explorer

Getting invalid token error when attempting to download the meta data???

BrianCulpepper1
New Explorer

Have the 2026 SAML Certificates (Metadata.xml) files been updated?

thanks very much,

brian

CanserinaKurnia
Esri Regular Contributor

Hi @BrianCulpepper1 

Not yet.  Coming soon though in 1-2 weeks from now.  I will let you know once the information is out.

Thanks for checking.

Canserina Kurnia

NicolasGIS
Honored Contributor

Hi @CanserinaKurnia ,

I have today 2 signing certificates and my system does not seem to like it:

[attached screenshot: NicolasGIS_0-1755510476720.png]

Is it expected? Is it the rolling way?

Thanks

CanserinaKurnia
Esri Regular Contributor

All,

The ArcGIS Online SAML Encryption & Signing Certificate was updated over the weekend.  Here is the blog article about it:  Action Required: ArcGIS Online SAML Customers.

I updated the above blog as well.   Pls contact Esri Tech Support if you encounter any problem.

(Note: @BrianCulpepper1 and @NicolasGIS )

JSMR
New Explorer

Hi @CanserinaKurnia,

We are currently unable to import the new certificates as they do not comply with the security requirements of our IDP. 

As IDP we use DFN-AAI. When we try to import the new encryption & signing certificate we encounter the following error:

"The key length (2048) for the certificate CN=saml-idp.arcgis.com, O=Environmental Systems Research Institute, Inc., L=Redlands, ST=California, C=US is too short. The expected minimum length is 3072 bits."

This is in accordance with the relevant documentation:
en:certificates [Dokumentation DFN-AAI, DFN-PKI und eduroam]

The new RSA keys issued by ESRI fail to meet current security recommendations set by the German Federal Office for Information Security (BSI):

Cryptographic Mechanisms: Recommendations and Key Lengths, Version 2025-01 (p. 30)

The current keys are 4096 bits in length.
Is there any reason why the new keys are shorter (2048) than the old ones?

We already contacted technical support but were referred here.

BrianBaldwin
Esri Regular Contributor

@JSMR - Thanks so much for reaching out about this. I let our internal 'AGOL' team know about this and they are working on it. Sorry that technical support referred you 'here' - not the best solution.

We will provide some updates ASAP.

BrianBaldwin
Esri Regular Contributor

@JSMR , @NicolasGIS , @BrianCulpepper1 - Just an FYI - you should have received this e-mail today:

The new ArcGIS Online Security Assertion Markup Language (SAML) signing and encryption certificate, released on August 18, 2025, contains an unintentional regression in key length. As a result, your identity provider (IDP) may no longer be able to discover or validate this certificate as previously expected.

To resolve this issue, we will be retiring the newly released certificate and providing a revised certificate on September 2, 2025 (Pacific time). If you have not yet applied the newly released certificate, please wait until the revised certificate is available.

If you applied the certificate released on August 18, you must revert to the previous certificate before September 3, 2025, to avoid disruption to your SAML authentication. If you are not able to take this action, please contact Esri Technical Support. After reversion, please be sure to apply the revised certificate by September 19, 2025.

If you have not updated the certificate, please be sure to apply the revised certificate on or after September 3, 2025, and no later than September 19, 2025, to continue using your enterprise IDP with your ArcGIS Online subscription.

If you have any questions, please contact Esri Technical Support.

About the Author
Canserina Kurnia is a GIS professional with over 25 years of experience. She currently holds the position of Senior Solution Engineer at Esri, at their headquarters in Redlands, California. Her main role is to provide technical advice and assistance to universities globally, in advancing their GIS technology for teaching and research.