Support for OAuth2 login workflow (Enterprise Logins with SAML)? Adding Restricted Layer Fails

03-10-2020 11:41 AM
pfoppe (MVP)

Problem Statement: When logged into the AGOL organization with an enterprise login through SAML, I cannot access my content that is not shared to public ('everyone'). The map viewer beta prompts for a built-in AGOL identity with a username/password. Generally, large organizations that use enterprise logins do NOT also build built-in accounts for their users.

I suspect the application has not been coded to support OAuth2 yet - What is OAuth 2.0? | ArcGIS for Developers 

Or is there a configuration that the AGOL Administrator can complete to allow enterprise logins to use this new solution?

Thanks!

Accepted Solution
RussellRoberts1 (Esri Frequent Contributor)

Thanks for reporting this. We have a known issue we are working on right now and hope to have it fixed in a patch coming soon. Will let you know when it is out.

Russ


Replies
pfoppe (MVP)

Here are steps to reproduce.

  1. Login to the AGOL organization with an enterprise login (SAML) identity
  2. Open map viewer beta - https://<org>.maps.arcgis.com/apps/mapviewer/index.html
  3. Under Layers choose Add layer
  4. Navigate to and choose an item that is restricted (not shared to 'everyone').
  5. Choose Add to map

Profiling the client -> server network traffic, I can observe Client requests:

So maybe it's not a lack of support for OAuth2-based logins (supporting SAML) but rather a bug with the 'add to map' workflow.


pfoppe (MVP)

Thank you!

Danielle Papineau

RussellRoberts1 (Esri Frequent Contributor)

Patch went out last night. If you can check this out today, let me know if your issue has been fixed.

pfoppe (MVP)

Hi Russell,

Thank you! I can confirm success.


After the "Item Service Endpoint" request, the client still receives a token required message, but the client then makes subsequent API calls to describe the server 'info' page (to find the generateToken endpoint), then exchanges the 'portal token' for the 'server token'.

Finally, the client re-executes the "Item Service Endpoint" API call with the newly generated 'server token' with success... and a whole slew of follow-up API calls while the service is added to the map.

Thanks!

Danielle Papineau & Scott Kichman
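The exchange described in the reply above (item service request rejected with "Token Required", server 'info' page consulted for the token service, portal token exchanged for a server token, request retried), written out as an added example that is neither Esri's code nor anything from the original posts. The field names follow the ArcGIS REST API as I know it (rest/info -> authInfo.tokenServicesUrl, error code 499, generateToken's token/serverUrl parameters) and are assumptions; every URL and token value is constructed, and HTTP is replaced by an in-memory fake so the flow runs offline.

```python
"""Portal-token -> server-token exchange for a federated ArcGIS Server,
modelled against a fake in-memory server (added example, not Esri code)."""
from typing import Callable, Dict

# Constructed values; field names are assumptions based on the ArcGIS REST API.
PORTAL = "https://portal.example.com/arcgis/sharing/rest"
SERVER = "https://gis.example.com/arcgis/rest"
PORTAL_TOKEN = "portal-token-123"   # constructed
SERVER_TOKEN = "server-token-456"   # constructed
RESTRICTED_URL = f"{SERVER}/services/Restricted/MapServer"

def fake_http(url: str, params: Dict[str, str]) -> dict:
    """Stand-in for GET/POST; returns the JSON each endpoint would answer with."""
    if url == f"{SERVER}/info":
        # The server advertises where tokens for it are issued (the portal).
        return {"authInfo": {"isTokenBasedSecurity": True,
                             "tokenServicesUrl": f"{PORTAL}/generateToken"}}
    if url == f"{PORTAL}/generateToken":
        # Federated exchange: a valid portal token plus serverUrl yields a server token.
        if params.get("token") == PORTAL_TOKEN and params.get("serverUrl", "").startswith(SERVER):
            return {"token": SERVER_TOKEN, "expires": 1}
        return {"error": {"code": 498, "message": "Invalid token"}}
    if url == RESTRICTED_URL:
        # The restricted service only accepts a server token, not a portal token.
        if params.get("token") == SERVER_TOKEN:
            return {"serviceDescription": "restricted layer", "layers": [{"id": 0}]}
        return {"error": {"code": 499, "message": "Token Required"}}
    raise ValueError(f"unexpected url {url}")

def describe_service(url: str, portal_token: str,
                     http: Callable[[str, Dict[str, str]], dict] = fake_http) -> dict:
    """Mirror the observed client behaviour: try the portal token first; on a
    499 'Token Required', discover the token service via rest/info, exchange
    the portal token for a server token, and retry exactly once."""
    resp = http(url, {"f": "json", "token": portal_token})
    if resp.get("error", {}).get("code") != 499:
        return resp                      # success, or an error that a retry cannot fix
    server_root = url.split("/rest/")[0] + "/rest"
    info = http(f"{server_root}/info", {"f": "json"})
    token_url = info["authInfo"]["tokenServicesUrl"]
    exchange = http(token_url, {"f": "json", "token": portal_token, "serverUrl": url})
    if "token" not in exchange:
        raise PermissionError(f"token exchange failed: {exchange.get('error')}")
    return http(url, {"f": "json", "token": exchange["token"]})
```

Swapping `fake_http` for a real HTTP client gives the same logic against a live federated server; the single retry keeps a revoked or foreign portal token from looping.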