Latest Contributions by JeffSmith

Hi.  I understand your frustration with this.  There are many factors involved in some of these issues and while we try to perform testing in different configurations and scenarios, there are some that definitely get missed.  I searched through our bug fixes for 10.8.1 and found one related to SAML group membership that you might be encountering. BUG-000121049 - If an ArcGIS group links to a group in the SAML Identity Provider (IDP) is owned by a SAML user who is not listed as a member of the group in the SAML assertion response, the group membership of the user fails to update.   Since yours was working previously though and started failing after the upgrade, this may not apply to you.  Due to the complexity in this issue and since you have 2 environments that behave differently, I would recommend contacting our Support team. ... View more

Hi Wes, What release of Portal are you using?  A little over a year ago ArcGIS Online transitioned to use TLS 1.2 only for all HTTPS communication.   Included in this transition was also the requirement to use SNI (Server Name Indication).  Portal for ArcGIS releases 10.5.1 and later all support this.  Earlier releases don't though and one of the issues encountered is not being able to access a service with stored credentials from ArcGIS Online as you described.  The following article goes into more detail. FAQ: How is ArcGIS Enterprise and its associated software components, ArcGIS Server and Portal for ArcGIS, affected by d…  If you are using 10.5.1 or later, it would probably be best to open a support call to help you troubleshoot this further. Jeff ... View more

Hi Wes, In order to store credentials for a secured service, the service url needs to be added as an item under 'My Content'.  Assuming the Portal can access the url, you'll see the option to save the credentials.  This new item is what needs to be added to the map to avoid having to enter credentials when viewing it later on.  If you simply add the service to a map, it will prompt you to enter credentials but will not allow you to store them. Jeff ... View more

Mathias, Yes, the SAML response looks correct and matches the response I see when using ADFS.  The format of the group name that Portal expects depends on what you type in when you link the Portal group to the enterprise group.  When using SAML-based enterprise groups, there is not a way to search or query for valid groups.  The format and name of the enterprise group must be known beforehand and the user linking the Portal group just types it in.  During a login, Portal compares that with the attribute values that are passed in through the SAML assertion (case-insensitive) and adjusts membership accordingly.   Keep in mind for SAML-based groups, there is not a way to refresh the membership through portaladmin.  There is also not a regular 24-hour full refresh.  The only refresh occurs when a user logs in. Jeff ... View more

Based on the information provided in the bug, this issue cannot be reproduced.  I have tested this on 10.7 and later releases and in all cases the group membership is refreshed correctly each time the enterprise user logs in.  Access to content within those groups is updated as well.  If a user is removed from an enterprise group and the SAML assertion at the next login reflects this, the group membership within Portal gets updated and the user is not able to access content shared with the linked group. Jeff ... View more

This sounds like the pan/zoom issue observed in 10.6.1. BUG-000116195: Panning and zooming in the web map on a touch screen..  This was corrected in a patch.  My recommendation would be to have the customer install the latest security patch for Portal for ArcGIS 10.6.1 which includes the fix for that. Esri Support Portal for ArcGIS 10.6 (10.6.1)  Jeff ... View more

Ideally you should be able to import the same Thawte certificate into your Server and then configure it to use that certificate.  The documentation on how to do this is here: Configure ArcGIS Server with an existing CA-signed certificate An important thing to consider though.  This assumes the domain name for your ArcGIS Server matches the domain name where the IIS web adaptor is installed.  The certificate that was purchased from Thawte is likely for a specific domain name (ex server.domain.com).  If the domain names do not match, you can't use the same certificate (unless a wildcard certificate was purchased or the server domain name is listed in the subject-alternative name for the certificate). ... View more

Not sure if you are still seeing this issue with web-tier authentication not working but one suggestion I have would be to enable anonymous access to your 'arcgis' web adaptor and then re-register it with your Portal.  Once registered, re-enable the Windows Authentication and try it again. I've seen instances where the IIS web adaptor thinks it is registered and properly forwards the requests to Portal but Portal does not think it has a web adaptor or the web adaptor information has somehow become corrupt.  The behavior in these cases is very similar to what you described.  The web-tier authenticated user is not automatically logged into Portal.  The user has to manually type in the username/password at the sign-in window. ... View more