Latest Contributions by JeffSmith

Thanks for checking.  From your previous message it looks like you have all three of your SAML-TEST groups linked to the same 'gis-esriportal' group.  Is that correct?  There is an outstanding issue related to having multiple Portal groups linked to a single SAML enterprise group.  The behavior is inconsistent.  Can you confirm in your production environment if you have more than one Portal group linked to a single SAML group? ... View more

Based on the logs it looks like you might have a "Windows" group store configuration defined in Portaladmin > Security > Config.  Can you double-check that?  The refresh group membership logs that are appearing when it fails are unique to Windows or LDAP group store configurations.  The SAML enterprise group logs match the first one and the last one where it worked.   Currently it is possible to enable SAML enterprise groups when you configure SAML and also have an Active Directory or LDAP group store defined in portaladmin.  When this happens they conflict with each other and you see weird results.  We are working on an enhancement to only allow one or the other. ... View more

Nicholas, I agree with you.  It sounds like it has something to do with the old accounts that have been upgraded from earlier releases.  Have the enterprise accounts on your production system been through multiple upgrades or were those accounts created at 10.7.1?   I can't think of too much that was added for users between 10.7.1 and 10.8 but if they are older, there could be something else.  The group refresh is supposed to occur every time a user logs in, not just when the account gets created.  The debug logs should reveal the group refresh during login.  Do you see anything there? ... View more

Hi.  I understand your frustration with this.  There are many factors involved in some of these issues and while we try to perform testing in different configurations and scenarios, there are some that definitely get missed.  I searched through our bug fixes for 10.8.1 and found one related to SAML group membership that you might be encountering. BUG-000121049 - If an ArcGIS group links to a group in the SAML Identity Provider (IDP) is owned by a SAML user who is not listed as a member of the group in the SAML assertion response, the group membership of the user fails to update.   Since yours was working previously though and started failing after the upgrade, this may not apply to you.  Due to the complexity in this issue and since you have 2 environments that behave differently, I would recommend contacting our Support team. ... View more

Hi Wes, What release of Portal are you using?  A little over a year ago ArcGIS Online transitioned to use TLS 1.2 only for all HTTPS communication.   Included in this transition was also the requirement to use SNI (Server Name Indication).  Portal for ArcGIS releases 10.5.1 and later all support this.  Earlier releases don't though and one of the issues encountered is not being able to access a service with stored credentials from ArcGIS Online as you described.  The following article goes into more detail. FAQ: How is ArcGIS Enterprise and its associated software components, ArcGIS Server and Portal for ArcGIS, affected by d…  If you are using 10.5.1 or later, it would probably be best to open a support call to help you troubleshoot this further. Jeff ... View more

Hi Guillaume, Both of those methods should work fine to invalidate tokens.  The urls just need to be adjusted to match your Portal url. https://yourportal.domain.com/web_adaptor/sharing/rest/oauth2/revokeToken and https://yourportal.domain.com/web_adaptor/sharing/rest/community/users/<username>/invalidateSessions Keep in mind that these only invalidate OAuth tokens.  They cannot be used to invalidate tokens created through the generateToken operation. Jeff ... View more

Hi Wes, In order to store credentials for a secured service, the service url needs to be added as an item under 'My Content'.  Assuming the Portal can access the url, you'll see the option to save the credentials.  This new item is what needs to be added to the map to avoid having to enter credentials when viewing it later on.  If you simply add the service to a map, it will prompt you to enter credentials but will not allow you to store them. Jeff ... View more

Mathias, Yes, the SAML response looks correct and matches the response I see when using ADFS.  The format of the group name that Portal expects depends on what you type in when you link the Portal group to the enterprise group.  When using SAML-based enterprise groups, there is not a way to search or query for valid groups.  The format and name of the enterprise group must be known beforehand and the user linking the Portal group just types it in.  During a login, Portal compares that with the attribute values that are passed in through the SAML assertion (case-insensitive) and adjusts membership accordingly.   Keep in mind for SAML-based groups, there is not a way to refresh the membership through portaladmin.  There is also not a regular 24-hour full refresh.  The only refresh occurs when a user logs in. Jeff ... View more

Based on the information provided in the bug, this issue cannot be reproduced.  I have tested this on 10.7 and later releases and in all cases the group membership is refreshed correctly each time the enterprise user logs in.  Access to content within those groups is updated as well.  If a user is removed from an enterprise group and the SAML assertion at the next login reflects this, the group membership within Portal gets updated and the user is not able to access content shared with the linked group. Jeff ... View more

This sounds like the pan/zoom issue observed in 10.6.1. BUG-000116195: Panning and zooming in the web map on a touch screen..  This was corrected in a patch.  My recommendation would be to have the customer install the latest security patch for Portal for ArcGIS 10.6.1 which includes the fix for that. Esri Support Portal for ArcGIS 10.6 (10.6.1)  Jeff ... View more

Ideally you should be able to import the same Thawte certificate into your Server and then configure it to use that certificate.  The documentation on how to do this is here: Configure ArcGIS Server with an existing CA-signed certificate An important thing to consider though.  This assumes the domain name for your ArcGIS Server matches the domain name where the IIS web adaptor is installed.  The certificate that was purchased from Thawte is likely for a specific domain name (ex server.domain.com).  If the domain names do not match, you can't use the same certificate (unless a wildcard certificate was purchased or the server domain name is listed in the subject-alternative name for the certificate). ... View more

Not sure if you are still seeing this issue with web-tier authentication not working but one suggestion I have would be to enable anonymous access to your 'arcgis' web adaptor and then re-register it with your Portal.  Once registered, re-enable the Windows Authentication and try it again. I've seen instances where the IIS web adaptor thinks it is registered and properly forwards the requests to Portal but Portal does not think it has a web adaptor or the web adaptor information has somehow become corrupt.  The behavior in these cases is very similar to what you described.  The web-tier authenticated user is not automatically logged into Portal.  The user has to manually type in the username/password at the sign-in window. ... View more

Hi Nicole, Yes, both ArcMap and ArcCatalog should work fine with basic authentication.  Is ArcGIS Server configured to expect basic authentication (ie web-tier authentication)?  An easy check should be to access the rest/info page: https://externalurl.domain.com/server_wa/rest/info Under authentication information, one of the parameters is "Is Token Based Security".  Is this true or false?  ... View more

When setting up a collaboration between Enterprise and Online, you don't need to worry about the certificate trust.  Online uses certificates signed by DigiCert and your Enterprise already trusts those.  Since your Enterprise is on an internal network, all network communication will be initiated from your Enterprise so Online will not need to trust your internal domain CA certificates. ... View more