Latest Contributions by DanielUrbach

Alex, I only mentioned Firefox because up until a few minutes ago, every Chrome extension I tested wouldn't actually capture the SAML traffic from AGOL (this is due to the fact that we open a second tab for the SAML interactions).  It looks like the "SAML Message Decoder" extension does work and it's what I will be using moving forward! Either way, can you confirm if your organization is indeed using encrypted assertions?  You could check the "Edit Identity Provider" settings in your organization's security settings page to confirm this.  If so, this would explain why you didn't see "nameid" in the SAML response, as it would be encrypted.  If this is the case, as a test you might turn off encrypted assertions there and have your ADFS admin temporarily disable them on the ADFS side, then capture the SAML response from a failed login attempt. An easier first step may be to simply re-establish the relying-party trust between AGOL and ADFS.  It's generally pretty painless and won't affect the SAML-based users you have already created in AGOL, so long as the attributes currently mapped in ADFS remain the same.  See Configure Active Directory Federation Services—ArcGIS Online Help | ArcGIS  for details on how to do this. -Danny ... View more

Alex, That error generally indicates that the Portal (or AGOL) did not receive a nameID attribute in the SAML response sent from your ADFS. If you happen to have Firefox, you can install a handy SAML troubleshooting tool called SAML Tracer, which will let you view the SAML response that is sent back upon authentication with ADFS (the SAML response and request are denoted in SAML Tracer with an orange "SAML" tag on the right side of the window.  Looking at that SAML response after getting this error, do you see the NameID attribute?  If not, it indicates that ADFS is not sending that attribute and in that case it might be worth having your ADFS admin take a look at the Windows Event logs for that ADFS machine.  It's probably also a good idea to confirm if this is happening to other users as well, or just your user, as that might help your ADFS administrators to narrow down the issue. Do you have multiple ADFS instances behind a load-balancer?  Because of the intermittent nature of the issue, it could indicate that one of the instances may not be handling requests properly. -Danny ... View more

Hello Lee, I recommend taking a look at the following documentation page if you have not already: Using a reverse proxy server with ArcGIS Server—ArcGIS Server Administration (Windows) | ArcGIS Enterprise  You will need to set the webContextURL property in ArcGIS Server so it will work properly with your reverse proxy. -Danny ... View more

Hello Andrew, You won't be able to use both Windows authentication AND SAML in your Portal. If you want your users to be able to use their Windows credentials AND logout, I recommend only using SAML authentication as this will still leverage those accounts. -Danny ... View more

You are correct, the web adaptor is a reverse proxy.  Is your ArcGIS Server web adaptor in the DMZ?  If it is, are the layers being used in your map viewer being accessed via the web adaptor URL or the internal (https://host.domain.com:6443/arcgis) address? ... View more

Shelby, I understand that you cannot make the changes in the IdP. The reason I don't believe that particular defect is blocking you from sharing content to a SAML-linked group is that the NameID is only used to generate the username for the SAML-based user in Portal.  The fact that you are able to sign in successfully makes me think that that defect is not affecting this issue. Was your Portal upgraded to 10.6.1 or was it a fresh installation? If you go to https://<Portal FQDN>/<webadaptor>/sharing/rest/community/users/<SAML user>, is the group linked to a SAML group listed under User Groups? -Danny ... View more

Shelby, I'm not entirely sure that bug would affect group membership to be honest. Having said that, what identity provider are you using?  Most identity providers can be configured to send the nameid as SAML:2.0, effectively bypassing that defect. -Danny ... View more

When you say you can see the group, is that under "My Groups" or "My Organization's Groups"? What attribute name are you using for the attribute chosen for group membership (e.g. <Attribute name="Group"> in the SAML response) -Danny ... View more

Hello! Can you confirm the following: 1) What version of SuSE are you using? 2) Can you confirm that the user you used to install ArcGIS Server has read/write access to /tmp and full permissions (at least 700) for the installation path of ArcGIS Server and the config-store/directory paths you mentioned 3) Is /hana/Esri mounted from NFS or is it a local disk? -Danny ... View more

Technically speaking, using a network file location for your ArcGIS Server logs is not a supported configuration.  See About specifying server log settings—ArcGIS Server Administration (Windows) | ArcGIS Enterprise  Specifically this line: "The log path must be set to a local directory and exist on each GIS server participating in your ArcGIS Server site." The .lck files are most likely generated by your NAS. -Danny ... View more

Dayanidhi Khanda‌ Can you confirm that permissions to the C:\Python27 folder are correct for the user running ArcGIS Server?  The user should have full control on this directory.  Also I recommend going into that folder and confirming that the same user has full control over C:\Python27\ArcGISx6410.2, as I have seen this behavior occur when this particular subdirectory did not have the right permissions. If those permissions are set, I also recommend you confirm whether there are any Python paths in the system environmental variables or the environmental variables for the user running ArcGIS Server.  If there are variables set, you should add C:\Python27\ArcGISx6410.2 to the front of that path, or remove the path altogether from the variable. Jayanta Poddar‌ The locks folder did not exist before ArcGIS Server version 10.4 ... View more

Hello Tobias! You are correct, it is not possible to specify an itemID or modify an existing one, although I do see some potential value in doing so for certain use cases. If it does not already exist, I would recommend posting an idea for this here on GeoNet. -Danny ... View more

Elliot, Is Apache using AJP to proxy to Tomcat?  I've had success registering the web adaptor on Tomcat when it is listening on 8443 with this configuration. -Danny ... View more

Patrick, I would say that is your best bet.  You could use Portalpy for that: GitHub - Esri/portalpy: A module that allows you to administer Portal for ArcGIS and ArcGIS Online.  This works for all versions of Portal. ... View more