Can't send invites on email

08-07-2013 11:44 PM
KasperLidén_Kjærbo
New Contributor II
We're using ArcGIS.com for Organisations, including Enterprise login (via ADFS).

An ESRI Global Account was associated to the Organisation before we were using Enterprise login. After the Enterprise login was set up, I promoted some of the Enterprise accounts to administrators and removed all other accounts that were not coming from the Enterprise login.

Now it's no longer possible to send invites on email to new users and therefore we're not able to create new users that are not coming from the Enterprise.

This thread http://forums.arcgis.com/threads/89972-Can-login-on-Arcgis.com-but-not-on-Ipad-App mentions the problem, but not a solution.

How can I create new (ESRI account) users when using the Enterprise login setup?

- Kasper
Accepted Solutions
KasperLidén_Kjærbo
New Contributor II
Okay, here is an update:

  • Go to "Edit settings" => Security tab => Edit Identity Provider.

  • I forgot to set the option "Your users will be able to join:" to "Automatically" instead of "Upon invitation from an administrator".

  • When this option was changed I was able to log on using AD FS.

  • Another admin changed my user role to Admin.

This re-creation procedure of the user ensured the correct data was transferred from the AD FS to AGO - including my email, I guess.

Now I'm able to send invites on email!!!

Thanks a lot.

- Kasper

6 Replies
LalithaPidaparthi
New Contributor
Kasper,

Have you configured email address to be returned in the SAML assertion from your AD FS as indicated in the help link below?

http://resourcs.arcgis.com/en/help/main/10.2/#/Configuring_Active_Directory_Federation_Services_2_0/...

ArcGIS Online uses email received from ADFS and populates the email address of the ArcGIS Online user account. It is recommended that you pass in the email address from the enterprise identity provider to ArcGIS Online. This helps if the user later becomes an administrator. Having an email address in the account entitles the user to receive notifications regarding any administrative activity and send invitations to other users to join the organization.

If you have not configured email addresses as mentioned in the above link and if you do not have any non-enterprise ArcGIS Online administrators, please do the following:

1. Follow the instructions mentioned in the link above and configure your AD FS to return email addresses in the SAML assertions.
2. Login to your organization with an enterprise user that is an administrator on ArcGIS Online.
3. Click the My Organization button at the top of the site. Your organization page opens.
4. Click the Edit Settings button.
5. Click the Security link on the left side of the page.
6. Within the Enterprise Logins section, click the Edit Identity Provider button.
7. Choose "Automatically" radio button under the section titled "Your users will be able to join:". This will let any user from your AD FS login to ArcGIS Online as opposed to allowing upon invitations. This should be set back to "Upon receiving Invitations from administrators" after you are done with the steps mentioned here as this will allow your organization admin to choose who can login to your organization.
8. Go to Organization users, delete one of the administrators and try login using the same enterprise user to AGOL again or login using some other enterprise user from your AD FS. Make this user an administrator on your organization. Re-logging will populate the email address received in the SAML assertion in the corresponding AGOL account.
9. Change the way enterprise users can login to AGOL to "Upon receiving Invitations from administrators" back.
10. Check if you can invite users to organization using the user from step 8 above.

Let me know if you have any questions or run into any issues.

-Lalitha.
KasperLidén_Kjærbo
New Contributor II
Hi Lalitha,

I've followed your guide without any luck - I'm still not able to send invitations on e-mail to addresses either inside or outside the enterprise user store.

- Kasper
LalithaPidaparthi
New Contributor
Kasper,

Did you change your AD FS to send email address attribute in the SAML assertion? Would you be able to send me the SAML response that is being sent by your AD FS to ArcGIS Online after authenticating the user?

The ArcGIS forums have a messaging system built in; can you send a private message with the SAML response? I can take a look at the SAML response and see if we are getting the email address or not. You can use any of the network monitoring tools such as SAML tracer, Fiddler, etc. to capture the SAML assertions being sent in the HTTP requests.

-Lalitha,
ESRI.
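The check described in the two replies above (does the SAML assertion coming from AD FS actually carry an e-mail attribute?) can be done locally on a captured SAMLResponse before the response is sent to anyone. The script below is an added example, not code from Esri, from the ArcGIS help page, or from this thread. It assumes AD FS sends the address under the standard WS-Federation emailaddress claim URI; the plain "email" and "mail" names it also accepts are an assumption about what a service provider might expect. It reports only attribute names and value counts, never the values, so the summary can be shared without copying the user data held in the assertion. The sample responses are constructed inline and unsigned; a real AD FS response is signed, and that signature is validated by the service provider, not by this script.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an AD FS response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Attribute names under which an identity provider may send the e-mail address.
# EMAIL_CLAIM is the standard claim type AD FS uses; the short names are an
# assumption about what a service provider might accept.
EMAIL_ATTRIBUTE_NAMES = {EMAIL_CLAIM, "email", "mail"}


def decode_saml_response(encoded):
    """Decode a base64 SAMLResponse form value (as captured by a SAML tracer)
    into an XML tree. Raises ValueError if the root is not samlp:Response."""
    root = ET.fromstring(base64.b64decode(encoded))
    expected = "{%s}Response" % NS["samlp"]
    if root.tag != expected:
        raise ValueError("unexpected root element %s" % root.tag)
    return root


def attribute_names(root):
    """Map each attribute Name in every AttributeStatement to the number of
    AttributeValue children it has. The values themselves are deliberately not
    returned, so the result can be shared without leaking user data."""
    counts = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        counts[attr.get("Name")] = len(attr.findall("saml:AttributeValue", NS))
    return counts


def check_saml_response(encoded):
    """Summarise what the assertion carries: success status, a NameID, the
    attribute names present, and whether a non-empty e-mail attribute is among
    them. An e-mail attribute with zero values (user has no mail address in the
    directory) counts as missing, since the service provider still gets none."""
    root = decode_saml_response(encoded)
    status = root.find(".//samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = attribute_names(root)
    return {
        "status_ok": status is not None and status.get("Value", "").endswith(":Success"),
        "has_name_id": name_id is not None and bool((name_id.text or "").strip()),
        "attributes": attrs,
        "has_email": any(attrs.get(n, 0) > 0 for n in EMAIL_ATTRIBUTE_NAMES),
    }


def make_response(attributes):
    """Build a constructed, unsigned SAMLResponse for demonstration only.
    `attributes` maps attribute Name -> list of values. A real AD FS response
    also carries an XML signature, which is omitted here."""
    attr_xml = ""
    for name, values in attributes.items():
        vals = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values)
        attr_xml += '<saml:Attribute Name="%s">%s</saml:Attribute>' % (name, vals)
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        "<samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>http://adfs.example.invalid/adfs/services/trust</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>%s</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], attr_xml)
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


# Constructed samples: the working configuration, one where the e-mail claim
# was never added to the AD FS claim rules, and one where the claim is sent
# but the user has no address in the directory.
GOOD_RESPONSE = make_response({EMAIL_CLAIM: ["user@example.invalid"], NAME_CLAIM: ["Example User"]})
NO_EMAIL_RESPONSE = make_response({NAME_CLAIM: ["Example User"]})
EMPTY_EMAIL_RESPONSE = make_response({EMAIL_CLAIM: [], NAME_CLAIM: ["Example User"]})

if __name__ == "__main__":
    for label, resp in [("good", GOOD_RESPONSE), ("no-email", NO_EMAIL_RESPONSE),
                        ("empty-email", EMPTY_EMAIL_RESPONSE)]:
        print(label, check_saml_response(resp))
```

To use it on a real capture, paste the base64 SAMLResponse value from the tracer into `check_saml_response`; a result with `"has_email": False` means the claim rule on the AD FS side (or the directory attribute behind it) is what needs fixing, not the ArcGIS Online settings.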
KasperLidén_Kjærbo
New Contributor II
The AD FS was set up to include name and email address.

I've sent you the SAML response via private message.

- Kasper
KasperLidén_Kjærbo
New Contributor II
This is bad!

  • I've moved all my content and groups to another account.

  • Via another administrator account deleted my account from AGO.

  • Tried to log in via AD FS to AGO to re-create my account on AGO - got an Invalid_Signin error.

  • Via the other administrator account we tried to send a new invite, but without luck - still getting the Can't send invite error message.

Now I'm in a situation where I can't invite new users, and Enterprise users can't log in...
Let's say I wanted to remove the Enterprise login; then all existing users and content are deleted from AGO... And I'm not even sure I'm able to log in to the Organization afterward, because no users are associated with the Organization and there are therefore no users to send invites... Catch 22?!?

- Kasper