Hi
I'm trying to use KeyCloak as an external OpenID Connect authentication server for our internal ArcGIS Portal. Everything is connection but when I login and get redirected back to ArcGIS Portal I always get this error:
Did not receive 'user profile' parameter from the provider.
It seems that ArcGIS Portal doesn't call the user info endpoint so how do I fix this?
Best regards
Jens Christiansen
So I'm not an expert on SAML2 and I've only worked with ADFS, OKTA and Azure AD. That said the 'Required Information' (Configure a SAML-compliant identity provider with a portal—Portal for ArcGIS | Documentation for Arc...) for a SAML2 exchange between an IDp and ArcGIS Enterprise as a SP is quite light. Only the NameID is really required, which is often in the form of the email address.
Azure AD "just works" as the email is key to everything, but ADFS needs the admin to choose the right properties to send through configuration. It may be that an incorrect property is being sent as the NameID.
That's probably as much as I've got on the subject, but take a look at what's being sent. It sounds like Enteprise is expecting an email and getting something in another form like [domain\user].
Hi Scott
Thanks for you reply and the SAML2 link.
However, I'm trying to use the OpenID Connect login but ArcGIS Portal just calls the authenticate endpoint and I login in the identity server and then is redirected back to ArcGIS Portal, just to get notified that user profile is missing.
The JWT returned in quite simple and I guess ArcGIS Portal should call the user info endpoint of my identity server to retrieve the information but it doesn't!
Best regards
Jens Christiansen
Hi @pocalipse, have you managed to solve this issue? I am having the same issue on ArcGIS Enterprise version 10.9.1 (2 HA portals + 2 Federated servers, one hosted server & the other is notebook server)
Note: "Send access token in the header" is On
Any suggestion?
Unfortunately not!
However, I currently have an open support issue with Esri and I'm hoping they will come back with a solution very soon. If and when they do I will gladly provide you the solution 🙂
Hi @pocalipse, have you received any updates from ESRI with regard to the support ticket you have opened?
This issue is driving me crazy, I have been testing on another environment, and it worked! details as follows.
The other environment is testing one (2 HA portals, but there are no federated servers), I have used the exact same Keycloak configuration for both environments. However, in my production environment, which I have sent about it before (2 HA portals + 2 Federated servers, one hosted server & the other is notebook server) it does not work!
I have been trying to test and eliminate some doubts related to keycloak, trying to understand from where exactly the error stem from.
Keycloak side:
I have tried to connect to Keycloak APIs directly without any intervention from the portal, the results was good and eliminated the possibility of having issues related to request/response of keycloak (production).
I have tried to generate a token as follows:
curl -L -X POST 'https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<CLIENT_ID>' \
--data-urlencode 'client_secret=<CLIENT_SECRET>' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=<USERNAME>' \
--data-urlencode 'password=<MY_PASSWORD>' \
--data-urlencode 'scope=openid address web-origins roles email phone profile microprofile-jwt offline_access' \
--data-urlencode 'totp=<OTP_FROM_ANY_MOBILE_AUTHENTICATOR>'
It responded correctly with an access_token
then I used that access_token to call /userinfo API as follows:
curl -L -X GET 'https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/userinfo' \
-H 'Authorization: Bearer <GENERATED_TOKEN>'
It responded correctly with my user profile
Portal side:
I have traced the OpenID connect traffic there are 3 main requests as following:
First: Portal requests: oidc authorize >> set redirect url to keycloak to request the code
originator: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../authorize",
redirectURL: {
baseURL: "https://<KEYCLOAK_SERVER>/realms/.../protocol/openid-connect/auth?redire...",
redirect_uri: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../signin",
client_id: "<CLIENT_ID>",
scope: "openid address web-origins roles email phone profile microprofile-jwt offline_access",
response_type: "code",
state: "xxxxxxxxxxxxx"
Second: Keycloak requests: authenticate with user password or OTP >> set redirect url to portal with code, state & session_state
originator: "https://<KEYCLOAK_SERVER>/realms/.../login-actions/authenticate?session_code=xxxxxxxxxxxxxxxxxxxxxx&execution=xxxxxxxxxxxxxxxx&client_id=<CLIENT_ID>&tab_id=xxxxxx",
redirectURL: {
baseURL: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/...",
state: "xxxxxxxxxxxxxxxx",
session_state: "xxxxxxxxxxxxxxxx",
code: "xxxxxxxxxxxxxxxxxxxxxxx"
},
Third: Portal requests: oidc signin with code, state & session_state >> set redirect url to portal account switcher with access_token
originator: "https://<PORTAL>/arcgis/sharing/rest/oauth2/oidc/.../signin?state=xxxxxxxxxxxxxxx&session_state=xxxxxxxxxxxxxxx",
redirectURL: {
baseURL: "https://<PORTAL>/arcgis/home/accountswitcher-callback.html#access_token=XXXXXXXX"
This ☝ is the successful flow captured from the testing environment (2 HA portals). I have traced the production requests as well, and everything is being sent correctly redirect_uri, client_id, code, state, session_state, but Unfortunately the Third request does not return an access_token instead it returns the user profile error Did not receive 'user profile' parameter from the provider error
I don't know what's wrong with the production environment, is it because of the fact of having federated servers!
I believe I will open a support ticket as well!
--
Thanks,
Essam
Was a resolution ever found for this? I'm having the same issue when trying to authenticate with the Azure ArcGIS Portal app.
The authentication goes through but then the portal comes back with the "Did not receive 'user profile' parameter from the provider" error.
Portal version 11.3
For anyone having this same issue, I realized that I copied the URLs from the endpoint tab in Azure, instead of from the metadata URL.
Once I put in the correct URLs, it started working.