Action Required: ArcGIS Online SAML Customers

Overview

ArcGIS Online Organization administrators who have enabled Best Practices for SAML Security features “Enable signed request” and/or “Allow Encrypt Assertion” will need to obtain the new ArcGIS Online Service Provider metadata file + certificate and associate it with their Identity Provider.

IMPORTANT: The new ArcGIS Online Service Provider metadata file + certificate will be available on August 29, 2023.

Customers using these advanced SAML options who do not upload the updated ArcGIS Online metadata file containing the new certificate to their SAML Identity Provider (e.g. Azure Active Directory Enterprise Applications with Token Encryption) before the current certificate expires on September 27, 2023, will receive an IDP-specific error and be unable to sign into ArcGIS Online with an Enterprise (SAML) account.

Step 1 – Download the updated metadata file from ArcGIS Online:

  1. Login to www.arcgis.com with your administrative credentials
  2. Click on “Organization” then “Settings” then “Security”
  3. Scroll down to “Logins” > “SAML login”, then click the “Download service provider metadata” link (as shown below). This downloads the metadata file, which contains the updated certificate and is the file you will upload to your SAML Identity Provider.

Step 2 – Upload the metadata file into your SAML IDP:

  1. Within your SAML Identity Provider Enterprise Application configuration, locate the entry for your ArcGIS Online Organization.
  2. Upload the updated metadata file downloaded from ArcGIS Online to your SAML Identity Provider. See ArcGIS Online’s SAML IDP guidance for IDP-specific instructions on how to register the service provider metadata XML with your IDP.

*Step 3 – Extract the certificate from the ArcGIS Online metadata file:

  1. Extract and validate the certificate within the metadata.xml file by copying the characters between the <X509Certificate> and </X509Certificate> tags, pasting the data into an empty file, and saving it with a .cer extension.

*Step 4 – Update the Token Encryption certificate within the Identity Provider:

  1. Within your SAML Identity Provider Enterprise Application configuration, locate the entry for your ArcGIS Online Organization.
  2. Supply the extracted certificate to the “Encryption” capability for the ArcGIS Online application. Refer to your SAML Identity Provider’s documentation for specific instructions on this workflow.

*OPTIONAL – Steps 3 & 4 are only required for ArcGIS Online organizations that have enabled “Allow Encrypted Assertion” within their SAML Login configuration.
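To check the certificate extracted in Step 3 before supplying it to the IdP in Step 4, here is an added Python example (not Esri's code or part of this notice): it pulls the X509Certificate text out of the service provider metadata, confirms that the base64 decodes to one complete DER structure, produces the PEM form for the .cer file, and computes a SHA-256 thumbprint to compare against what the IdP displays after upload. The metadata snippet and certificate bytes are constructed placeholders, not ArcGIS Online's real values.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def extract_certs(metadata_xml: str) -> dict:
    """Map each KeyDescriptor's 'use' (signing/encryption, 'both' if absent) to its base64."""
    certs = {}
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        node = kd.find(f".//{{{DS}}}X509Certificate")
        if node is not None and node.text:
            certs[kd.get("use", "both")] = "".join(node.text.split())  # drop whitespace
    return certs

def validate_der(b64: str) -> bytes:
    """Decode the base64 and check it is exactly one DER SEQUENCE (tag 0x30),
    the outer structure of every X.509 certificate; returns the DER bytes."""
    der = base64.b64decode(b64, validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: wrong tag content copied?")
    if der[1] & 0x80:  # long-form length: next (der[1] & 0x7F) bytes hold it
        n = der[1] & 0x7F
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    else:              # short-form length fits in one byte
        total = 2 + der[1]
    if total != len(der):
        raise ValueError("certificate data is truncated or has trailing bytes")
    return der

def to_pem(b64: str) -> str:
    """Wrap the base64 at 64 columns inside PEM armor for the .cer file."""
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 thumbprint to compare with what the IdP displays."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

# Constructed sample: a tiny DER SEQUENCE stands in for a real certificate and the
# metadata skeleton only mirrors the SP metadata layout (not ArcGIS Online's file).
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="urn:example:sp">
 <md:SPSSODescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate> {SAMPLE_B64} </ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>"""
```

Run `extract_certs` on the real downloaded metadata and pass the "encryption" entry through `validate_der` and `to_pem`; a mismatch between the printed thumbprint and the one the IdP shows means the wrong blob was pasted.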