Customer administrators who have enabled the advanced SAML options ‘Enable Signed Requests’ and/or ‘Encrypt Assertion’ will need to obtain the new ArcGIS Online Service Provider metadata file and associate it with their Identity Provider before September 28, 2021.
Customers using these advanced SAML options who do not upload the updated ArcGIS Online metadata file containing the new certificate before this date will receive an IDP specific error when they attempt to sign into ArcGIS Online with an Enterprise account. The new certificate will expire 9/25/2022.
To obtain the updated metadata file:
- Login to www.arcgis.com with your administrative credentials
- Click on “Organization” then “Settings” then “Security”
- Scroll down to “Enterprise Logins” then click the “Get Service Provider” button. This action will download the metadata needed for your IDP (Identity Provider).
- Upload/Import the downloaded service provider metadata XML into your IDP. See ArcGIS Online’s SAML IDP guidance for IDP specific instructions on how to register the service provider metadata XML with your IDP.
- OPTIONAL – You can validate the expiration date of the certificate in this file on a Windows system by opening up the XML file, copying the characters between the ds:X509Certificate tags, pasting the data to an empty file (such as to Notepad), saving the file with a .cer extension, and then double-clicking the file to open it (Windows will then display the certificate details including expiration date).
Esri Support Services has provided a technical article here which describes this issue in detail:
– Esri Software Security & Privacy Team