ArcGIS Online

Action Required: ArcGIS Online SAML Customers

ArcGIS Online Organization administrators who have enabled the advanced SAML options ‘Enable Signed Requests’ and/or ‘Encrypt Assertion’ will need to obtain the new ArcGIS Online Service Provider metadata file and associate it with their Identity Provider before September 25, 2022.

Customers using these advanced SAML options who do not upload the updated ArcGIS Online metadata file containing the new certificate to their identity provider (eg. Azure Active Directory Enterprise Applications with Token Encryption) before this date will receive an IDP specific error when they attempt to sign into ArcGIS Online with an Enterprise account.  The new ArcGIS Online SAML certificate will expire 9/27/2023.

To obtain the updated metadata file:

  1. Login to with your administrative credentials
  2. Click on “Organization” then “Settings” then “Security”
  3. Scroll down to “Enterprise Logins” then click the “Get Service Provider” button. This action will download the metadata needed for your IDP (Identity Provider).
  4. Upload/Import the downloaded service provider metadata XML into your IDP.  See ArcGIS Online’s SAML IDP guidance for IDP specific instructions on how to register the service provider metadata XML with your IDP.
  5. OPTIONAL – You can extract and validate the certificate in this XML file by copying the characters between the <ds:X509Certificate> and </ds:X509Certificate> tags, pasting the data to an empty file and saving it with a .cer extension.

Esri Support Services has provided a technical article here which describes this issue in detail:

ArcGIS Online SAML Authentication signing and encryption certificate renewal


– Esri Software Security & Privacy Team

Next Article

Tighten Up Your Edits with Editing Constraints in ArcGIS Online

Read this article