Customer administrators who have enabled the advanced SAML options ‘Enable Signed Requests’ and/or ‘Encrypt Assertion’ will need to obtain the new ArcGIS Online Service Provider metadata file and associate it with their Identity Provider before December 5, 2019.
Customers using these advanced SAML options who do not upload the updated ArcGIS Online metadata file containing the new certificate before this date will receive an IDP specific error when they attempt to sign into ArcGIS Online with an Enterprise account. Note that starting this year, certificates will last for two years so you won’t have to perform this maintenance activity in 2020. The new certificate will expire 9/28/2021.
To obtain the updated metadata file:
- Login to www.arcgis.com with your administrative credentials
- Click on “Organization” then “Settings” then “Security”
- Scroll down to “Enterprise Logins” then click the “Get Service Provider” button. This action will download the metadata needed for your IDP.
- OPTIONAL – You can validate the expiration date of the certificate in this file on a Windows system by opening up the XML file, copying the characters between the ds:X509Certificate tags, pasting the data to an empty file (such as to Notepad), saving the file with a .cer extension, and then double-clicking the file to open it (Windows will then display the certificate details including expiration date).
Esri Support Services has provided a technical article here which describes this issue in detail:
– Esri Software Security & Privacy Team