ArcGIS Trust Center

Action Required: ArcGIS Online SAML Customers

Overview

ArcGIS Online organization administrators who have enabled Signed and/or Encrypted Assertions, in alignment with ArcGIS Online Best Practices for SAML Security, need to obtain the new ArcGIS Online Service Provider metadata file and certificate and associate it with their SAML Identity Provider (e.g., Azure Active Directory Enterprise Applications with Token Encryption) before September 27, 2023. Otherwise, ArcGIS Online sign-ins with Enterprise (SAML) accounts will fail.

See Steps 1-2 below:

Step 1 – Download the updated metadata file from ArcGIS Online:

  1. Log in to www.arcgis.com with your administrative credentials.
  2. Click “Organization”, then “Settings”, then “Security”.
  3. Scroll down to “Logins” > “SAML login”, then click the “Download service provider metadata” link (as shown below). This downloads the metadata file, which contains the updated certificate and which you will upload to your SAML Identity Provider.

Step 2 – Upload the metadata file into your SAML IDP:

  1. Within your SAML Identity Provider Enterprise Application configuration, locate the entry for your ArcGIS Online Organization.
  2. Upload the updated metadata file downloaded from ArcGIS Online to your SAML Identity Provider. See ArcGIS Online’s SAML IDP guidance for IDP-specific instructions on how to register the service provider metadata XML with your IDP.

Administrators who have enabled the Best Practices for SAML Security feature: “Allow Encrypt Assertion” must also complete Steps 3-4 below:

Step 3 – Extract the certificate from the ArcGIS Online metadata file:

  1. Extract and validate the certificate within the metadata.xml file by copying the characters between the <X509Certificate> and </X509Certificate> tags, pasting the data to an empty file and saving it with a .cer extension.

Step 4 – Update the Token Encryption certificate within the Identity Provider:

  1. Within your SAML Identity Provider Enterprise Application configuration, locate the entry for your ArcGIS Online Organization.
  2. Supply the extracted certificate to the “Encryption” capability for the ArcGIS Online application. Refer to your SAML Identity Provider’s documentation for specific instructions on this workflow.
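
The Step 3 extraction can be scripted instead of copied by hand. The following is an added example, not Esri's own tooling: it pulls each certificate out of the metadata XML, writes it in PEM form, and computes a SHA-256 fingerprint to compare with what the Identity Provider shows after Step 4. The sample metadata, its entityID, the output file name and the function names are constructed for illustration, and it assumes your Identity Provider accepts a PEM-encoded .cer file.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample input: placeholder bytes stand in for the DER certificate,
# and the entityID is made up. Real metadata comes from the Step 1 download.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_METADATA = f"""<md:EntityDescriptor entityID="sp.example.invalid"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {_B64[:40]}
        {_B64[40:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_certificates(metadata_xml):
    """Return [(use, der_bytes)] for every X509Certificate in the metadata."""
    if "<!DOCTYPE" in metadata_xml:  # a DTD is not expected in this file
        raise ValueError("refusing metadata that declares a DOCTYPE")
    found = []
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        use = kd.get("use", "unspecified")  # the use attribute is optional
        for cert in kd.iter(DS + "X509Certificate"):
            b64 = "".join((cert.text or "").split())  # drop line breaks and indent
            found.append((use, base64.b64decode(b64, validate=True)))
    return found


def to_pem(der):
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der):
    """SHA-256 over the DER bytes, for comparison with what the IdP displays."""
    return hashlib.sha256(der).hexdigest().upper()


if __name__ == "__main__":
    for use, der in extract_certificates(SAMPLE_METADATA):
        with open(f"arcgis_online_{use}.cer", "w") as fh:
            fh.write(to_pem(der))
        print(use, sha256_fingerprint(der))
```

With a real certificate, `openssl x509 -in <file>.cer -noout -subject -enddate -fingerprint -sha256` shows the subject, expiry date and the same fingerprint for validation.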

 
