An email address is required for adding an enterprise user. The user <username> does not have an email address set, and cannot be added

Error Message

While adding new members in Portal for ArcGIS using the workflow Organization > Members > Add Members, when choosing the method to  "Add members based on existing Active Directory or LDAP users", the following error message is returned: 

An email address is required for adding an enterprise user. The user EDPSSRMSC does not have an email address set, and cannot be added.

Note:
At ArcGIS version 10.8 and prior, this option is "Add members based on existing enterprise users."

Cause

• The user may not have an email attribute set in the identity provider or enterprise directory, such as Active Directory or LDAP, which is required for ArcGIS Enterprise to associate an email with the user. 
• If using an enterprise authentication source, such as LDAP or Active Directory, the connection settings may not properly synchronize or pull in the email attribute for the user.

Solution or Workaround

1. Verify the user’s email address in the Enterprise Identity Store (LDAP/Active Directory):
   • Active Directory (AD): Ensure the user has an email address field populated in Active Directory (or another enterprise directory).
     • Open Active Directory Users and Computers, locate the user, and verify that the Email field is filled in the General tab.
   • LDAP: Check the LDAP directory settings and ensure the email attribute (for example, "mail", "email") is mapped correctly.
   • If the email field is empty, add a valid email address for the user in the identity provider.

2. Sync users from the identity provider:
   • If you are using an enterprise authentication source (such as Active Directory or LDAP), you may need to sync the users from the identity provider again to ensure the email attribute is populated correctly in Portal for ArcGIS.
     • In Portal for ArcGIS, go to Organization > Members and check if the email address appears after the synchronization.
     • You can manually synchronize users or adjust the sync schedule to ensure all user details, including the email, are up-to-date.

3. Check for proper configuration of enterprise authentication source:
   • Verify that the enterprise authentication source (LDAP/Active Directory) is configured correctly in Portal for ArcGIS.
     • Go to Portal for ArcGIS > Organization > Settings > Enterprise logins.
     • Make sure that the configuration is correct and that the user details are being synchronized properly.
     • If the email attribute is missing during sync, verify that the correct attribute is being pulled from the LDAP/AD server, for example, "mail" for AD.

4. Update the identity store:

 Example usage as follows for reference:

Example

LDAPS (highly recommended)

The following is a sample POST request for the updateIdentityStore operation:

POST /webadaptor/admin/security/config/updateIdentityStore HTTP/1.1
Host: machine.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

userStoreConfig={
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "userFullnameAttribute": "displayName",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "ldapURLForUsers": "ldaps://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "uid",
    "caseSensitive": "false",
    "userSearchAttribute": "dn",
  }
}&roleStoreConfig={
  "type": "LDAP",
  "properties": {
    "ldapURLForRoles": "ldaps://xxx:10636/ou=roles,ou=ags,dc=example,dc=com",
    "adminUserPassword": "aaa",
    "adminUser": "CN=aaa,ou=users,ou=ags,dc=example,dc=com",
    "memberAttributeInRoles": "uniquemember",
    "ldapURLForUsers": "ldaps://xxx:10636/ou=users,ou=ags,dc=example,dc=com",
    "rolenameAttribute": "cn",
    "usernameAttribute": "cn",
    "failOverLDAPServers": "hostname1:10636,hostname2:10636"
  }
}&f=pjson