Unable to log in using IDP. Invalid subject found in SAML response for Shibboleth

Error Message

When using the Shibboleth IDP, the following error is returned when trying to log in to an ArcGIS Enterprise portal via SAML logins:

Unable to login using Idp. Invalid subject found in SAML response.


Cause

The SAML NameID attribute is missing from the <Subject> element of the SAML assertion response.

Solution or Workaround

  1. Edit the SHIBBOLETH_HOME/conf/saml-nameid.xml file and replace this section:

     <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
           p:attributeSourceIds="#{ {'mail'} }" />

     with the following:

     <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
           p:attributeSourceIds="#{ {'your-name-id-attribute'} }" />

  2. Restart the Shibboleth daemon (Linux) or service (Windows).
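
To confirm the change took effect, the base64 SAMLResponse form value that the IdP posts to the portal can be decoded and checked for a NameID inside <Subject>. The following Python script is an added example, not part of the original article and not Esri or Shibboleth code; the function names and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_name_id(saml_response_b64):
    """Diagnose the <Subject>/<NameID> of a base64 SAMLResponse form value.
    Diagnostic only: the signature is not validated."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            return ("encrypted", "assertion is encrypted; decrypt it before checking")
        return ("no-assertion", "response carries no <Assertion>")
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        return ("missing", "assertion has no <Subject>")
    name_id = subject.find("saml:NameID", NS)
    if name_id is None:
        if subject.find("saml:EncryptedID", NS) is not None:
            return ("encrypted", "NameID is encrypted; decrypt it before checking")
        return ("missing", "<Subject> has no <NameID>")
    value = (name_id.text or "").strip()
    if not value:
        return ("empty", "<NameID> is present but has no value")
    return ("ok", "%s (Format=%s)" % (value, name_id.get("Format", "not set")))

def build_sample(subject_inner):
    """Constructed sample response (not captured from a real IdP)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>" + subject_inner +
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

CONFIRMATION = '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
BEFORE_FIX = build_sample(CONFIRMATION)  # Subject without NameID, as in the error above
AFTER_FIX = build_sample(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "jdoe@example.org</saml:NameID>" + CONFIRMATION
)

if __name__ == "__main__":
    print(check_name_id(BEFORE_FIX))
    print(check_name_id(AFTER_FIX))
```

A "missing" or "empty" result after the restart usually means the attribute named in p:attributeSourceIds is not being resolved or released for that user.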

Article ID: 000026099

  • Portal for ArcGIS
