ERROR
Unable to log in using IDP. Invalid subject found in SAML response for Shibboleth
Error Message
When using the Shibboleth IDP, the following error is returned when trying to log in to an ArcGIS Enterprise portal via SAML logins:
Unable to login using Idp. Invalid subject found in SAML response.
Cause
The SAML NameID attribute is missing from the <Subject> element of the SAML assertion response.
Solution or Workaround
- Edit the SHIBBOLETH_HOME/conf/saml-nameid.xml file and replace this section:
<!--
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
-->
with the following:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
p:attributeSourceIds="#{ {'your-name-id-attribute'} }" />
- Restart the Shibboleth daemon (Linux) or service (Windows).
Article ID: 000026099
Software:
- Portal for ArcGIS
Get support with AI
Resolve your issue quickly with the Esri Support AI Chatbot.
Related Information
Discover more on this topic
Search for related information
Find training related to this topic
Explore ideas and give feedback
Get help from ArcGIS experts
Start chatting now