ERROR
Unable to log in using IDP. Invalid subject found in SAML response for Shibboleth
Error Message
When using the Shibboleth IDP, the following error is returned when trying to log in to an ArcGIS Enterprise portal via SAML logins:
Unable to login using Idp. Invalid subject found in SAML response.
Cause
The SAML NameID attribute is missing from the <Subject> element of the SAML assertion response.
Solution or Workaround
- Edit the SHIBBOLETH_HOME/conf/saml-nameid.xml file and replace this section:
<!--
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
p:attributeSourceIds="#{ {'mail'} }" />
-->
with the following:
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
p:attributeSourceIds="#{ {'your-name-id-attribute'} }" />
- Restart the Shibboleth daemon (Linux) or service (Windows).
Article ID: 000026099
Software:
- Portal for ArcGIS
Receive notifications and find solutions for new or common issues
Get summarized answers and video solutions from our new AI chatbot.
Related Information
Discover more on this topic
Search for related information
Find training related to this topic
Explore ideas and give feedback
Get help from ArcGIS experts
Download the Esri Support App