PROBLEM

SAML single sign-on in ArcGIS Online or the Enterprise portal fails with an error

Last Published: October 2, 2025

Description

When using Security Assertion Markup Language (SAML) single sign-on in ArcGIS Online or the ArcGIS Enterprise portal, the following error is returned:

Error:
Unable to login using Idp. Error validating encrypted Assertion. Unwrapping failed.

Cause

This error occurs when the Encrypted Assertion setting is disabled in ArcGIS Online or the Enterprise portal, and the token encryption certificates are enabled in Microsoft Entra ID.
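
To confirm this mismatch, inspect the SAMLResponse form value captured from your own failed sign-in (browser developer tools, URL-decoded) and check whether the identity provider sent an EncryptedAssertion. The following is an added example, not Esri or Microsoft code; the function names and the sample response are constructed for illustration, and `portal_allows_encrypted` is the value you read from the portal's Allow Encrypted Assertion setting.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}

def inspect_saml_response(b64_response):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and report how the assertion is carried."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not expected in SAML; refusing to parse")
    root = ET.fromstring(xml_bytes)
    enc = root.find("saml:EncryptedAssertion", NS)
    info = {"encrypted": enc is not None,
            "plain": root.find("saml:Assertion", NS) is not None,
            "data_alg": None, "key_alg": None}
    if enc is not None:
        data = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        key = enc.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        info["data_alg"] = data.get("Algorithm") if data is not None else None
        info["key_alg"] = key.get("Algorithm") if key is not None else None
    return info

def diagnose(info, portal_allows_encrypted):
    """Compare what the IdP sent with the portal's Allow Encrypted Assertion setting."""
    if info["encrypted"] and not portal_allows_encrypted:
        return "MISMATCH: IdP encrypts the assertion but the portal setting is disabled"
    if info["encrypted"]:
        return "OK: encrypted assertion and the portal setting is enabled"
    if info["plain"]:
        return "PLAIN: assertion is not encrypted by the IdP"
    return "NO ASSERTION: check the Status element of the response"

# Constructed sample: skeleton of an encrypted response (the ciphertext is a placeholder).
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    found = inspect_saml_response(SAMPLE_B64)
    print(found)
    print(diagnose(found, portal_allows_encrypted=False))
```

A MISMATCH result corresponds to the cause described above; treat captured SAML responses as sensitive and do not paste them into third-party decoders.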

Solution or Workaround

Note: Esri recommends keeping the Encrypted Assertion setting enabled in ArcGIS Online or ArcGIS Enterprise to maintain a stronger cybersecurity posture.

  1. Turn on the Encrypted Assertion setting in ArcGIS Online or the Enterprise portal.
    1. Log in to ArcGIS Online or the Enterprise portal.
    2. Navigate to Organization > Settings > Security > Logins > Configure Logins.
    3. Click Show Advanced Settings.
    4. Enable the Allow Encrypted Assertion setting.
  2. Deactivate the token encryption certificates in Microsoft Entra ID.
    1. Log in to the Microsoft Azure Portal.
    2. Open Microsoft Entra ID.
    3. Navigate to Enterprise Applications.
    4. Open the relevant ArcGIS Online or ArcGIS Enterprise application.
    5. Click Security.
    6. Navigate to Token Encryption.
    7. Deactivate and delete the relevant certificates.

Article ID: 000033809

Software:
  • ArcGIS Online
  • Portal for ArcGIS
  • ArcGIS Enterprise
