Problem: ArcGIS Online SAML Authentication signing and encryption certificate renewal (2021)
ArcGIS Online has a new SAML signing and encryption certificate available. This certificate is necessary when an organization has enabled signed requests or encrypted assertions. The previous SAML signing and encryption certificate expires on September 28th, 2021, so action is required to ensure that your organization can continue to use your Enterprise Identity Provider (IDP). SAML enterprise logins that use the old certificate for signed requests or encrypted assertions continue to work until September 27th, 2021.
If the ArcGIS Online metadata file (which contains the new signing certificate) was not uploaded to the Identity Provider (IDP) before September 28th, 2021, and the “Enable Signed Request” option is enabled, an error occurs when organization members sign in to ArcGIS Online with an Enterprise SAML account. The error is an IDP-specific message displayed in place of the IDP sign-in page.
Solution or Workaround
During this transition, ArcGIS Online, as the Service Provider (SP), continued to accept the old certificate to keep services available. The organization's IDP must update its registration using the available ArcGIS Online SP metadata, which includes both the old and new signing certificates. Now that the transition period has ended, the IDP can be updated again (after September 28th, 2021) to remove the old certificate if desired, but this is not required.
To enable your IDP to discover the new certificates, available starting August 28, 2021, you must re-register ArcGIS Online as your trusted service provider. The process varies by SAML identity provider; however, tutorials on how to do this can be found by following the links below, within the section titled “Register ArcGIS Online as the trusted service provider with [IDP name]”.
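As an added example (not Esri's code or tooling), a standard-library Python check an administrator can run before and after re-registering: it parses two copies of SP metadata, the one the IDP registered earlier and the freshly downloaded one, and lists the signing and encryption certificates the IDP copy is missing. The metadata strings, entity ID and certificate bytes are constructed placeholders; point it at real metadata files to use it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespace URIs (standard).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprints(metadata_xml: str) -> dict:
    """Map each key use to the SHA-256 fingerprints of the SP's certificates."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": set(), "encryption": set()}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # No 'use' attribute means the key is valid for both uses (SAML 2.0 metadata).
        uses = [kd.get("use")] if kd.get("use") else list(found)
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            for use in uses:
                found[use].add(hashlib.sha256(der).hexdigest())
    return found

def missing_at_idp(idp_copy_xml: str, current_sp_xml: str) -> dict:
    """Certificates in the current SP metadata that the IDP's registered copy lacks."""
    # A non-empty 'signing' list is the failure condition from the article: the IDP
    # cannot validate requests signed with the new certificate once the old one expires.
    have, want = cert_fingerprints(idp_copy_xml), cert_fingerprints(current_sp_xml)
    return {use: sorted(want[use] - have[use]) for use in want}

def metadata_with(cert_ders: list) -> str:
    """Build minimal SP metadata carrying the given (constructed) certificate bytes."""
    kds = "".join(
        "<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
        + base64.b64encode(der).decode()
        + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for der in cert_ders)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://sp.example.invalid/saml/metadata">'
            '<md:SPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{kds}</md:SPSSODescriptor>'
            "</md:EntityDescriptor>")

# Constructed stand-ins for DER certificates; real metadata carries X.509 DER here.
OLD_DER, NEW_DER = b"constructed-old-sp-cert", b"constructed-new-sp-cert"
NEW_FP = hashlib.sha256(NEW_DER).hexdigest()
IDP_COPY = metadata_with([OLD_DER])             # what the IDP registered earlier
CURRENT_SP = metadata_with([OLD_DER, NEW_DER])  # freshly downloaded SP metadata

if __name__ == "__main__":
    print(missing_at_idp(IDP_COPY, CURRENT_SP))
```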
If you have any questions, please contact Esri Technical Support.
Last Published: 9/9/2021
Article ID: 000022078