Problem: ArcGIS Online SAML Authentication signing and encryption certificate renewal (2019)
ArcGIS Online has a new SAML signing and encryption certificate available. This certificate is required when an organization has enabled signed requests or encrypted assertions. The previous SAML signing and encryption certificate expired on December 5th, 2019, and action is necessary to ensure that your organization can continue to use your Enterprise Identity Provider (IDP). SAML enterprise logins that used the old certificate for signed requests or encrypted assertions continued to work until December 4th, 2019.
If the ArcGIS Online metadata file (which contains the new signing certificate) was not uploaded to the Identity Provider (IDP) before December 5th, 2019, and the “Enable Signed Request” option is enabled, an error occurs when organization members sign in to ArcGIS Online with an Enterprise SAML account. The error is an IDP-specific message displayed in place of the IDP sign-in page.
Solution or Workaround
During the transition, ArcGIS Online, as the Service Provider (SP), continued to accept the old certificate to keep services available. The organization's IDP must update its registration using the available ArcGIS Online SP metadata, which includes both the old and the new signing certificates. Now that the transition period has ended (after December 5th, 2019), the IDP can be updated again to remove the old certificate; this is optional, not required.
To enable your IDP to discover the new certificates, available starting October 2, 2019, you must re-register ArcGIS Online as your trusted service provider. The process varies by SAML identity provider; tutorials for each can be found by following the links below, in the section titled “Register ArcGIS Online as the trusted service provider with [IDP name]”.
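Before re-registering, an administrator will want to confirm what the SP metadata actually advertises (which certificates, for which use, and whether signed requests are declared) and whether the certificate the IDP currently has on file is still one of them. The following Python script, added here as an illustration and not Esri's code or tooling, parses a SAML 2.0 SP metadata document with the standard library, fingerprints each KeyDescriptor certificate with SHA-256, and reports whether a given registered certificate still appears. The metadata document and the two certificate bodies are constructed samples (the certificate bytes are placeholders, not real X.509 DER), and all function names are the example's own; point `parse_sp_keys` at the real ArcGIS Online metadata file to use it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# SAML 2.0 metadata and XML Signature namespaces used in SP metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: NOT real X.509 DER certificates, only byte strings
# standing in for the old and new SP certificates so the logic runs offline.
OLD_CERT_DER = b"placeholder-der-old-sp-certificate"
NEW_CERT_DER = b"placeholder-der-new-sp-certificate"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed SP metadata in the shape of the transition-period document the
# article describes: the new certificate for signing and encryption, plus the
# old signing certificate still listed so existing IDP registrations keep working.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(NEW_CERT_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(NEW_CERT_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(OLD_CERT_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass(frozen=True)
class SpKey:
    use: str          # "signing", "encryption", or "any" when no use attribute is given
    fingerprint: str  # SHA-256 of the DER bytes, lowercase hex


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate body, as IDP consoles usually display it."""
    return hashlib.sha256(der).hexdigest()


def parse_sp_keys(metadata_xml: str) -> List[SpKey]:
    """Return every certificate advertised under SPSSODescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    keys: List[SpKey] = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "any")
        for cert_el in kd.iterfind(".//ds:X509Certificate", NS):
            # Base64 in metadata is often wrapped across lines; drop whitespace first.
            der = base64.b64decode("".join((cert_el.text or "").split()))
            keys.append(SpKey(use, fingerprint(der)))
    return keys


def sp_flags(metadata_xml: str) -> Dict[str, bool]:
    """Which features of this SP depend on the certificates being current."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:SPSSODescriptor", NS)
    keys = parse_sp_keys(metadata_xml)
    return {
        "AuthnRequestsSigned": (sso is not None and sso.get("AuthnRequestsSigned", "false").lower() == "true"),
        "HasEncryptionKey": any(k.use in ("encryption", "any") for k in keys),
    }


def idp_registration_is_current(metadata_xml: str, registered_der: bytes, use: str) -> bool:
    """True if the certificate the IDP has on file for `use` is still listed in the SP metadata."""
    wanted = fingerprint(registered_der)
    return any(k.fingerprint == wanted and k.use in (use, "any") for k in parse_sp_keys(metadata_xml))


if __name__ == "__main__":
    for key in parse_sp_keys(SAMPLE_SP_METADATA):
        print(f"{key.use:<11} sha256:{key.fingerprint}")
    print(sp_flags(SAMPLE_SP_METADATA))
    print("old signing cert still accepted:",
          idp_registration_is_current(SAMPLE_SP_METADATA, OLD_CERT_DER, "signing"))
```

Run it as-is to see the transition-period picture: the old certificate is still listed for signing, so an IDP that has not yet re-registered keeps working, but it is absent for encryption. Comparing the fingerprint shown in your IDP's console against the `parse_sp_keys` output is the quickest way to tell whether the registration was refreshed before the old certificate expired.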
If you have any questions, please contact Esri Technical Support.
Last Published: 12/26/2019
Article ID: 000022078