Error: Unable to login using Idp Unable to validate SAML response
The following error is returned when trying to access ArcGIS Online with configured enterprise logins:
Error: "Unable to login using Idp. Unable to validate SAML response"
The following are possible causes.
- Configured Shibboleth certificates do not match. This error can be prompted when the authentication signatures for the sender and receiver Shibboleth certificates do not match. A mismatch in certificates can occur when a new Identity Provider (IdP) is configured but is not updated with the appropriate Shibboleth certificate.
- Active Directory Federation Services (AD FS) certificate has changed or is expired. If the certificate is expired, ArcGIS Online is unable to connect to the Security Assertion Markup Language (SAML) on the IdP server to authenticate enterprise logins.
- Uploading the federation metadata file can return this error. This can be caused by a corrupt metadata file or if another application is using the metadata file.
- Loss of trust relationship between ArcGIS Online and the IdP, which must be re-linked.
Solution or Workaround
The following are possible solutions.
- Configure a working Shibboleth certificate. The following ArcGIS Online Help document explains this in detail: Configure Shibboleth.
- Update the X.509 certificate in ArcGIS Online. The following ArcGIS Online Help document explains this in detail: Set up enterprise logins.
Note: An SAML tracer tool is used to display network traffic being passed through, together with SAML request and response messages to troubleshoot Enterprise login issues. The following SAML tracer tools can be used with the following browsers: Google Chrome, SAML Chrome Panel and Mozilla Firefox, SAML tracer.
- Update AD FS with a working federation metadata file. The following ArcGIS Online Help document explains this in detail: Configure Active Directory Federation Services.