ArcGIS Online SAML Authentication signing and encryption certificate renewal

Description

ArcGIS Online has a new SAML signing and encryption certificate available. This certificate is necessary when an organization has enabled signed requests or encrypted assertions. The previous SAML signing and encryption certificate is due to expire on November 14th, 2018 and it is necessary to take action to ensure that your organization can continue to use your Enterprise Identity Provider (IDP). SAML enterprise logins that use the old certificate for signed requests or encrypted assertions will continue to work until Nov 13, 2018.

Cause

If the ArcGIS Online metadata file, that contains the new signing certificate, is not uploaded into the Identity Provider (IDP) before November 14, 2018, and the “Enable Signed Request” option is enabled, an error will occur when signing into ArcGIS Online with an Enterprise SAML account. This error is an IDP-specific message displayed in place of the IDP sign in page.

Solution or Workaround

To enable your IDP to discover the new certificates, available starting November 2, 2018, you must re-register ArcGIS Online as your trusted services provider. The process for this varies by the SAML identity provider used, however tutorials on how to do this can be found by following the links below, within the section titled: “Register ArcGIS Online as the trusted service provider with [IDP name]".

• AD FS
• NetIQ
• Okta
• Open AM
• Shibboleth
• Simple SAML

If you have any questions, please contact Esri Technical Support