ERROR

Unable to log in using IDP. Invalid subject found in SAML response for Shibboleth

Last Published: July 22, 2021

Error Message

When Shibboleth is the identity provider (IdP), the following error is returned when a user tries to log in to an ArcGIS Enterprise portal through a SAML login:

Unable to login using Idp. Invalid subject found in SAML response.

Cause

The <Subject> element of the SAML assertion returned by the IdP does not contain a NameID element, so the portal cannot identify the user from the response.

Solution or Workaround

  1. Edit the SHIBBOLETH_HOME/conf/saml-nameid.xml file and replace this commented-out section:

     <!--
     <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
         p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
         p:attributeSourceIds="#{ {'mail'} }" />
     -->

     with the following, where your-name-id-attribute is the ID of the attribute whose value should become the NameID:

     <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
         p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
         p:attributeSourceIds="#{ {'your-name-id-attribute'} }" />

  2. Restart the Shibboleth daemon (Linux) or service (Windows).
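To confirm the cause before changing the IdP, or to verify the fix afterwards, the following added example (not Esri's or Shibboleth's code) parses a SAML Response captured from the browser and reports whether the assertion's Subject carries a NameID and which Format it uses. The two responses in the block are constructed samples; the issuer URL and the user value jdoe are assumptions.

```python
"""Report whether a SAML 2.0 Response carries a NameID in the assertion's Subject.

Added diagnostic example, not Esri's or Shibboleth's code. It checks the
condition behind the "Invalid subject found in SAML response" error on a
Response captured from the browser. Both sample responses below are
constructed for illustration; the issuer URL and the user value are assumed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def check_subject_nameid(response_xml: str) -> dict:
    """Inspect <Subject> of the first plain <Assertion> in a Response.

    Returns a dict with keys: encrypted, has_assertion, has_subject,
    name_id (text or None) and name_id_format (Format attribute or None).
    Only the structure is examined; signatures are not verified here.
    """
    root = ET.fromstring(response_xml)
    result = {
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "has_assertion": False,
        "has_subject": False,
        "name_id": None,
        "name_id_format": None,
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return result
    result["has_assertion"] = True
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        return result
    result["has_subject"] = True
    name_id = subject.find("saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        result["name_id"] = name_id.text.strip()
        result["name_id_format"] = name_id.get("Format")
    return result


def diagnose(response_xml: str) -> str:
    """Turn the check result into a one-line finding for the administrator."""
    r = check_subject_nameid(response_xml)
    if not r["has_assertion"]:
        if r["encrypted"]:
            return "Assertion is encrypted; decrypt it with the SP key before checking"
        return "Response contains no Assertion"
    if not r["has_subject"]:
        return "Assertion has no Subject element"
    if r["name_id"] is None:
        return ("Subject has no NameID: the IdP is not generating one "
                "(enable a NameID generator in saml-nameid.xml)")
    return f"OK: NameID={r['name_id']} Format={r['name_id_format']}"


# Constructed failing case: Subject holds only a SubjectConfirmation, no NameID.
MISSING_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed working case: NameID present, using the unspecified format.
WITH_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, xml in (("missing", MISSING_NAMEID), ("present", WITH_NAMEID)):
        print(f"{label}: {diagnose(xml)}")
```

Feed it the base64-decoded SAMLResponse parameter from the POST to the portal's SAML endpoint. If the IdP encrypts assertions for the portal, the check reports that and the assertion has to be decrypted with the portal's SP key first; the check looks only at structure and does not replace the portal's own signature validation.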

Article ID:000026099

Software:
  • Portal for ArcGIS
