ArcGIS Online has renewed its signing and encryption certificates

11-02-2018 11:16 AM
RandallWilliams
Esri Regular Contributor

On November 2, 2018, ArcGIS Online's signing and encryption certificates were updated.

ArcGIS Online has a new SAML signing and encryption certificate available. This certificate is required when an organization has enabled signed requests or encrypted assertions. The previous SAML signing and encryption certificate is due to expire on November 14th, 2018, and action is necessary to ensure that your organization can continue to use your Enterprise Identity Provider (IDP). SAML enterprise logins that use the old certificate for signed requests or encrypted assertions will continue to work until Nov 13, 2018.

Action: Users who have enabled the advanced options 'Enable Signed Requests' and/or 'Encrypt Assertion' will need to obtain the new ArcGIS Online Service Provider metadata file and associate it with their Identity Provider before November 14, 2018.

Customers using these advanced options who do not upload the updated ArcGIS Online metadata file containing the new certificate before this date will receive an IDP-specific error when they attempt to sign in to ArcGIS Online with an Enterprise account.

To obtain the updated metadata file:

a. Log in to www.arcgis.com with your administrative credentials
b. Click on "Organization" then "Settings" then "Security"
c. Scroll down to "Enterprise Logins" then click the "Get Service Provider" button.

   - This action will download the metadata needed for your IDP.
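Before uploading the downloaded metadata to your IDP, it is worth confirming that it actually carries a certificate your IDP does not yet trust. The following stdlib-only Python script is an added example (not Esri's code or anything from the original post): it extracts the signing and encryption certificate fingerprints from a SAML SP metadata file and compares them with the copy currently registered at the IDP. The metadata and certificate bodies it runs on are constructed placeholders, not real ArcGIS Online output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# SAML 2.0 metadata and XML-Signature namespaces used in SP metadata files.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the form most IdP consoles display."""
    return hashlib.sha256(der).hexdigest()

def sp_certificates(metadata_xml: str) -> Dict[str, Set[str]]:
    """Map each key use ('signing', 'encryption') to the fingerprints declared under
    SPSSODescriptor. A KeyDescriptor without a 'use' attribute covers both uses."""
    root = ET.fromstring(metadata_xml)
    certs: Dict[str, Set[str]] = {"signing": set(), "encryption": set()}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else list(certs)
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((x509.text or "").split()))  # drop line breaks
            for use in uses:
                certs.setdefault(use, set()).add(fingerprint(der))
    return certs

def rotation_status(idp_trusted_xml: str, downloaded_xml: str) -> Dict[str, List[str]]:
    """Per use, fingerprints in the downloaded metadata that the copy registered at the
    IdP lacks; an empty list means the IdP already trusts the current certificate."""
    old, new = sp_certificates(idp_trusted_xml), sp_certificates(downloaded_xml)
    return {use: sorted(new[use] - old.get(use, set())) for use in new}

def sample_metadata(cert_body: bytes, use: Optional[str] = None) -> str:
    """Constructed minimal SP metadata for the demo (placeholder data, not a real cert)."""
    use_attr = f' use="{use}"' if use else ""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://sp.example.test/placeholder"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f'{base64.b64encode(cert_body).decode()}</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')

# Placeholder certificate bodies (not real X.509 DER) standing in for old and new certs.
IDP_TRUSTED = sample_metadata(b"OLD-CERT-PLACEHOLDER")  # copy the IdP holds today
DOWNLOADED = sample_metadata(b"NEW-CERT-PLACEHOLDER")   # freshly downloaded SP metadata

if __name__ == "__main__":
    for use, missing in rotation_status(IDP_TRUSTED, DOWNLOADED).items():
        print(f"{use}: {'IdP needs the new certificate' if missing else 'unchanged'} {missing}")
```

Point `IDP_TRUSTED` at the metadata your IDP was originally registered with and `DOWNLOADED` at the new file; a non-empty list for a use means the IDP must be updated before the old certificate expires.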


An email containing the following text has already been sent to ArcGIS Online Organization Administrators:

"ArcGIS Online will be updating its SAML signing and encryption certificates on November 13th, and we need you to take action to ensure your organization can continue to use your Enterprise Identity Provider (IDP).

This certificate is necessary when an Organization has enabled signed requests or encrypted assertions.

To enable your IDP to discover our new certificates, you will need to re-register ArcGIS Online as your trusted services provider.

The process for this varies by the SAML identity provider used, but tutorials on how to do this can be found in our documentation within the section titled 'Register ArcGIS Online as the trusted service provider'.

Esri has documented this process for these popular Identity Providers:

ADFS
NetIQ
Okta
OpenAM
Shibboleth
SimpleSAML


If you have any questions, please contact technical support."

Esri Support Services has released a KB article describing this issue. See:

Problem: ArcGIS Online SAML Authentication signing and encryption certificate renewal 

7 Comments
JoeFlannery
Occasional Contributor III

Randall:


You state in your article: "…but tutorials on how to do this can be found in our documentation within the section titled 'Register ArcGIS Online as the trusted service provider'." Yet, when I visit the linked website, there is no section titled 'Register ArcGIS Online as the trusted service provider.'


Also, to be clear, if I download a service provider metadata file today, is it the updated metadata file? If yes, when do I install it on my end? Now, or wait until November 13th? I would like to be clear on the timing of when to implement this new metadata file.

Thank you,

Joe

RandallWilliams
Esri Regular Contributor

Hi Joe, 

Sorry for the confusion, and thanks for providing the first comment for this new space!

Documentation for many popular identity providers is linked to in the help doc referenced above. Additionally, Esri Support Services just released this KB that speaks to this issue:

Problem: ArcGIS Online SAML Authentication signing and encryption certificate renewal 

In terms of timing, the new certificate has already been added to the ArcGIS Online metadata file. Users just need to download the metadata file from ArcGIS Online and upload it into their IDP before November 14th.

--Randall

JoeFlannery
Occasional Contributor III

Randall - Thank you for the clarification.  And, this is going to be a great blog-space for us Admins!

Have a nice weekend,

Joe

BillFox
MVP Frequent Contributor

Randall,

I do not remember receiving any e-mail from esri about this as mentioned in the blog post.

"An email containing the following text has already been sent to ArcGIS Online Organization Administrators:"

Has anyone else received a notice?

Thank you,

-Bill

JoePlattner
New Contributor III

Anyone else have to generate a new token because of this?

RandallWilliams
Esri Regular Contributor

Hi Joe,

Can you elaborate? I know some users who leverage SAML and had enabled the option to encrypt signed assertions needed to update the metadata file provided by ArcGIS Online, but I haven't heard of issues related to tokens per se.