Ad Fs Management an Error Occurred During an Attempt to Read the Federation Metadata

You can configure Active Directory Federation Services (AD FS) in the Microsoft Windows Server operating system as your identity provider (IDP) for SAML logins in ArcGIS Enterprise. The configuration process involves two main steps: registering your SAML IDP with ArcGIS Enterprise and registering ArcGIS Enterprise with the SAML IDP.

Required information

ArcGIS Enterprise requires certain attribute information to be received from the IDP when a user signs in using SAML logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response to make federation work. Since ArcGIS Enterprise uses the value of NameID to uniquely identify a named user, it is recommended that you use a constant value that uniquely identifies the user. When a user from the IDP signs in, a new user with the user name NameID will be created by the ArcGIS Enterprise organization in its user store. The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be escaped to underscores in the user name created by ArcGIS Enterprise.

ArcGIS Enterprise supports the flow of a user's email address, group memberships, given name, and surname from the SAML identity provider.

Register AD FS as the SAML IDP with your portal

  1. Verify that you are signed in as an administrator of your organization.
  2. At the top of the site, click Organization and click the Settings tab.
  3. Click Security on the left side of the page.
  4. In the Logins section, click the New SAML login button, and select the One identity provider option. On the Specify properties page, type your organization's name (for example, City of Redlands). When users access the portal website, this text displays as part of the SAML sign-in option (for example, Using your City of Redlands account).
  5. Choose Automatically or Upon invitation from an administrator to specify how users can join the organization. Selecting the first option allows users to sign in to the organization with their SAML login without any intervention from an administrator. Their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to register the necessary accounts with the organization using a command line utility. Once the accounts have been registered, users can sign in to the organization.
  6. Provide metadata information for the IDP using one of the options below:
    • URL—If the URL of AD FS federation metadata is accessible, select this option and enter the URL (for example, https://<adfs-server>/federationmetadata/2007-06/federationmetadata.xml).

      If your SAML IDP uses a self-signed certificate, you may encounter an error when attempting to specify the HTTPS URL of the metadata. This error occurs because ArcGIS Enterprise cannot verify the IDP's self-signed certificate. Alternatively, use HTTP in the URL, use one of the other options below, or configure your IDP with a trusted certificate.

    • File—Choose this option if the URL is not accessible. Download or obtain a copy of the federation metadata file from AD FS and upload the file to the ArcGIS Enterprise portal using the File option.
    • Parameters specified here—Choose this option if the URL or federation metadata file is not accessible. Enter the values manually and supply the requested parameters: the login URL and the certificate, encoded in the BASE 64 format. Contact your AD FS administrator to obtain these.
  7. Configure the advanced settings as applicable:
    • Encrypt Assertion—Enable this option to encrypt the AD FS SAML assertion responses.
    • Enable signed request—Enable this option to have ArcGIS Enterprise sign the SAML authentication request sent to AD FS.
    • Propagate logout to Identity Provider—Enable this option to have ArcGIS Enterprise use a logout URL to sign out the user from AD FS. Enter the URL to use in the Logout URL setting. If the IDP requires the logout URL to be signed, Enable signed request must be turned on.

      By default, AD FS requires logout requests to be signed using SHA-256, so you need to enable the Enable signed request toggle button and select Sign using SHA256.

    • Update profiles on sign in—Enable this option to have ArcGIS Enterprise update users' givenName and email address attributes if they have changed since they last signed in.
    • Enable SAML based group membership—Enable this option to allow organization members to link specified SAML-based groups to ArcGIS Enterprise groups during the group creation process.
    • Logout URL—The IDP URL to use to sign out the currently signed-in user.
    • Entity ID—Update this value to use a new entity ID to uniquely identify your portal to AD FS.

    The Encrypt Assertion and Enable signed request settings use the certificate samlcert in the portal keystore. To use a new certificate, delete the samlcert certificate, create a certificate with the same alias (samlcert) following the steps in Import a certificate into the portal, and restart the portal.

  8. Click Save.
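The Parameters specified here option above asks for exactly two things from the IDP's federation metadata: the login URL and the signing certificate in base64. The following added example (not part of the original page or of Esri's software) shows how those values are located in an AD FS-style federationmetadata.xml document, so that an administrator who cannot reach the HTTPS metadata URL from the portal can still fill the fields in from a downloaded file. The metadata document embedded below is constructed for the demo; its X509Certificate bodies are 5-byte DER stubs standing in for a real certificate, and the host name adfs.example.com is an assumption.

```python
"""Pull the manual SAML IDP parameters (login URL, base64 signing certificate)
out of an AD FS federation metadata document."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape AD FS publishes. The certificate text is a
# tiny DER stub (SEQUENCE { INTEGER n }) rather than a real X.509 certificate;
# the encryption and signing keys are given different stubs so the parser's
# choice is observable.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MAMCAQI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MAMCAQE=
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_idp_parameters(metadata_xml: str) -> dict:
    """Return entity ID, login URL, logout URL and the base64 signing certificate.

    Raises ValueError when the document is not usable IDP metadata, which is
    the situation behind the "cannot read the federation metadata" class of
    errors: better to fail loudly than to register a half-filled IDP.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Collect the SSO endpoints by binding; prefer HTTP-Redirect, fall back to POST.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    login_url = sso.get(REDIRECT) or sso.get(POST)
    if login_url is None:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    # The certificate the portal needs is the one AD FS *signs* with, not the
    # encryption key. A KeyDescriptor without a use attribute may serve both.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # strip line breaks from the PEM body
            break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(cert_b64, validate=True)
    if not der or der[0] != 0x30:  # DER certificates always start with a SEQUENCE tag
        raise ValueError("signing certificate is not DER-encoded")

    logout = idp.find("md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID"),
        "login_url": login_url,
        "logout_url": logout.get("Location") if logout is not None else None,
        "certificate_base64": cert_b64,
    }


if __name__ == "__main__":
    for key, value in extract_idp_parameters(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The login_url and certificate_base64 values are what go into the Parameters specified here fields; logout_url is the value for the Logout URL setting when Propagate logout to Identity Provider is enabled. Reading the metadata from a downloaded file this way sidesteps the self-signed certificate problem entirely, because no TLS connection from the portal to AD FS is involved.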

Register your portal as the trusted service provider with AD FS

  1. Open the AD FS management console.
  2. Choose Relying Party Trusts > Add Relying Party Trust.
  3. In the Add Relying Party Trust Wizard, click the Start button.
  4. For Select Data Source, choose one option for obtaining data about the relying party: import from a URL, import from a file, or enter manually.

    URL and file options require that you obtain the metadata from your organization. If you don't have access to the metadata URL or file, you can enter the information manually. In some cases, entering the information manually may be the easiest option.

    • Import data about the relying party published online or on a local network

      This option uses the metadata URL of your ArcGIS Enterprise organization. The URL is https://webadaptorhost.domain.com/webadaptorname/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://webadaptorhost.domain.com/webadaptorname/sharing/rest/generateToken. When entering the URL on the Generate Token page, specify the fully qualified domain name of the AD FS server in the Webapp URL field. Selecting any other option, such as IP Address or IP Address of this request's origin, is not supported and may generate an invalid token.

      The arcgis portion of the above sample URL is the default name of the Web Adaptor application. If your web adaptor is named something other than arcgis, replace this portion of the URL with the name of your web adaptor.

    • Import data about the relying party from a file

      This option uses a metadata.xml file from your ArcGIS Enterprise organization. There are two ways you can get a metadata .xml file:

      • On the organization page, click the Settings tab and click Security on the left side of the page. In the Logins section, under SAML login, click the Download service provider metadata button to download the metadata file for your organization.
      • Open the metadata URL of your ArcGIS Enterprise organization and save it as an .xml file on your computer. The URL is https://webadaptorhost.domain.com/webadaptorname/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://webadaptorhost.domain.com/webadaptorname/sharing/rest/generateToken. When entering the URL on the Generate Token page, specify the fully qualified domain name of the AD FS server in the Webapp URL field. Selecting any other option, such as IP Address or IP Address of this request's origin, is not supported and may generate an invalid token.

        The arcgis portion of the above sample URLs is the default name of the Web Adaptor application. If your web adaptor is named something other than arcgis, replace this portion of the URL with the name of your web adaptor.

    • Enter data about the relying party manually

      With this option, the Add Relying Party Trust Wizard displays additional windows where you enter the data manually. These are explained in steps 6 through 8 below.

  5. For Specify Display Name, enter the display name.

    The display name is used to identify the relying party in AD FS. Outside of this, it doesn't have any meaning. Set this to either ArcGIS or to the name of the organization within ArcGIS, for example, ArcGIS—SamlTest.

  6. (Manual data source only) For Choose Profile, choose the AD FS profile that's applicable in your environment.
  7. (Manual data source only) For Configure URL, check the Enable support for the SAML 2.0 WebSSO protocol box and enter the URL for the relying party SAML 2.0 SSO service.

    The relying party URL must be the URL where AD FS sends the SAML response after authenticating the user. This must be an HTTPS URL: https://webadaptorhost.domain.com/webadaptorname/sharing/rest/oauth2/saml/signin.

    The arcgis portion of the above sample URL is the default name of the Web Adaptor application. If your web adaptor is named something other than arcgis, replace this portion of the URL with the name of your web adaptor.

  8. (Manual data source only) For Configure Identifiers, enter the URL for the relying party trust identifier.

    This must be portal.domain.com.arcgis.

  9. For Choose Issuance Authorization Rules, choose Permit all users to access this relying party.
  10. For Ready to Add Trust, review all the settings for the relying party.

    The metadata URL is only populated if you chose to import the data source from a URL.

    Tip:

    If the Monitor relying party option is enabled, AD FS periodically checks the federation metadata URL and compares it with the current state of the relying party trust. However, monitoring fails once the token in the federation metadata URL expires. Failures are recorded in the AD FS event log. To suppress these messages, it is recommended that you disable monitoring or update the token.

  11. Click Next.
  12. For Finish, check the box to automatically open the Edit Claim Rules dialog box after you click the Close button.
  13. To set the claim rules, open the Edit Claim Rules wizard and click Add Rule.
  14. For the Select Rule Template step, select the Send LDAP Attributes as Claims template for the claim rule you want to create. Click Next.
  15. For the Configure Claim Rule step, follow the instructions below to edit the claim rules.
    1. For Claim rule name, provide a name for the rule, such as DefaultClaims.
    2. For Attribute store, select Active Directory.
    3. For Mapping of LDAP attributes to outgoing claim types, select values from the drop-down menus to specify how the LDAP attributes map to the outgoing claim types that are issued from the rule.

      Use the following table as a guide:

      LDAP attribute                                         Outgoing claim type
      ----------------------------------------------------   -------------------
      The LDAP attribute that contains the unique user       Name ID
      names (for example, User-Principal-Name or
      SAM-Account-Name)
      Given-Name                                             Given Name
      Surname                                                Surname
      E-Mail-Addresses                                       E-Mail Address
      Token-Groups - Unqualified Names                       Group

    (Figure: Configure Rule - DefaultClaims)
    Caution:

    Manually typing values instead of selecting them from the drop-down menus creates user-defined attributes and could result in errors. For best results, use the drop-down menus to specify values.

    With this claim rule, AD FS sends attributes with the names givenname, surname, email, and group membership to ArcGIS Enterprise after authenticating the user. ArcGIS Enterprise then uses the values received in the givenname, surname, and email attributes to populate the first name, last name, and email address of the user account. The values in the group attribute are used to update the user's group membership.

    If you selected the Enable SAML based group membership option when registering AD FS as the SAML IDP, membership for each user is obtained from the SAML assertion response received from the identity provider every time the user successfully signs in. For information on linking SAML groups, see Create groups.

  16. Click Finish to finish configuring the AD FS IDP to include ArcGIS Enterprise as a relying party.
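The claim rule above and the NameID rules in the Required information section together determine what account ArcGIS Enterprise creates. The following added example (not part of the original page or of Esri's software) parses a SAML response shaped like the one AD FS issues under that rule, pulls out NameID and the givenname, surname, email and Group claims by their claim-type URIs, and applies the documented user-name rule (only alphanumerics, _, . and @ survive; everything else becomes an underscore). The response document is constructed for the demo; the one-underscore-per-character behaviour and the example names are assumptions. Signature validation is deliberately out of scope here: in production the response's XML signature must be verified against the IDP's signing certificate before any of these values are trusted.

```python
"""Map an AD FS SAML response to the ArcGIS Enterprise user profile it implies."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# AD FS claim type URIs behind the outgoing claim types chosen in the claim rule.
CLAIMS = {
    "givenname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
}
# Characters the page lists as allowed in a NameID-derived user name.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")

# Constructed sample response (unsigned, for parsing only). The NameID carries
# an apostrophe, a character that is legal in a UPN but not in an ArcGIS user name.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane.o'neil@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>O'Neil</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.oneil@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>GIS Editors</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def arcgis_username(name_id: str) -> str:
    """Apply the documented rule: any character outside [A-Za-z0-9_.@] becomes '_'.

    One underscore per offending character is an assumption; the page only says
    such characters are escaped to underscores.
    """
    return _DISALLOWED.sub("_", name_id)


def extract_user_profile(response_xml: str) -> dict:
    """Return NameID, the derived user name, and the profile claims from a response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAML response carries no assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        # NameID is mandatory: without it the portal cannot identify the user.
        raise ValueError("NameID is missing; AD FS must send it for federation to work")

    # Multi-valued attributes (Group) keep every value; the others use the first.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values

    def first(key):
        vals = attrs.get(CLAIMS[key], [])
        return vals[0] if vals else None

    subject = name_id.text.strip()
    return {
        "name_id": subject,
        "username": arcgis_username(subject),
        "first_name": first("givenname"),
        "last_name": first("surname"),
        "email": first("email"),
        "groups": attrs.get(CLAIMS["groups"], []),
    }


if __name__ == "__main__":
    for key, value in extract_user_profile(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Running this shows why the page recommends a constant, unique NameID: the user name is derived mechanically from it, so two distinct NameIDs that differ only in a disallowed character (for example, one with an apostrophe and one with a space in the same position) would collapse onto the same ArcGIS account, and a NameID that changes between sign-ins would create a second account rather than update the first.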


Source: https://enterprise.arcgis.com/en/portal/latest/administer/windows/configure-adfs.htm
