Status: Closed
Affects Version/s: 4.8.3.Final, RH-SSO-7.3.0, 6.0.1
Fix Version/s: None
Component/s: Protocol - SAML
Steps to Reproduce:
- Configure enterprise login with Keycloak in ArcGIS Portal/Online (described in the attached document);
- Open ArcGIS Pro
- Configure licensing option to Named User License
- Configure the ArcGIS Portal or Online (this problem happens with both)
- Select enterprise login
- Enter a valid or invalid credential
- ArcGIS Pro will exit without any warning after the user clicks the submit button on the login form
Docs QE Status: NEW
ArcGIS Online (and ArcGIS Portal) is a tool developed by Esri that allows users to create web maps to share with others. It allows users from a company to log in with their enterprise login using the SAML 2.0 protocol.
Here we use ArcGIS Portal integrated with RH-SSO 7.3.0 to authenticate internal enterprise users. Although it works fine in the web version, in the desktop tools (ArcGIS Pro and ArcGIS Desktop), after the user enters a valid or invalid credential in the Keycloak login screen, the tools just give generic messages or just exit (they don't redirect back to the login screen if the credentials are invalid; the window just closes). We have already reported this issue to Esri and are waiting for their answer.
We did some research and found that this problem is caused by a query parameter in the Keycloak login page form. The parameter session_code is included in the URL in the action attribute of the login form tag as shown in the following image.
When we remove the session_code query parameter from the URL (we did that by adding a hardcoded URL in the login theme), ArcGIS Pro doesn't exit after the form is submitted (it shows an error since we removed the attribute, which is required by Keycloak). In the end we found that the ArcGIS tools check the navigated URLs for the code query param (using the same logic as Java's String.contains function, i.e., checking if the URL contains the string code) and use it as an authorization code (ArcGIS Online/Portal is an OAuth 2.0 IdP), which ArcGIS doesn't recognize.
In ArcGIS Desktop a generic error is shown on the first try, but it doesn't exit. If the user retries, the authentication works since the credentials are stored in the cookies and the SAML Post page is shown instead of the login page. In the case of ArcGIS Pro, the application just exits and the user can't retry since the cookies are lost.
So we are creating this issue to discuss with the Keycloak team whether it is possible to change this query param name or whether there is a better way to solve this. I can help if you need assistance with ArcGIS and testing the solution.
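Added example, not part of the original report and not Esri's or Keycloak's code: a model of the substring check described above next to a client-side check that accepts only an exact `code` parameter on the registered redirect URI. The hosts, realm name, redirect URI, parameter values and function names are constructed assumptions.

```javascript
// Constructed sample URLs; hosts, realm and values are placeholders.
const REDIRECT_URI = "https://portal.example.com/oauth/callback"; // hypothetical
const KEYCLOAK_FORM_ACTION =
  "https://sso.example.com/auth/realms/demo/login-actions/authenticate" +
  "?session_code=AAAA1111&execution=e1&client_id=portal&tab_id=t1";
const OAUTH_CALLBACK = REDIRECT_URI + "?code=ZZZZ9999&state=s1";

// Model of the behaviour the report describes: a substring search for "code"
// anywhere in the navigated URL, so "session_code=" is treated as a match.
function naiveExtractCode(navigatedUrl) {
  if (!navigatedUrl.includes("code")) return null;
  const m = /code=([^&#]*)/.exec(navigatedUrl);
  return m ? decodeURIComponent(m[1]) : null;
}

// Stricter check: parse the URL, require the registered redirect URI's
// origin and path, then read the parameter named exactly "code".
function strictExtractCode(navigatedUrl, redirectUri) {
  let url, expected;
  try {
    url = new URL(navigatedUrl);
    expected = new URL(redirectUri);
  } catch {
    return null; // not an absolute URL
  }
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return null; // navigation inside the IdP login flow, not the callback
  }
  const values = url.searchParams.getAll("code");
  // Reject missing, empty or duplicated "code" parameters.
  if (values.length !== 1 || values[0] === "") return null;
  return values[0];
}

// Compare both checks on the Keycloak form action and on the real callback.
function compare() {
  return [KEYCLOAK_FORM_ACTION, OAUTH_CALLBACK].map((u) => ({
    naive: naiveExtractCode(u),
    strict: strictExtractCode(u, REDIRECT_URI),
  }));
}
```

On the Keycloak form action the substring model returns the `session_code` value as if it were an authorization code, while the strict check returns `null` until the navigation actually reaches the redirect URI.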