Issue with ArcGIS Portal Integration with CA SAML IDP-SP

Document ID : KB000102963
Last Modified Date : 21/06/2018
Issue:
We created an IDP-SP (ArcGIS) partnership. The customer is using ArcGIS Portal.

We sent the XML metadata to the customer for SP configuration.

The customer is reporting the following errors:
SAML sign-in error: Invalid_SAMLResponse: Unable to login using Idp Unable to validate SAML response
SAML sign-in error: Invalid_Idp: Unable to find IDP for account 0123456789ABCDEF
Environment:
ArcGIS 10.3.1
Cause:
ArcGIS has an issue when the SSO Partnership IDP Post Signature Options setting is set to Sign Both. It cannot determine the correct certificate to use when that option is set.
Resolution:
ArcGIS 10.3.1 has a bug where, if the SSO Partnership IDP Post Signature Options setting is set to Sign Both, it fails to validate the assertion. We changed the setting from Sign Both to Sign Assertion, and the federation started to work.