ArcGIS Online SAML Authentication update

ArcGIS Online has a new SAML signing and encryption certificate available, and the previous SAML signing and encryption certificate is due to expire on December 5th, 2019.

Organisations using enterprise logins for ArcGIS Online with a SAML-compliant Identity Provider (IDP) will need to re-register ArcGIS Online in their IDP before 5th December.

If the new ArcGIS Online metadata file is not uploaded into the IDP before 5th December 2019, and the “Enable Signed Request” option is enabled, an error will occur when signing into ArcGIS Online with an Enterprise SAML account. This error is an IDP-specific message displayed in place of the IDP sign-in page.

SAML enterprise logins that use the old certificate for signed requests or encrypted assertions will continue to work until 4th December 2019.

To enable your IDP to discover the new certificates, you must re-register ArcGIS Online as your trusted service provider. The process varies by the SAML identity provider used; tutorials on how to do this can be found by following the links below, in the section titled “Register ArcGIS Online as the trusted service provider with [IDP name]”.
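One way to confirm that the re-registration took effect, as an added example (not Esri's code): compare the certificate fingerprints in the service provider metadata your IDP currently holds with those in the newly downloaded ArcGIS Online metadata file. It assumes your IDP can export the registered metadata; the function names are hypothetical, and the sample documents and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def cert_fingerprints(metadata_xml):
    """Map key use ('signing'/'encryption') to SHA-256 fingerprints of the SP certificates."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": set(), "encryption": set()}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to both purposes.
        uses = [kd.get("use")] if kd.get("use") else list(found)
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Certificate text is base64 DER, usually wrapped across lines.
            der = base64.b64decode("".join((cert.text or "").split()))
            for use in uses:
                found.setdefault(use, set()).add(hashlib.sha256(der).hexdigest())
    return found


def stale_uses(registered_xml, current_xml):
    """Key uses for which the IDP's registered copy holds none of the current certificates."""
    registered = cert_fingerprints(registered_xml)
    current = cert_fingerprints(current_xml)
    return sorted(use for use, fps in current.items()
                  if fps and not (fps & registered.get(use, set())))


def sample_metadata(signing_cert, encryption_cert):
    """Constructed SP metadata; the 'certificates' are placeholder bytes, not real X.509."""
    def key(use, blob):
        b64 = base64.b64encode(blob).decode()
        return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
                f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
                f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="sp.example.invalid">'
            '<md:SPSSODescriptor>%s%s</md:SPSSODescriptor></md:EntityDescriptor>'
            % (NS["md"], NS["ds"], key("signing", signing_cert),
               key("encryption", encryption_cert)))


OLD_META = sample_metadata(b"old-signing", b"old-encryption")  # constructed: copy held by the IDP
NEW_META = sample_metadata(b"new-signing", b"new-encryption")  # constructed: new metadata file

if __name__ == "__main__":
    print("Still on old certificate for:", stale_uses(OLD_META, NEW_META))
```

An empty result means the IDP's copy already contains a current certificate for every key use listed in the new metadata.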

If you do not use a SAML-compliant IDP with ArcGIS Online, then no action is required.

More details are available here.