This article addresses the error message that occurs during SSO for the ArcGIS application, stating that logins are by invitation only and advising the user to contact the administrator of the website. The error message also contains the usernames, and the issue is related to the format of the usernames sent by Okta and expected by the ArcGIS application.
Error message from ArcGIS:
Unable to sign in, logins are by invitation only. Please contact the administrator of this website to access this site. IdpUsername: 'first_last' Username: 'first_last_last' Unable to sign in. Try again.
- ArcGIS OIN
- Okta SAML integration
- Secure Assertion Markup Language (SAML)
- Single Sign-On (SSO)
NameID_, which is set in the custom format of the application in Okta. However, according to the ArcGIS documentation, when a user from the identity provider (IDP) signs in, a new user with the username NameID_<url_key_for_org> will be created by ArcGIS Online in its user store. As a result, an additional piece of information is added to the NameID_ format, and this causes the error during SSO.
ESRI, the maker of the ArcGIS application, has confirmed that there is no way to match up the usernames. Therefore, to resolve the issue, it is necessary to update the Okta mapped value for NameID to another username format and add the users. Then, the users should migrate their content to their new user accounts and delete their built-in user accounts.
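To confirm that a reported sign-in failure is this suffix mismatch and not some other username problem, the two usernames can be pulled out of the error text and compared against the NameID_<url_key_for_org> pattern. The following is an added example, not code from Okta or Esri; the function names, the constructed sample message and the url key value `last` (inferred from the sample usernames) are assumptions.

```python
import re

# Constructed sample, modelled on the error text quoted in this article.
SAMPLE_ERROR = (
    "Unable to sign in, logins are by invitation only. Please contact the "
    "administrator of this website to access this site. "
    "IdpUsername: 'first_last' Username: 'first_last_last'"
)

# Tolerate any punctuation between the label and the quoted value.
_IDP = re.compile(r"IdpUsername\W*'([^']*)'")
# The lookbehind stops this pattern from matching inside "IdpUsername".
_ARC = re.compile(r"(?<!Idp)Username\W*'([^']*)'")


def expected_arcgis_username(name_id, url_key):
    """Username ArcGIS Online creates for an IdP user: NameID_<url_key_for_org>."""
    return f"{name_id}_{url_key}"


def diagnose(error_text, url_key):
    """Extract both usernames from the error and classify the difference."""
    idp, arc = _IDP.search(error_text), _ARC.search(error_text)
    if not (idp and arc):
        return {"status": "unparsed"}
    idp_name, arc_name = idp.group(1), arc.group(1)
    result = {"idp_username": idp_name, "arcgis_username": arc_name}
    if arc_name == expected_arcgis_username(idp_name, url_key):
        # ArcGIS appended the org url key to the NameID sent by Okta.
        result["status"] = "org_suffix_appended"
    elif arc_name == idp_name:
        result["status"] = "usernames_match"
    else:
        result["status"] = "other_mismatch"
    return result


if __name__ == "__main__":
    # url_key="last" is an assumed value that fits the sample usernames.
    print(diagnose(SAMPLE_ERROR, url_key="last"))
```

A status of `org_suffix_appended` means the failure is the format mismatch described above; `other_mismatch` points to a different cause, such as a wrong url key or a different NameID mapping.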
