
Configure OpenAM

You can configure OpenAM 10.1.0 and later versions as your identity provider (IDP) for enterprise logins in ArcGIS Online. The configuration process involves two main steps: registering your enterprise IDP with ArcGIS Online and registering ArcGIS Online with the enterprise IDP.

Required information

ArcGIS Online requires certain attribute information to be received from the IDP when a user signs in using enterprise logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response for the federation with ArcGIS Online to work. Since ArcGIS Online uses the value of NameID to uniquely identify a named user, it is recommended that you use a constant value that uniquely identifies the user. When a user from the IDP signs in, a new user with the user name NameID_<url_key_for_org> will be created by ArcGIS Online in its user store. The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters are replaced with underscores in the user name created by ArcGIS Online.

ArcGIS Online supports inflow of the givenName and email address attributes of the enterprise login from the enterprise IDP. When a user signs in using an enterprise login, and if ArcGIS Online receives attributes with the names givenname and email or mail (in any case), ArcGIS Online populates the full name and the email address of the user account with the values received from the IDP.

It's recommended that you pass in the email address from the enterprise IDP so the user can receive notifications. This helps if the user later becomes an administrator. Having an email address in the account entitles the user to receive notifications regarding any administrative activity and send invitations to other users to join the organization. This is a privilege reserved for the administrator role.
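As an added example (not Esri's or OpenAM's code), the following Python applies the rules above to a constructed SAML assertion fragment: it checks that NameID is present and uses the unspecified format, reads the givenname/email/mail attributes case-insensitively, and derives the NameID_<url_key_for_org> user name with disallowed characters replaced by underscores. The organization URL key and all attribute values are made-up sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the assertion body an IDP such as OpenAM returns after sign-in;
# values are illustrative only and do not come from any real deployment.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The NameID format ArcGIS Online requests in its SAML request to OpenAM.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def parse_assertion(xml_text):
    """Return (nameid, nameid_format, attributes); attribute names are lower-cased
    because ArcGIS Online matches givenname/email/mail in any case."""
    root = ET.fromstring(xml_text)
    nameid_el = root.find("saml:Subject/saml:NameID", NS)
    if nameid_el is None or not (nameid_el.text or "").strip():
        raise ValueError("NameID is mandatory but missing from the assertion")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value_el = attr.find("saml:AttributeValue", NS)
        value = (value_el.text or "").strip() if value_el is not None else ""
        attrs[attr.get("Name", "").lower()] = value
    return nameid_el.text.strip(), nameid_el.get("Format", ""), attrs


def arcgis_username(nameid, url_key):
    """Build NameID_<url_key_for_org>; any character outside alphanumerics,
    underscore, dot and @ is replaced with an underscore."""
    return re.sub(r"[^A-Za-z0-9_.@]", "_", nameid) + "_" + url_key


def profile_from_assertion(xml_text, url_key):
    """Derive the account fields ArcGIS Online would populate from this assertion."""
    nameid, fmt, attrs = parse_assertion(xml_text)
    return {
        "username": arcgis_username(nameid, url_key),
        "nameIdFormatOk": fmt == UNSPECIFIED,  # flag IDPs that send a different format
        "fullName": attrs.get("givenname"),
        "email": attrs.get("email") or attrs.get("mail"),
    }
```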

Register OpenAM as the enterprise IDP with ArcGIS Online

  1. Verify that you are signed in as an administrator of your organization and click Organization > Edit Settings > Security.
  2. In the Enterprise Logins section, click the Set Identity Provider button and enter your organization's name in the window that appears (for example, City of Redlands). When users access the portal website, this text displays as part of the SAML sign in option (for example, Using your City of Redlands account).
    Note:

    You can only register one enterprise IDP for your ArcGIS Online organization.

  3. Choose if users will be able to join the organization Automatically or Upon invitation from an administrator. Selecting the first option enables users to sign in to the organization with their enterprise login without any intervention from an administrator; their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to invite the necessary users to the organization. When the user receives the invitation, they will be able to sign in to the organization.
  4. Provide metadata information for the IDP using one of the three options below:
    • URL—Choose this option if the URL of OpenAM federation metadata is accessible by ArcGIS Online. The URL is usually http(s)://<host>:<port>/openam/saml2/jsp/exportmetadata.jsp.
    • File—If the URL is not accessible by ArcGIS Online, save the metadata obtained from the URL above as an XML file and upload the file.
    • Parameters—Choose this option if the URL or federation metadata file is not accessible. Enter the values manually and supply the requested parameters: the login URL and the certificate, encoded in the BASE 64 format. Contact your OpenAM administrator to obtain these.
  5. Configure the advanced settings as applicable:
    • Encrypt Assertion—Select this option if OpenAM will be configured to encrypt SAML assertion responses.
    • Enable Signed Request—Select this option to have ArcGIS Online sign the SAML authentication request sent to OpenAM.
    • Entity ID—Update this value to use a new entity ID to uniquely identify your ArcGIS Online organization to OpenAM.
    • Update profiles on sign in—Select this option to automatically synchronize account information (full name and email address) stored in ArcGIS Online user profiles with the latest account information received from the IDP. Checking this box allows your organization to verify, when a user signs in with an enterprise login, whether the IDP information has changed since the account was first created and if so, to update the user's ArcGIS Online account profile accordingly.
    • Enable SAML based group membership—Select this option to allow organization members to link specified SAML-based enterprise groups to ArcGIS Online groups during the group creation process.
    Note:

    Currently, Propagate logout to Identity Provider and Logout URL are not supported.

Register ArcGIS Online as the trusted service provider with OpenAM

  1. Configure a hosted IDP in OpenAM.
    1. Sign in to the OpenAM administration console. This is usually available at http://servername:port/<deploy_uri>/console.
    2. On the Common Tasks tab, click Create Hosted Identity Provider.
    3. Create a hosted IDP and add it to a Circle of Trust. You can add it to an existing circle of trust if you already have it or create a new circle of trust.
    4. By default, the hosted IDP works with OpenDJ, the embedded user store that comes with OpenAM. If you want to connect OpenAM to any other user stores such as Active Directory, you need to create a new data source on the Access Control tab of the main OpenAM administration console.
  2. Configure ArcGIS Online as a trusted service provider with OpenAM.
    1. Obtain the metadata file of your ArcGIS Online organization and save it as an XML file.

      To get the metadata file, sign in as an administrator of your organization and open your organization page. Click the Edit Settings button, click the Security tab, and in the Enterprise Logins section, click the Get Service Provider button.

    2. In the OpenAM administration console under Common Tasks, click Register Remote Service Provider.
    3. Select the File option for the metadata and upload the metadata XML file saved in the previous step.
    4. Add this service provider to the same circle of trust to which you added your IDP.
  3. Configure the NameID format and attributes that OpenAM needs to send to ArcGIS Online after authenticating the user.
    1. In the OpenAM administration console, click the Federation tab. The tab contains the circle of trust you previously added and the service and IDP.
    2. Under Entity Providers, click your IDP.
    3. On the Assertion Content tab, under Name ID Format, verify that urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is listed at the top. This is the format of NameID that ArcGIS Online will request in its SAML request to OpenAM.
    4. Under Name ID Value Map, map an attribute from the user's profile, such as mail or upn, that will be returned as NameID to ArcGIS Online after the user is authenticated.

      Example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=upn

    5. Click the Assertion Processing tab in the IDP. Under Attribute Mapper, configure attributes from the user profile that you want to be sent to ArcGIS Online.

      ArcGIS Online supports inflow of the givenName and email address attributes of the enterprise login from the enterprise IDP. When a user signs in using an enterprise login and if ArcGIS Online receives attributes with the names givenname and email or mail (in any case), ArcGIS Online populates the full name and the email address of the user account with the values received from the IDP.

      It is recommended that you pass in the email address from the enterprise IDP to ArcGIS Online. This helps if the user later becomes an administrator. Having an email address in the account entitles the user to receive notifications regarding any administrative activity and send invitations to other users to join the organization.

      Click Save to save the NameID format and the attribute content changes.

    6. On the Federation tab of the OpenAM administration console, browse to the ArcGIS Online service provider under Entity Providers.
    7. On the Assertion Content tab, under Encryption, select the Assertion option if you chose the advanced setting Encrypt Assertion when registering OpenAM as the enterprise IDP with ArcGIS Online.
    8. Under Name ID Format, verify that urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is listed at the top. This is the format of NameID that ArcGIS Online will request in its SAML request to OpenAM.
    9. Click the Assertion Processing tab in the IDP. Under Attribute Mapper, configure attributes from the user profile that you want to be sent to ArcGIS Online.
    10. Click Save to save the Name ID Format and the attribute content changes.
  4. Restart the web server where OpenAM is deployed.