Configuring enterprise logins allows members of your organization to sign in to ArcGIS Online using the same logins they use to access your enterprise information systems. The advantage of setting up enterprise logins using this approach is that members do not need to create additional logins within the ArcGIS Online system; instead, they can use the login that is already set up within their enterprise system. When members sign in to ArcGIS Online, they enter their enterprise user name and password directly into your enterprise login manager, also known as your enterprise identity provider (IDP). Upon verification of the user's login, the enterprise IDP informs ArcGIS Online of the verified identity for the member who is logging in. You can configure the organization's sign in page to show only the enterprise login option or both the enterprise login and ArcGIS account options.
ArcGIS Online supports Security Assertion Markup Language 2.0 (SAML) for configuring enterprise logins. SAML is an open standard for securely exchanging authentication and authorization data between an IDP (your organization) and a service provider (SP), in this case ArcGIS Online. ArcGIS Online is compliant with SAML 2.0 and integrates with IDPs that support SAML 2 web single sign-on. Only one SAML IDP can be registered with your ArcGIS Online organization.
SAML login experience
ArcGIS Online supports SP-initiated enterprise logins and IDP-initiated enterprise logins. The login experience is different for each.
With SP-initiated logins, members access their organization website directly and see options to sign in using their enterprise account or their ArcGIS account. If the member selects the enterprise account option, they are redirected to a web page (known as the enterprise's login manager) where they are prompted to enter their enterprise user name and password. Upon verification of the member's login, the enterprise IDP informs ArcGIS Online of the verified identity for the member who is signing in, and the member is redirected back to their organization website.
If the member chooses the ArcGIS account option, the sign in page for the organization website appears. The member can then enter their ArcGIS user name and password to access the website. The ArcGIS account sign in option cannot be disabled.
With IDP-initiated logins, members directly access their enterprise's login manager and sign in with their enterprise account. When the member submits their account information, the IDP sends the SAML response directly to ArcGIS Online. The member is then signed in and redirected to their organization website, where they can immediately access resources without having to sign in to the organization again.
The option to sign in using an ArcGIS account directly from the enterprise's login manager is not available with IDP-initiated logins. To sign in to the organization using ArcGIS accounts, members need to access their organization website directly.
The following tutorials demonstrate how to use SAML-compliant IDPs with ArcGIS Online:
Set up your organization with an enterprise IDP
The process of configuring IDPs with ArcGIS Online is described below. Before proceeding, it is recommended that you contact the administrator of your enterprise IDP to obtain the parameters needed for configuration. For example, if your organization uses Microsoft Active Directory, the administrator responsible for this would be the person to contact to configure or enable SAML on the enterprise IDP side and get the necessary parameters needed for configuration on the ArcGIS Online side.
- Verify that you are signed in as an administrator of your organization.
- Click Organization at the top of the site and click Edit Settings.
- Click Security on the left side of the page.
- Under Enterprise Logins, click the Set Identity Provider button and enter your organization's name in the window that appears.
You can only register one enterprise IDP for your ArcGIS Online organization.
- Choose how members with enterprise logins will join your ArcGIS Online organization—automatically or through an invitation.
The automatic option allows members to join the organization by signing in with their enterprise login. With the invitation option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the automatic option, you can still invite members to join the organization.
- If you chose the automatic option, do the following:
  - Select the default license level and the role that members will be assigned. You can change the level and the role after the member has joined the organization if necessary.
  - Set the credit allocation for each invited member to a specified number of credits or to the organization's default limit.
  - Optionally click Specify Groups and select the ArcGIS Online groups to which members will be added when they join the ArcGIS Online organization.
- Provide ArcGIS Online with metadata information about your enterprise IDP.
Do this by specifying the source that ArcGIS Online will access to obtain metadata information about the enterprise IDP. There are three possible sources for this information:
  - A URL—Enter a URL that returns metadata information about the IDP.
  - A File—Upload a file that contains metadata information about the IDP.
  - Parameters specified here—Directly enter the metadata information about the IDP by supplying the following parameters:
    - Login URL (Redirect)—Enter the IDP's URL (that supports HTTP redirect binding) that ArcGIS Online should use to allow a member to sign in.
    - Login URL (POST)—Enter the IDP's URL (that supports HTTP POST binding) that ArcGIS Online should use to allow a member to sign in.
    - Certificate—Provide the certificate, encoded in the BASE 64 format, for the enterprise IDP. This is the certificate that allows ArcGIS Online to verify the digital signature in the SAML responses sent to it from the enterprise IDP.
Contact the administrator of the IDP if you need help determining which source of metadata information you need to provide. You can also access steps for obtaining the necessary metadata from the following IDPs: Active Directory Federation Services (AD FS), NetIQ Access Manager, OpenAM, Shibboleth, and SimpleSAMLphp.
- Configure the following advanced settings as applicable:
  - Encrypt Assertion—Choose this option to indicate to the SAML IDP that ArcGIS Online supports encrypted SAML assertion responses. When this option is enabled, the IDP will encrypt the assertion section of the SAML responses. Even though all SAML traffic to and from ArcGIS Online is already encrypted by the use of HTTPS, this option adds another layer of encryption.
  - Enable Signed Request—Choose this option to have ArcGIS Online sign the SAML authentication request sent to the IDP. Signing the initial login request sent by ArcGIS Online allows the IDP to verify that all login requests originate from a trusted SP.
  - Propagate logout to Identity Provider—Choose this option to have ArcGIS Online use a logout URL to sign out the user from the IDP. Enter the URL to use in the Logout URL setting. If the IDP requires the logout URL to be signed, the Enable Signed Request option also needs to be checked. When this option is unavailable, clicking Sign Out in ArcGIS Online will sign out the user from ArcGIS Online but not from the IDP. If the user's web browser cache is not cleared, attempting to immediately sign back in to ArcGIS Online using the enterprise login option will result in an immediate login without needing to provide user credentials to the SAML IDP. This is a security vulnerability that can be exploited when using a computer that is easily accessible to unauthorized users or to the general public.
  - Update profiles on sign in—Check this box to automatically synchronize account information (full name and email address) stored in ArcGIS Online user profiles with the latest account information received from the IDP. Checking this box allows your organization to verify, when a user signs in with an enterprise login, whether the IDP information has changed since the account was first created and if so, to update the user's ArcGIS Online account profile accordingly.
  - Enable SAML based group membership—Check this box to allow organization members to link specified SAML-based enterprise groups to ArcGIS Online groups during the group creation process. If you check this box, organization members with the privilege to link to enterprise groups will have the option of creating an ArcGIS Online group whose membership is controlled by an enterprise group managed by an external SAML IDP. Once a group is successfully linked to an external SAML-based group, each user's membership in the group is defined in the SAML assertion response received from the IDP every time the user logs in. To ensure that the ArcGIS Online group is successfully linked to the external enterprise group, the creator of the group must enter the exact name of the external enterprise group returned as the attribute value in the SAML assertion. The following SAML attributes are supported: http://schemas.xmlsoap.org/claims/Group, Group, Groups, Roles, MemberOf, and member-of.
    For example, suppose a user logging in is a member of the enterprise groups FullTimeEmployees and GIS Faculty. In the SAML assertion received from the IDP, as shown below, the name of the attribute that contains group information is MemberOf. In this example, to create a new group linked to the enterprise group GIS Faculty, the group creator would need to enter GIS Faculty as the group name.
        <saml2p:Response>
          ...
          <saml2:Assertion>
            ...
            <saml2:AttributeStatement>
              ...
              <saml2:Attribute Name="MemberOf">
                <saml2:AttributeValue>FullTimeEmployees</saml2:AttributeValue>
                <saml2:AttributeValue>GIS Faculty</saml2:AttributeValue>
              </saml2:Attribute>
            </saml2:AttributeStatement>
          </saml2:Assertion>
        </saml2p:Response>
  - Logout URL—Enter the IDP URL to use to sign out the currently signed-in user. If this property is specified in the IDP's metadata file, it is automatically set.
  - Entity ID—Update this value to use a new entity ID to uniquely identify your ArcGIS Online organization to the SAML IDP.
- To complete the configuration process and establish trust with the IDP, download the corresponding metadata file for the SP (in this case, ArcGIS Online) and register it with your enterprise IDP. Download this file using the Get Service Provider button.
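The steps above ask for three things that are easy to get wrong when copied by hand: the IDP's Login URL (Redirect), Login URL (POST) and Logout URL, the Base64 signing certificate, and, for SAML-based group membership, the exact group name as it appears in the assertion. The following script, which is an added example and not Esri's code, reads an IDP metadata document and returns those values together with a SHA-256 fingerprint of the certificate that an administrator can confirm with the IDP owner before registering it, and then applies the exact-name rule to the group values carried in an assertion. The metadata and assertion XML are constructed sample data; the idp.example.org hostnames and the certificate bytes are placeholders, not real identifiers.

```python
# Added example (not Esri's code): pre-flight checks for the values the steps above ask for.
# check_idp_metadata() reads an IDP metadata document and returns Login URL (Redirect),
# Login URL (POST), Logout URL and the signing certificate, plus a SHA-256 fingerprint to
# confirm with the IDP administrator out of band. groups_from_assertion() and
# linked_group_matches() apply the exact-name rule for SAML-based group linking.
# All XML here is constructed sample data; hostnames and the certificate are placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Attribute names the page lists as supported for group membership.
GROUP_ATTRIBUTES = ("http://schemas.xmlsoap.org/claims/Group", "Group",
                    "Groups", "Roles", "MemberOf", "member-of")

SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {SAMPLE_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT_BINDING}" Location="https://idp.example.org/idp/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp.example.org/idp/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.example.org/idp/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_ASSERTION = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="{NS['saml2']}">
  <saml2:Assertion><saml2:AttributeStatement>
    <saml2:Attribute Name="MemberOf">
      <saml2:AttributeValue>FullTimeEmployees</saml2:AttributeValue>
      <saml2:AttributeValue>GIS Faculty</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mail"><saml2:AttributeValue>m@example.org</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion>
</saml2p:Response>"""


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint in the colon-separated form IDP consoles usually show."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der_bytes).digest())


def check_idp_metadata(xml_text):
    """Return the 'Parameters specified here' values found in IDP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: is this SP metadata rather than IDP metadata?")

    def endpoint(element, binding):
        for el in idp.findall(element, NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None  # the IDP does not offer this binding; leave that field blank

    # Whitespace in a PEM-wrapped certificate is stripped; a KeyDescriptor with no 'use'
    # attribute is valid for signing as well as encryption.
    certs = ["".join((c.text or "").split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    der = base64.b64decode(certs[0], validate=True)  # rejects anything that is not Base64
    return {"entity_id": root.get("entityID"),
            "login_url_redirect": endpoint("md:SingleSignOnService", REDIRECT_BINDING),
            "login_url_post": endpoint("md:SingleSignOnService", POST_BINDING),
            "logout_url": endpoint("md:SingleLogoutService", REDIRECT_BINDING),
            "certificate_b64": certs[0],
            "certificate_sha256": cert_fingerprint(der)}


def groups_from_assertion(xml_text):
    """Values carried under any supported group attribute, in assertion order."""
    root = ET.fromstring(xml_text)
    return [v.text for attr in root.iter(f"{{{NS['saml2']}}}Attribute")
            if attr.get("Name") in GROUP_ATTRIBUTES
            for v in attr.findall("saml2:AttributeValue", NS) if v.text]


def linked_group_matches(entered_name, assertion_groups):
    """Exact comparison, no trimming or case folding: 'gis faculty' would not link."""
    return entered_name in assertion_groups
```

Run `check_idp_metadata()` against the metadata URL or file the IDP administrator hands over, and compare the returned `certificate_sha256` with the fingerprint shown in the IDP's own console before pasting the certificate into ArcGIS Online; a mismatch means the wrong metadata or a stale certificate. `groups_from_assertion()` is useful when a linked group stays empty: capture one assertion from a test login (the IDP's trace tools or a browser SAML inspector can show it) and compare the returned names byte for byte with what the group creator typed.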
Modify the enterprise IDP
You can remove the currently registered IDP using the Remove Identity Provider button. This button is available only when you have set up an IDP. Once you have removed the IDP, you can optionally set up a new one.