Set up enterprise logins

Configuring enterprise logins allows members of your organization to sign in to ArcGIS Online using the same logins they use to access your enterprise information systems. The advantage of setting up enterprise logins using this approach is that members do not need to create additional logins within the ArcGIS Online system; instead, they can use the login that is already set up within their enterprise system. When members sign in to ArcGIS Online, they enter their enterprise user name and password directly into your enterprise's login manager, also known as your enterprise identity provider. Upon verification of the user's login, the enterprise identity provider informs ArcGIS Online of the verified identity for the member who is logging in. You can configure the organization's sign in page to show only the enterprise login option or both the enterprise login and ArcGIS account options.

ArcGIS Online supports Security Assertion Markup Language 2.0 (SAML) for configuring enterprise logins. SAML is an open standard to securely exchange authentication and authorization data between an identity provider (your organization) and a service provider (in this case, ArcGIS Online). ArcGIS Online is compliant with SAML 2.0 and integrates with identity providers that support SAML 2 Web Single sign-on.

SAML login experience

ArcGIS Online supports service provider (SP) initiated enterprise logins and identity provider (IDP) initiated enterprise logins. The login experience differs between the two.

Service provider initiated logins

With SP initiated logins, members access their organization website directly and see options to sign in using their enterprise service provider account or their ArcGIS account. If the member selects the service provider option, they are redirected to a web page (known as the enterprise's login manager) where they are prompted to enter their enterprise user name and password. Upon verification of the member’s login, the enterprise identity provider informs ArcGIS Online of the verified identity for the member who is signing in and the member is redirected back to their organization website.

If the member chooses the ArcGIS account option, the sign in page for the organization website opens. The member can then enter their ArcGIS user name and password to access the website. The ArcGIS account sign in option cannot be disabled.

Identity provider initiated logins

With IDP logins, members directly access their enterprise login manager and sign in with their account. When the member submits their account information, the identity provider sends the SAML response directly to ArcGIS Online. The member is then signed in and redirected to their organization website where they can immediately access resources without having to sign in to the organization again.

The option to sign in using ArcGIS accounts directly from the enterprise login manager is not available with IDP logins. To sign in to the organization using ArcGIS accounts, members need to access their organization website directly.

SAML identity providers

The following tutorials demonstrate how to use SAML-compliant identity providers with ArcGIS Online.

Set up your organization with an enterprise identity provider

The process of configuring identity providers with ArcGIS Online is described below. Before proceeding, it is recommended that you contact the administrator of your enterprise identity provider to obtain the parameters needed for configuration. For example, if your organization uses Microsoft Active Directory, the administrator responsible for it is the right person to contact to configure or enable SAML on the enterprise identity provider side and to get the parameters needed for configuration on the ArcGIS Online side.

  1. Within the Enterprise Logins section, click the Set Identity Provider button and enter your organization's name in the window that opens.
  2. Choose how members with enterprise logins will join your ArcGIS Online organization—automatically or through an invitation.

    The automatic option allows members to join the organization by signing in with their enterprise login. With the invitation option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the automatic option, you can still invite members to join the organization.

  3. If you chose to have members join automatically, select the role that members will be assigned. You can change the role after the member has joined the organization.
  4. Provide ArcGIS Online with metadata information about your enterprise identity provider.

    Do this by specifying the source that ArcGIS Online will access to obtain metadata information about the enterprise identity provider. There are three possible sources for this information:

    • URL—Enter a URL that returns metadata information about the identity provider.
    • File—Upload a file that contains metadata information about the identity provider.
    • Parameters—Directly enter the metadata information about the identity provider by supplying the following parameters:

      Login URL—Enter the URL that ArcGIS Online should use to allow a member to sign in.

      X.509 certificate—Provide the certificate for the enterprise identity provider. This is the certificate that allows ArcGIS Online to verify the digital signature in the SAML responses sent to it from the enterprise identity provider.

  5. To complete the configuration process and establish trust with the identity provider, download the corresponding metadata file for the service provider (in this case, ArcGIS Online) and register it with your enterprise identity provider. Download this file using the Get Service Provider button.

Modify the enterprise identity provider

You can remove the currently registered identity provider by using the Remove Identity Provider button. This button will be enabled only when you have set up an identity provider. Once you have removed the identity provider, you can set up a new one, if desired.