Configuring enterprise logins allows members of your organization to sign in to ArcGIS Online using the same logins they use to access your enterprise information systems. The advantage of setting up enterprise logins using this approach is that members do not need to create additional logins within the ArcGIS Online system; instead, they can use the login that is already set up within their enterprise system. When members sign in to ArcGIS Online, they enter their enterprise user name and password directly into your enterprise's login manager, also known as your enterprise identity provider. Upon verification of the user's login, the enterprise identity provider informs ArcGIS Online of the verified identity for the member who is logging in. You can configure the organization's sign-in page to show only the enterprise login option or both the enterprise login and ArcGIS account options.
ArcGIS Online supports Security Assertion Markup Language 2.0 (SAML) for configuring enterprise logins. SAML is an open standard to securely exchange authentication and authorization data between an identity provider (your organization) and a service provider (in this case, ArcGIS Online). ArcGIS Online is compliant with SAML 2.0 and integrates with identity providers that support SAML 2 Web Single Sign-On.
ArcGIS Online supports service provider (SP) initiated enterprise logins and identity provider (IDP) initiated enterprise logins. The login experience differs between the two.
With SP initiated logins, members access their organization website directly and see options to sign in using their enterprise service provider account or their ArcGIS account. If the member selects the service provider option, they are redirected to a web page (known as the enterprise's login manager) where they are prompted to enter their enterprise user name and password. Upon verification of the member's login, the enterprise identity provider informs ArcGIS Online of the verified identity for the member who is signing in, and the member is redirected back to their organization website.
If the member chooses the ArcGIS account option, the sign-in page for the organization website opens. The member can then enter their ArcGIS user name and password to access the website. The ArcGIS account sign-in option cannot be disabled.
With IDP logins, members directly access their enterprise login manager and sign in with their account. When the member submits their account information, the identity provider sends the SAML response directly to ArcGIS Online. The member is then signed in and redirected to their organization website where they can immediately access resources without having to sign in to the organization again.
The option to sign in using ArcGIS accounts directly from the enterprise login manager is not available with IDP logins. To sign in to the organization using ArcGIS accounts, members need to access their organization website directly.
The following tutorials demonstrate how to use SAML-compliant identity providers with ArcGIS Online.
The process of configuring identity providers with ArcGIS Online is described below. Before proceeding, it is recommended that you contact the administrator of your enterprise identity provider to obtain the parameters needed for configuration. For example, if your organization uses Microsoft Active Directory, the administrator responsible for it is the right person to contact to configure or enable SAML on the enterprise identity provider side and to get the parameters needed for configuration on the ArcGIS Online side.
The automatic option allows members to join the organization by signing in with their enterprise login. With the invitation option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the automatic option, you can still invite members to join the organization.
Do this by specifying the source that ArcGIS Online will access to obtain metadata information about the enterprise identity provider. There are three possible sources for this information:
Login URL—Enter the URL that ArcGIS Online should use to allow a member to sign in.
X.509 certificate—Provide the certificate for the enterprise identity provider. This is the certificate that allows ArcGIS Online to verify the digital signature in the SAML responses sent to it from the enterprise identity provider.
You can remove the currently registered identity provider by using the Remove Identity Provider button. This button will be enabled only when you have set up an identity provider. Once you have removed the identity provider, you can set up a new one, if desired.