Configuring enterprise logins allows members of your organization to sign in to ArcGIS Online using the same logins they use to access your enterprise information systems. The advantage of setting up enterprise logins using this approach is that members do not need to create additional logins within the ArcGIS Online system; instead, they can use the login that is already set up within their enterprise system. When members sign in to ArcGIS Online, they enter their enterprise user name and password directly into your enterprise login manager, also known as your enterprise identity provider (IDP). Upon verification of the user's login, the enterprise IDP informs ArcGIS Online of the verified identity for the member who is logging in. You can configure the organization's sign in page to show only the enterprise login option or both the enterprise login and ArcGIS account options.
ArcGIS Online supports Security Assertion Markup Language 2.0 (SAML) for configuring enterprise logins. SAML is an open standard for securely exchanging authentication and authorization data between an IDP (your organization) and a service provider (SP)—in this case, ArcGIS Online. ArcGIS Online is compliant with SAML 2.0 and integrates with IDPs that support SAML 2 web single sign-on.
In most situations, organizations set up their SAML-based enterprise logins using a single IDP. This IDP authenticates users accessing secured resources that are hosted across multiple service providers. The IDP and all service providers are managed by the same organization.
Another way to authenticate users with enterprise logins is by configuring your organization to use a SAML-based federation of IDPs. In a SAML-based federation between multiple organizations, each member organization continues to use their own IDP but configures one or more of their SPs to work exclusively within the federation. To access a secured resource shared within the federation, a user authenticates their identity with their home organization's IDP. Once successfully authenticated, this validated identity is presented to the SP hosting the secured resource. The SP then grants access to the resource after verifying the user's access privileges.
SAML login experience
ArcGIS Online supports SP-initiated enterprise logins and IDP-initiated enterprise logins. The login experience is different for each.
With SP-initiated logins, members access their organization website directly and see options to sign in using their enterprise SP account or their ArcGIS account. If the member selects the SP option, they are redirected to a web page (known as the enterprise's login manager) where they are prompted to enter their enterprise user name and password. Upon verification of the member’s login, the enterprise IDP informs ArcGIS Online of the verified identity of the member who is signing in, and the member is redirected back to their organization website.
If the member chooses the ArcGIS account option, the sign in page for the organization website appears. The member can then enter their ArcGIS user name and password to access the website. The ArcGIS account sign in option cannot be disabled.
With IDP-initiated logins, members directly access their enterprise's login manager and sign in with their account. When the member submits their account information, the IDP sends the SAML response directly to ArcGIS Online. The member is then signed in and redirected to their organization website where they can immediately access resources without having to sign in to the organization again.
The option to sign in using an ArcGIS account directly from the enterprise's login manager is not available with IDP logins. To sign in to the organization using ArcGIS accounts, members need to access their organization website directly.
The following tutorials demonstrate how to use SAML-compliant IDPs with ArcGIS Online:
Configure enterprise logins
The process of configuring IDPs with ArcGIS Online is described below. Before proceeding, it is recommended that you contact the administrator of your enterprise IDP or federation of IDPs to obtain the parameters needed for configuration. For example, if your organization uses Microsoft Active Directory, the administrator responsible for this would be the person to contact to configure or enable SAML on the enterprise IDP side and obtain the necessary parameters for configuration on the ArcGIS Online side.
- Verify that you are signed in as an administrator of your organization.
- At the top of the site, click Organization and click the Settings tab.
- Click Security on the left side of the page.
- Under Enterprise Logins, select one of the following:
- One identity provider—Allows users to sign in using their existing enterprise credentials managed by your organization. This is the most common configuration.
- A federation of identity providers—Allows users belonging to an existing interorganizational federation, such as the SWITCHaai federation, to sign in with credentials supported by the federation.
- Click the Set Enterprise Login button.
- In the window that appears, do one of the following:
- If you selected One identity provider, enter your organization's name.
- If you selected A federation of identity providers, enter the name of your federation.
- Choose how members with enterprise logins will join your ArcGIS Online organization—automatically or through an invitation.
The automatic option allows members to join the organization by signing in with their enterprise login. With the invitation option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the automatic option, you can still invite members to join the organization.
- If you chose to invite members automatically, do the following:
- Select the default user type and the role that members will be assigned. You can change the user type and the role after the member has joined the organization, if necessary.
- Set the credit allocation for each invited member to a specified number of credits or to the organization's default limit.
- Choose whether you want to enable or disable Esri access by default for members who join the organization automatically using their enterprise logins.
- Optionally click Specify Groups and select the ArcGIS Online groups to which members will be added when they join the ArcGIS Online organization.
- If you selected One identity provider, provide ArcGIS Online with metadata information about your enterprise IDP.
Do this by specifying the source that ArcGIS Online will access to obtain metadata information about the enterprise IDP. There are three possible sources for this information:
- A URL—Enter a URL that returns metadata information about the IDP.
- A File—Upload a file that contains metadata information about the IDP.
- Parameters specified here—Directly enter the metadata information about the IDP by supplying the following parameters:
- Login URL (Redirect)—Enter the IDP's URL (that supports HTTP redirect binding) that ArcGIS Online should use to allow a member to sign in.
- Login URL (POST)—Enter the IDP's URL (that supports HTTP POST binding) that ArcGIS Online should use to allow a member to sign in.
- Certificate—Provide the certificate, encoded in the BASE 64 format, for the enterprise IDP. This is the certificate that allows ArcGIS Online to verify the digital signature in the SAML responses sent to it from the enterprise IDP.
Contact the administrator of the IDP if you need help determining which source of metadata information you need to provide. You can also access steps for obtaining the necessary metadata from the following IDPs: Active Directory Federation Services (AD FS), G Suite, NetIQ Access Manager, Okta, OpenAM, Shibboleth, and SimpleSAMLphp.
- If you selected A federation of identity providers, do the following:
- Enter the URL to the centralized IDP discovery service hosted by the federation—for example, https://wayf.samplefederation.com/WAYF.
- Enter the URL to the federation metadata, which is an aggregation of the metadata of all IDPs and SPs participating in the federation.
- Copy and paste the certificate, encoded in Base64 format, that allows the organization to verify the validity of the federation metadata.
- Click Show advanced settings to configure the following advanced settings as applicable:
- Encrypt Assertion—Select this option to indicate to the SAML IDP that ArcGIS Online supports encrypted SAML assertion responses. When this option is selected, the IDP encrypts the assertion section of the SAML response. All SAML traffic to and from ArcGIS Online is already encrypted by the use of HTTPS, but this option adds another layer of encryption.
- Enable Signed Request—Select this option to have ArcGIS Online sign the SAML authentication request sent to the IDP. Signing the initial login request sent by ArcGIS Online allows the IDP to verify that all login requests originate from a trusted SP.
- Propagate logout to Identity Provider—Select this option to have ArcGIS Online use a logout URL to sign out the user from the IDP. Enter the URL to use in the Logout URL setting. If the IDP requires the logout URL to be signed, the Enable Signed Request option also needs to be checked. When this option is unavailable, clicking Sign Out in ArcGIS Online will sign out the user from ArcGIS Online but not from the IDP. If the user's web browser cache is not cleared, attempting to immediately sign back in to ArcGIS Online using the enterprise login option will result in an immediate login without needing to provide user credentials to the SAML IDP. This is a security vulnerability that can be exploited when using a computer that is easily accessible to unauthorized users or to the general public.
- Update profiles on sign in—Check this box to automatically synchronize account information (full name and email address) stored in ArcGIS Online user profiles with the latest account information received from the IDP. Checking this box allows your organization to verify, when a user signs in with an enterprise login, whether the IDP information has changed since the account was first created and if so, to update the user's ArcGIS Online account profile accordingly.
- Enable SAML based group membership—Check this box to allow organization members to link specified SAML-based enterprise groups to ArcGIS Online groups during the group creation process. If you check this box, organization members with the privilege to link to enterprise groups will have the option of creating an ArcGIS Online group whose membership is controlled by an enterprise group managed by an external SAML IDP. Once a group is successfully linked to an external SAML-based group, each user's membership in the group is defined in the SAML assertion response received from the IDP every time the user logs in. To ensure that the ArcGIS Online group is successfully linked to the external enterprise group, the creator of the group must enter the exact name of the external enterprise group returned as the attribute value in the SAML assertion. The supported (case-insensitive) names for the attribute defining a user's group membership are: Group, Groups, Roles, MemberOf, member-of, http://schemas.xmlsoap.org/claims/Group, urn:oid:184.108.40.206.4.1.59220.127.116.11.1, and urn:oid:2.16.840.1.113718.104.22.168.1.25.
For example, suppose a user logging in is a member of the enterprise groups FullTimeEmployees and GIS Faculty. In the SAML assertion received from the IDP, as shown below, the name of the attribute that contains group information is MemberOf. In this example, to create a new group linked to the enterprise group GIS Faculty, the group creator would need to enter GIS Faculty as the group name.
<saml2p:Response> ... ... <saml2:Assertion> ... ... <saml2:AttributeStatement> ... ... <saml2:Attribute Name="MemberOf"> <saml2:AttributeValue>FullTimeEmployees</saml2:AttributeValue> <saml2:AttributeValue>GIS Faculty</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response>
- Logout URL—If you chose One identity provider in a previous step, enter the IDP URL to use to sign out the currently signed-in user. If this property is specified in the IDP's metadata file, it is automatically set.
- Entity ID—Update this value to use a new entity ID to uniquely identify your ArcGIS Online organization to the SAML IDP or SAML federation.
- When finished, click Set Identity Provider.
- To complete the configuration process and establish trust with your organizational IDP (and the federation's discovery service if applicable), download the corresponding metadata file for the SP (in this case, ArcGIS Online) and register it with your enterprise IDP as follows:
- Click the Get Service Provider button to download the metadata file.
- Open the URL of the metadata file and save as an XML file on your computer. The URL is https://webadaptorhost.domain.com/webadaptorname/sharing/rest/portals/self/sp/metadata?token=<token>—for example, https://samltest.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://webadaptorhost.domain.com/webadaptorname/sharing/rest/generateToken. When entering the URL in the Generate Token page, specify the fully qualified domain name of the IDP server in the Webapp URL field. Choosing any other option such as IP Address or IP Address of this request's origin is not supported and may generate an invalid token.
Modify or remove the enterprise IDP
You can update the settings for your enterprise IDP using the Edit Enterprise Login button, or remove the currently registered IDP using the Remove Enterprise Login button. These buttons appear when you've set up an IDP. Once you've removed an IDP, you can optionally set up a new IDP or federation of IDPs.