Configuring enterprise logins allows members of your organization to sign in to ArcGIS Online using the same logins they use to access your enterprise information systems. The advantage of setting up enterprise logins using this approach is that members do not need to create additional logins within the ArcGIS Online system; instead, they can use the login that is already set up within their enterprise system. When members sign in to ArcGIS Online, they enter their enterprise user name and password directly into your enterprise's login manager, also known as your enterprise identity provider. Upon verification of the user's login, the enterprise identity provider informs ArcGIS Online of the verified identity for the member who is logging in. You can configure the organization's sign in page to show only the enterprise login option or both the enterprise login and ArcGIS account options.
ArcGIS Online supports Security Assertion Markup Language 2.0 (SAML) for configuring enterprise logins. SAML is an open standard to securely exchange authentication and authorization data between an identity provider (your organization) and a service provider (in this case, ArcGIS Online). ArcGIS Online is compliant with SAML 2.0 and integrates with identity providers that support SAML 2 Web Single sign-on. Only one SAML identity provider can be registered with your ArcGIS Online organization.
SAML login experience
ArcGIS Online supports service provider (SP) initiated enterprise logins and identity provider (IDP) initiated enterprise logins. The login experience differs between each.
Service provider initiated logins
With SP initiated logins, members access their organization website directly and see options to sign in using their enterprise service provider account or their ArcGIS account. If the member selects the service provider option, they are redirected to a web page (known as the enterprise's login manager) where they are prompted to enter their enterprise user name and password. Upon verification of the member’s login, the enterprise identity provider informs ArcGIS Online of the verified identity for the member who is signing in and the member is redirected back to their organization website.
If the member chooses the ArcGIS account option, the sign in page for the organization website opens. The member can then enter their ArcGIS user name and password to access the website. The ArcGIS account sign in option cannot be disabled.
Identity provider initiated logins
With IDP logins, members directly access their enterprise login manager and sign in with their account. When the member submits their account information, the identity provider sends the SAML response directly to ArcGIS Online. The member is then signed in and redirected to their organization website where they can immediately access resources without having to sign in to the organization again.
The option to sign in using ArcGIS accounts directly from the enterprise login manager is not available with IDP logins. To sign in to the organization using ArcGIS accounts, members need to access their organization website directly.
SAML identity providers
The following tutorials demonstrate how to use SAML-compliant identity providers with ArcGIS Online.
Set up your organization with an enterprise identity provider
The process of configuring identity providers with ArcGIS Online is described below. Before proceeding, it is recommended that you contact the administrator of your enterprise identify provider to obtain the parameters needed for configuration. For example, if your organization uses Microsoft Active Directory, the administrator responsible for this would be the right person to contact in order to configure or enable SAML on the enterprise identity provider side and get the necessary parameters needed for configuration on the ArcGIS Online side.
- Verify that you are signed in as an administrator of your organization.
- Click My Organization at the top of the site and click Edit Settings.
- Click Security on the left side of the page.
- Under Enterprise Logins, click the Set Identity Provider button and enter your organization's name in the window that opens.
You can only register one enterprise identity provider for your ArcGIS Online organization.
- Choose how members with enterprise logins will join your ArcGIS Online organization—automatically or through an invitation.
The automatic option allows members to join the organization by signing in with their enterprise login. With the invitation option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the automatic option, you can still invite members to join the organization.
- If you chose to invite members automatically, select the default license level and the role that members will be assigned. You can change the level and the role after the member has joined the organization.
- Provide ArcGIS Online with metadata information about your enterprise identity provider.
Do this by specifying the source that ArcGIS Online will access to obtain metadata information about the enterprise identity provider. There are three possible sources for this information:
- A URL—Enter a URL that returns metadata information about the identity provider.
- A File—Upload a file that contains metadata information about the identity provider.
- Parameters specified here—Directly enter the metadata information about the identity provider by supplying the following parameters:
Login URL (Redirect)—Enter the identity provider's URL (that supports HTTP redirect binding) that ArcGIS Online should use to allow a member to sign in.
Login URL (POST)—Enter the identity provider's URL (that supports HTTP POST binding) that ArcGIS Online should use to allow a member to sign in.
Certificate—Provide the certificate for the enterprise identity provider. This is the certificate that allows ArcGIS Online to verify the digital signature in the SAML responses sent to it from the enterprise identity provider.
Contact the administrator of the identity provider if you need help determining which source of metadata information you need to provide. You can also access steps for obtaining the necessary metadata from the following identity providers—Active Directory Federation Services (AD FS), NetIQ Access Manager, OpenAM, Shibboleth, and SimpleSAMLphp.
- Configure the following advanced settings as applicable:
- Encrypt Assertion—Choose this option to indicate to the SAML identity provider that ArcGIS Online supports encrypted SAML assertion responses. When this option is enabled, the identity provider will encrypt the assertion section of the SAML responses. Even though all SAML traffic to and from ArcGIS Online is already encrypted by the use of HTTPS, this option adds another layer of encryption.
- Enable Signed Request—Choose this option to have ArcGIS Online sign the SAML authentication request sent to the identity provider. Signing the initial login request sent by ArcGIS Online allows the identity provider to verify that all login requests originate from a trusted service provider.
- Propagate logout to Identity Provider—Choose this option to have ArcGIS Online use a logout URL to sign out the user from the identity provider. Enter the URL to use in the Logout URL setting. If the identity provider requires the logout URL to be signed, the Enable Signed Request option also needs to be checked. When this option is disabled, clicking Sign Out in ArcGIS Online will sign out the user from ArcGIS Online but not from the identity provider. If the user's web browser cache is not cleared, attempting to immediately sign back in to ArcGIS Online using the enterprise login option will result in an immediate login without needing to provide user credentials to the SAML identity provider. This is a security vulnerability that can be exploited when using a computer that is easily accessible to unauthorized users or to the general public.
- Update profiles on sign in—Check this box to automatically synchronize account information (full name and email address) stored in ArcGIS Online user profiles with the latest account information received from the identity provider. Checking this box allows your organization to verify, when a user signs in with an enterprise login, whether the identity provider information has changed since the account was first created and if so, to update the user's ArcGIS Online account profile accordingly.
- Logout URL—Enter the identity provider URL to use to sign out the currently signed in user. If this property is specified in the identity provider's metadata file, it is automatically set.
- Entity ID—Update this value to use a new entity ID to uniquely identify your ArcGIS Online organization to the SAML identity provider.
- To complete the configuration process and establish trust with the identity provider, download the corresponding metadata file for the service provider (in this case, ArcGIS Online) and register it with your enterprise identity provider. Download this file using the Get Service Provider button.
Modify the enterprise identity provider
You can remove the currently registered identity provider by using the Remove Identity Provider button. This button will be enabled only when you have set up an identity provider. Once you have removed the identity provider, you can set up a new one, if desired.