Configure Active Directory Federation Services

You can configure Active Directory Federation Services (AD FS) 2.0 with Update Rollup 3 applied, or AD FS 3.0 (Windows Server 2012 R2), as your identity provider (IDP) for enterprise logins in ArcGIS Online. The configuration has two main steps: registering your enterprise IDP with ArcGIS Online, and registering ArcGIS Online as a relying party with the enterprise IDP. The two registrations must agree on the same identifiers and endpoints (the ArcGIS Online entity ID and sign-in URL on the AD FS side, the AD FS login URL and token-signing certificate on the ArcGIS Online side); a mismatch on either side makes sign-in fail.

Required information

ArcGIS Online requires certain attribute information from the IDP when a user signs in with an enterprise login. The NameID attribute is mandatory: your IDP must send it in the SAML response for the federation with ArcGIS Online to work. ArcGIS Online uses the value of NameID as the unique identity of the named user, so send a value that is unique per user and never changes for the life of the account; if the IDP later sends a different NameID for the same person, ArcGIS Online treats it as a new user rather than updating the existing one. When a user from the IDP signs in for the first time, ArcGIS Online creates a user named NameID_<url_key_for_org> in its user store. The allowed characters in the NameID value are alphanumeric, _ (underscore), . (dot), and @ (at sign); any other character is replaced with an underscore in the user name that ArcGIS Online creates.

ArcGIS Online also accepts the given name and email address of the enterprise login from the enterprise IDP. When a user signs in with an enterprise login and ArcGIS Online receives attributes named givenname and email or mail (matched without regard to letter case), it populates the full name and the email address of the user account with the values received from the IDP.

Pass the email address from the enterprise IDP so the user can receive notifications. This matters if the user later becomes an administrator: an account with an email address receives notifications about administrative activity and can send invitations to other users to join the organization.

Register AD FS as the enterprise IDP with ArcGIS Online

  1. Verify that you are signed in as an administrator of your organization.
  2. At the top of the site, click Organization and click the Settings tab.
  3. Click Security on the left side of the page.
  4. In the Enterprise Logins section, select the One identity provider option, click the Set Enterprise Login button, and enter your organization's name in the window that appears (for example, City of Redlands). When users access the organization website, this text is displayed as part of the SAML sign-in option (for example, Using your City of Redlands account).
    Note:

    Selecting the One identity provider option allows you to register one enterprise IDP for your ArcGIS Online organization. If you want to authenticate users with enterprise logins from multiple IDPs, register a SAML-based federation instead of a single IDP.

  5. Choose whether users will be able to join the organization Automatically or Upon invitation from an administrator. With the first option, users sign in to the organization with their enterprise login without any intervention from an administrator; their account is registered with the organization the first time they sign in. With the second option, the administrator must invite the necessary users to the organization; once a user has received the invitation, they can sign in. Note that with Automatically, every account for which AD FS issues an assertion becomes a member of the organization on first sign-in, so either pair it with an AD FS issuance authorization rule that limits who can reach the relying party (see step 9 of the AD FS procedure below) or choose Upon invitation.
  6. Provide metadata information for the IDP using one of the options below:
    • URL—If the URL of AD FS federation metadata is accessible, select this option and enter the URL (for example, https://<adfs-server>/federationmetadata/2007-06/federationmetadata.xml).
    • File—Choose this option if the URL is not accessible. Download or obtain a copy of the federation metadata file from AD FS and upload the file to ArcGIS Online using the File option.
    • Parameters—Choose this option if neither the URL nor the federation metadata file is accessible. Enter the values manually: the login URL and the AD FS token-signing certificate, Base64 encoded. Contact your AD FS administrator to obtain these. ArcGIS Online uses this certificate to validate the signature on every SAML response it receives, so obtain it through a trusted channel and compare its thumbprint with the Token-Signing certificate shown in the AD FS management console (or by Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server) before you save it.
  7. Configure the advanced settings as applicable:
    • Encrypt Assertion—Select this option to have AD FS encrypt the SAML assertions it sends to ArcGIS Online. AD FS can only do this when the relying party trust holds an encryption certificate for ArcGIS Online; importing the ArcGIS Online service provider metadata (see the next section) supplies it.
    • Enable Signed Request—Select this option to have ArcGIS Online sign the SAML authentication request it sends to AD FS, so AD FS can reject requests that did not originate from your organization. AD FS verifies the signature with the ArcGIS Online request-signing certificate, which is included in the service provider metadata.
    • Propagate logout to Identity Provider—Select this option to have ArcGIS Online use a logout URL to sign the user out of AD FS as well. Enter the URL to use in the Logout URL setting. If the IDP requires the logout request to be signed, Enable Signed Request must also be checked.
      Note:

      By default, AD FS requires logout requests to be signed using SHA-256, so you need to check Enable Signed Request and Sign using SHA256.

    • Update profiles on sign in—Select this option to automatically synchronize account information (full name and email address) stored in ArcGIS Online user profiles with the latest account information received from the IDP. Checking this box allows your organization to verify, when a user signs in with an enterprise login, whether the IDP information has changed since the account was first created and if so, to update the user's ArcGIS Online account profile accordingly.
    • Enable SAML based group membership—Select this option to allow organization members to link specified SAML-based enterprise groups to ArcGIS Online groups during the group creation process.
    • Logout URL—The IDP URL to use to sign out the currently signed in user.
    • Entity ID—Update this value to use a new entity ID that uniquely identifies your ArcGIS Online organization to AD FS. Whatever value is set here must be entered as the relying party trust identifier in AD FS (step 8 in the next section); AD FS places that identifier in the Audience of the assertions it issues, and it must match the entity ID ArcGIS Online expects or sign-in fails.
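
The Parameters option above needs the AD FS login URL and the token-signing certificate. The following PowerShell script is added here as an example and is not code from Esri or Microsoft: it reads AD FS federation metadata (the document at the URL shown in step 6), pulls out the entity ID, the single sign-on endpoints and the Base64 signing certificate, and prints the certificate's SHA-1 thumbprint so you can compare it with Get-AdfsCertificate -CertificateType Token-Signing on the AD FS server before trusting it. The host adfs.example.com and the embedded sample metadata are constructed for the example; the sample certificate bytes are a placeholder, not a real certificate.

```powershell
# Added example (not Esri or Microsoft code): extract the values the ArcGIS Online
# "Parameters" option needs from AD FS federation metadata and show the signing
# certificate thumbprint for an out-of-band check. Save as Get-AdfsIdpSettings.ps1.
# adfs.example.com and the inline metadata below are constructed for this example.
param(
    [string]$MetadataUrl = 'https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml',
    [switch]$UseSample   # parse the constructed metadata below instead of fetching it
)

function Get-IdpSettings {
    param([Parameter(Mandatory = $true)][xml]$Metadata)

    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    $idp    = $Metadata.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor found: this is not identity provider metadata.' }

    # Collect every SingleSignOnService endpoint by binding so the login URL is read, not guessed.
    $sso = @{}
    foreach ($node in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
        $sso[$node.GetAttribute('Binding')] = $node.GetAttribute('Location')
    }

    # The signing KeyDescriptor holds the token-signing certificate ArcGIS Online
    # will use to validate assertion signatures.
    $certNode = $idp.SelectSingleNode(
        'md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if (-not $certNode) { throw 'No signing KeyDescriptor found in metadata.' }
    $certB64 = $certNode.InnerText -replace '\s', ''
    $der = [Convert]::FromBase64String($certB64)

    # Thumbprint in the form AD FS displays it: SHA-1 over the DER bytes, upper-case hex.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $thumb = ($sha1.ComputeHash($der) | ForEach-Object { $_.ToString('X2') }) -join ''

    [pscustomobject]@{
        EntityId          = $entity.GetAttribute('entityID')
        SingleSignOn      = $sso
        SigningCertBase64 = $certB64
        SigningThumbprint = $thumb
    }
}

# Constructed sample metadata. The certificate content is a placeholder, not an X.509 certificate.
$sampleCertB64 = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('CONSTRUCTED-SAMPLE-NOT-A-CERTIFICATE'))
[xml]$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$sampleCertB64</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

if ($UseSample) {
    $metadata = $sampleMetadata
} else {
    # Federation metadata is the trust anchor for the whole setup: never fetch it over plain HTTP.
    if ($MetadataUrl -notmatch '^https://') { throw 'Fetch federation metadata over HTTPS only.' }
    $metadata = [xml](Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
}

$settings = Get-IdpSettings -Metadata $metadata
"Entity ID          : $($settings.EntityId)"
foreach ($binding in $settings.SingleSignOn.Keys) {
    "Login URL ($($binding.Split(':')[-1])): $($settings.SingleSignOn[$binding])"
}
"Signing thumbprint : $($settings.SigningThumbprint)"
"Compare the thumbprint with: Get-AdfsCertificate -CertificateType Token-Signing (run on the AD FS server)"
"Certificate (Base64) to paste into the Parameters option:"
$settings.SigningCertBase64
```

Run it with -UseSample to see the output shape offline, then against your real metadata URL. Only paste the certificate into ArcGIS Online once the printed thumbprint equals the Token-Signing thumbprint reported by AD FS itself; that comparison is what protects you from a tampered metadata document or a wrong server.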

Register ArcGIS Online as the trusted service provider with AD FS

  1. Open the AD FS management console.
  2. Choose Relying Party Trusts > Add Relying Party Trust.
    AD FS management console
  3. In the Add Relying Party Trust Wizard, click the Start button.
    Welcome
  4. For Select Data Source, choose one option for obtaining data about the relying party: import from a URL, import from a file, or enter manually. URL and file options require that you obtain the metadata from your organization. If you don't have access to the metadata URL or file, you can enter the information manually. In some cases, entering the data manually may be the easiest option.
    • Import data about the relying party published online or on a local network
      Import data from a URL

      This option uses the URL metadata of your ArcGIS Online organization. The URL is https://<url_key_for_org>.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY.

      Generate a token with https://www.arcgis.com/sharing/rest/generateToken. You need to send an HTTP POST request programmatically and request JSON output (f=json). For more information, see ArcGIS REST API. The token is a bearer credential for the administrator account that generated it, and if relying party monitoring is enabled the URL containing it is stored in the AD FS relying party trust; use a short expiration, treat the URL as a secret, and prefer the file option below, which stores no token in AD FS at all.

    • Import data about the relying party from a file
      Import from a file

      This option uses a metadata.xml file from your ArcGIS Online organization. There are two ways you can get a metadata XML file:

      • On the organization page, click the Settings tab and click Security on the left side of the page. Click the Get Service Provider button. This gives the metadata for your organization, which you can save as an XML file on your computer.
      • Open the URL of the metadata of your ArcGIS Online organization and save as an XML file on your computer. The URL is https://<url_key_for_org>.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://<url_key_for_org>.maps.arcgis.com/sharing/rest/generateToken.
    • Enter data about the relying party manually
      Enter data manually

      With this option, the Add Relying Party Trust Wizard displays additional windows where you enter the data manually. These are explained in steps 6 through 8 below.

  5. For Specify Display Name, enter the display name.
    Example display name for a URL or file data source

    The display name is used to identify the relying party in AD FS. Outside of this, it doesn’t have any meaning. This should be set to either ArcGIS or to the name of the organization within ArcGIS, for example, ArcGIS—SamlTest.

    Tip:

    The above image shows the Specify Display Name window with the steps for importing the data source from a URL or file. If you chose to manually enter the data source information, you see additional steps on the left side of the wizard, which are explained in steps 6 through 8 below. If you selected URL or file, you can proceed to step 9.

  6. (Manual data source only) For Choose Profile, choose AD FS 2.0 profile (or a later AD FS version if applicable in your environment).
    Choose Profile
  7. (Manual data source only) For Configure URL, check the Enable support for the SAML 2.0 WebSSO protocol box and enter the URL for the relying party SAML 2.0 SSO service.
    Configure URL

    The relying party URL should be the URL where AD FS sends the SAML response after authenticating the user. This should be an HTTPS URL: https://<url_key_for_org>.maps.arcgis.com/sharing/rest/oauth2/saml/signin.

  8. (Manual data source only) For Configure Identifiers, enter the URL for the relying party trust identifier.
    Configure Identifiers

    This should be <url_key_for_org>.maps.arcgis.com, exactly as shown in the Entity ID setting in ArcGIS Online (Organization > Settings > Security). AD FS issues assertions with this identifier as the Audience, so the two values must match.

  9. For Choose Issuance Authorization Rules, choose Permit all users to access this relying party. This lets every account that AD FS can authenticate sign in to ArcGIS Online; if the organization is set to join users Automatically, each of them gets an ArcGIS Online account on first sign-in. To restrict access, edit the issuance authorization rules after the trust is created and permit only members of a specific Active Directory group instead.
    Choose Issuance Authorization Rules
    Tip:

    The above image shows the Choose Issuance Authorization Rules window with the steps for importing the data source from a URL or file. If you chose to manually enter the data source information, you see additional steps on the left side of the wizard.

  10. For Ready to Add Trust, review all the settings for the relying party. The metadata URL is only populated if you chose to import the data source from a URL. The second image below shows the Ready to Add Trust window if you chose to manually enter data source information.
    Example of Ready to Add Trust
    Example of Ready to Add Trust

    Click Next.

    Tip:

    If the Monitor relying party option is enabled, AD FS periodically fetches the federation metadata URL and compares it with the current state of the relying party trust. Monitoring fails once the token embedded in the metadata URL expires, and each failure is recorded in the AD FS event log. To stop these messages, disable monitoring or update the token in the URL.

  11. For Finish, check the box to automatically open the Edit Claim Rules dialog box after you click the Close button.
    Finish
    Tip:

    The above image shows the Finish window with the steps for importing the data source from a URL or file. If you chose to manually enter the data source information, you see additional steps on the left side of the wizard.

  12. To set the claim rules, open the Edit Claim Rules wizard and click Add Rule.
    Edit Claim Rules
  13. From Select Rule Template, select the Send LDAP Attributes as Claims template for the claim rule you want to create and click Next.
    Choose Rule Type
  14. From Configure Claim Rule, provide a name for the rule, for example, DefaultClaims.
    1. For Attribute store, select Active Directory.
    2. For Mapping of LDAP attributes to outgoing claim types, select the LDAP attribute that contains the user names (for example, SAM-Account-Name, or User-Principal-Name if that is the stable, unique identifier in your forest) for LDAP Attribute and NameID for Outgoing Claim Type.
      Note:

      NameID is the attribute that AD FS must send in the SAML response for the federation with ArcGIS to work. When a user from the IDP signs in for the first time, ArcGIS Online creates a user named NameID_<url_key_for_org> in its user store. The allowed characters in the NameID value are alphanumeric, _ (underscore), . (dot), and @ (at sign); any other character is replaced with an underscore in the user name that ArcGIS Online creates. Because the user name is derived from this value, pick an attribute that does not change when an account is renamed; a changed value produces a new ArcGIS Online user.

  15. ArcGIS Online supports inflow of the givenName, email address, and group attributes of the enterprise login from the enterprise IDP. When a user signs in using an enterprise login, and ArcGIS Online receives attributes named givenname and email or mail (matched without regard to letter case), ArcGIS Online populates the full name and the email address of the user account with the values received from the IDP. If you selected the Enable SAML based group membership option when registering AD FS as the enterprise IDP, the user's group membership is taken from the SAML assertion received from the identity provider every time the user successfully signs in.

    Follow the instructions below to edit the claims rules.

    Edit Rule - DefaultClaims
    • In the LDAP Attribute column, choose Display Name (or another attribute from the list that holds the user's name) and map it to Given Name in the Outgoing Claim Type column.
    • In the LDAP Attribute column, choose E-Mail-Addresses and map it to E-Mail Address in the Outgoing Claim Type column.
    • In the LDAP Attribute column, choose Token-Groups - Qualified by Domain Name and map it to Group in the Outgoing Claim Type column.

    With this rule, AD FS sends attributes named givenname, email, and group membership to ArcGIS Online after authenticating the user. ArcGIS Online uses the values received in the givenname and email attributes to populate the full name and the email address of the user account, and the values in the group attribute to update the user's group membership. For information on linking enterprise groups, see Create groups.

    It is recommended that you pass the email address from the enterprise IDP to ArcGIS Online. This matters if the user later becomes an administrator: an account with an email address receives notifications about administrative activity and can send invitations to other users to join the organization.

  16. Click Finish to finish configuring the AD FS IDP to include ArcGIS Online as a relying party.
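
The wizard steps above can be reproduced from the AD FS PowerShell module, which is useful for repeatable builds and for reviewing exactly what was configured. The script below is added here as an example and is not code from Esri or Microsoft. It creates the relying party trust with the ArcGIS Online sign-in URL and identifier from steps 7 and 8, the Permit all users authorization rule from step 9, and the Send LDAP Attributes as Claims rule from steps 14 and 15; it also shows a tighter authorization rule limited to one group. The organization key samltest, the group SID, and the metadata file path are assumptions; run it as an AD FS administrator on the federation server.

```powershell
# Added example (not Esri or Microsoft code): create the ArcGIS Online relying
# party trust and its claim rules from PowerShell, equivalent to wizard steps 1-16.
# $OrgKey, the group SID and the file path are assumptions for this example.
Import-Module ADFS

$OrgKey     = 'samltest'                                  # <url_key_for_org>
$OrgHost    = "$OrgKey.maps.arcgis.com"
$Identifier = $OrgHost                                    # step 8: must equal the Entity ID in ArcGIS Online
$AcsUrl     = "https://$OrgHost/sharing/rest/oauth2/saml/signin"   # step 7: where AD FS posts the SAML response

# Steps 14 and 15: Send LDAP Attributes as Claims. sAMAccountName becomes NameID;
# displayName, mail and domain-qualified token groups become givenname, emailaddress
# and Group. Use userPrincipalName instead if that is the stable, unique identifier
# in your forest; whichever you choose, a change of the value creates a new ArcGIS user.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "DefaultClaims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";sAMAccountName,displayName,mail,tokenGroups(domainQualifiedName);{0}",
          param = c.Value);
'@

# Step 9: "Permit all users". Every account AD FS can authenticate may then reach
# ArcGIS Online, and with automatic joining each one gets an account on first sign-in.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Tighter alternative: permit only members of one AD group, matched by SID.
# The SID below is a placeholder; replace it with your group's SID.
$permitGroup = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit ArcGIS Online users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1111111111-2222222222-3333333333-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 7: SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true

$trust = @{
    Name                       = "ArcGIS - $OrgKey"                                   # step 5: display name only
    Identifier                 = $Identifier
    SamlEndpoint               = $acs
    IssuanceAuthorizationRules = $permitAll                                            # swap for $permitGroup to restrict
    IssuanceTransformRules     = $transformRules
    SignatureAlgorithm         = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   # pairs with "Sign using SHA256" in ArcGIS Online
    SignedSamlRequestsRequired = $false   # set $true only after adding the ArcGIS Online request-signing certificate (-RequestSigningCertificate)
    MonitoringEnabled          = $false   # no metadata URL here, so nothing to monitor and no token-expiry event log noise
    Notes                      = 'ArcGIS Online SAML relying party, created by script'
}
Add-AdfsRelyingPartyTrust @trust

# Alternative matching the wizard's "Import from a file" option: the service provider
# metadata supplies the identifier, endpoints and ArcGIS Online certificates, and no
# token-bearing URL is stored in AD FS.
# Add-AdfsRelyingPartyTrust -Name "ArcGIS - $OrgKey" -MetadataFile 'C:\temp\arcgis-sp-metadata.xml' `
#     -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $transformRules -MonitoringEnabled $false

# Review what was created.
Get-AdfsRelyingPartyTrust -Name "ArcGIS - $OrgKey" |
    Select-Object Name, Identifier, SignatureAlgorithm, SignedSamlRequestsRequired, MonitoringEnabled
```

The metadata-file variant is the one to prefer when you also enable Encrypt Assertion or Enable Signed Request in ArcGIS Online, because AD FS needs the ArcGIS Online encryption and request-signing certificates for those options and the service provider metadata carries them; with the manual variant you would have to add them to the trust yourself.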