You can manage logins for your organization by customizing the sign-in page, updating login types, rotating security certificates, enforcing multifactor authentication, and creating custom sign-in categories for your organization.
Manage login types
When you change a login type, the affected members are signed out of their accounts. They receive an email confirming the change.
Note:
It is recommended that administrators generate a member's report before changing login types.
To change how members sign in to your organization, complete the following steps:
- Verify that you are signed in to your organization.
Your account must be a member of the default administrator role.
- Click Security on the Settings tab of your organization page.
- Under Logins, click Change member login.
The Change login type window appears with the Choose login type tab visible.
- Choose Change login type or Keep login type.
Note:
Changing social login type is not supported.
- Click Next.
- Do one of the following:
- If you selected Change login type, select options for Current login type and New login type.
- If you selected Keep login type, select the Current login type value.
- Click Next.
The Select members tab appears.
- Choose a method for selecting member accounts to apply login type changes.
- Click Next.
- Do one of the following:
- If you chose Select members from a CSV file in step 8, upload a comma-separated values file (.csv) containing the appropriate member logins.
Note:
Click Download CSV template to view and use a properly formatted .csv file.
- If you chose Manual selection in step 8, search or filter to find and select the appropriate member logins.
- Click Next.
The User details tab appears.
- Optionally, if you are changing to SAML or OpenID Connect (OIDC) logins, input SAML or OIDC IDs and temporary passwords for the selected members.
Temporary passwords will automatically be assigned if you do not input values.
- Click Next.
The Re-authentication required tab appears.
- Click Open a new window to re-authenticate.
A new browser window opens.
- Sign in to ArcGIS Online and authenticate your account.
The Copy authentication key window appears.
- Click Copy and continue.
The browser window closes, and the Re-authenticate tab appears.
- Click Paste.
- Optionally, if you need a new authentication key, click Generate a new key, and follow steps 11-13.
- Click Next.
The Confirm and complete tab appears.
Tip:
You can click Download CSV of changes.
- Review your proposed login changes, and click I acknowledge and understand the impact of this change.
- Click Change logins.
The Change login type percent complete window appears showing the progress of login type changes.
Caution:
Do not close this window or click back on your browser while this process completes.
You are returned to Security on the Settings tab of your organization page. An alert will appear on the screen showing the results of the login changes.
- Click Download CSV of changes.
Caution:
This is the only opportunity to download the results of your changes.
Login changes will automatically sign out members.
The login type for your organization is changed. Members will receive an email confirming the change.
Manage certificates and keys
Organization-specific logins, such as SAML logins, use certificate and key pairs to support signed requests and encrypted assertions. The certificate used to sign SAML requests and encrypt the assertion response is managed in ArcGIS Online. A default certificate and key pair are provided. You can continue using the default, generate a self-signed certificate, or upload an authority-signed certificate.
Note:
The functionality to manage certificates and keys is in beta. To use this functionality, you must turn off the Block Esri apps and capabilities while they are in beta toggle button.
Learn more about managing SAML security certificates
Generate a self-signed certificate and key pair
To generate a self-signed certificate and key pair, complete the following steps:
- Verify that you are signed in to the organization.
Your account must be a member of the default administrator role or a custom role assigned the set of privileges to configure the organization's security settings.
- Click Security on the Settings tab of your organization page.
- Click Generate self-signed certificate key pair.
The Generate self-signed certificate key pair window appears.
- Provide a certificate name and description.
- Click Generate.
A certificate unique to your organization is created and is visible in the table under Certificates and keys. This certificate can be configured for use as the ArcGIS Online service provider signing certificate, encryption certificate, or both.
Upload a signed certificate and key pair
To upload a signed certificate and key pair in your ArcGIS Online organization, complete the following steps:
- Verify that you are signed in to the organization.
Your account must be a member of the default administrator role or a custom role assigned the set of privileges to configure the organization's security settings.
- Click Security on the Settings tab of your organization page.
- Click Upload signed certificate and key pair.
The Upload signed certificate and key window appears.
- Provide a certificate name and description.
- Do one of the following:
- Click Certificate data, and provide the private key and public certificate.
- Click File upload, and choose files for the private key and public certificate from your device.
You can only upload the private key and public certificate in Privacy Enhanced Mail (PEM) format.
- Click Upload.
The certificate you provided is visible in the table under Certificates and keys. This certificate can be configured for use as the ArcGIS Online service provider signing certificate, encryption certificate, or both.
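A pre-upload check for the pair, as an added example that is not part of Esri's documentation or tooling: it confirms that both files are PEM, that the private key belongs to the certificate, and that the certificate has not expired. The function names, file names, and the throwaway self-signed sample pair are assumptions made for the example, and it requires the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example: pre-upload check for a PEM certificate and private key.
# Return codes: 0 ok, 1 not PEM, 2 unreadable, 3 pair mismatch, 4 expired.
check_pem_pair() {
  local cert="$1" key="$2" cert_pub key_pub
  # PEM files carry text armor; DER files do not, and the upload takes PEM only.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "certificate is not PEM"; return 1; }
  grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key" || { echo "private key is not PEM"; return 1; }
  # Extract the public key from each side; the empty passphrase avoids a prompt.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "cannot parse certificate"; return 2; }
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || { echo "cannot read private key"; return 2; }
  # The pair belongs together only if both sides yield the same public key.
  [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match"; return 3; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate has expired"; return 4; }
  echo "ok: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed sample: a throwaway self-signed pair, valid for one day.
make_sample_pair() {  # usage: make_sample_pair <dir> <name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example.invalid" \
    -keyout "$1/$2.key.pem" -out "$1/$2.cert.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT   # do not leave sample private keys on disk
make_sample_pair "$demo_dir" sp-a
make_sample_pair "$demo_dir" sp-b
check_pem_pair "$demo_dir/sp-a.cert.pem" "$demo_dir/sp-a.key.pem"          # matching pair
check_pem_pair "$demo_dir/sp-a.cert.pem" "$demo_dir/sp-b.key.pem" || true  # key from the other pair
```
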
Create a custom sign-in category
To create a custom sign-in category for your organization, complete the following steps:
- Verify that you are signed in as a member of the default administrator role or a custom role that has the set of privileges to manage the organization's security settings.
- Click Security on the Settings tab of your organization page.
- Turn on the Allow customization of the sign-in experience for your organization and OAuth 2.0 applications toggle button.
This option is disabled by default.
- Click Create a custom sign-in category.
Note:
You can configure a maximum of 100 custom sign-in categories.
The Create sign-in category pane appears.
- Optionally, in the Choose how to start pane, choose a category other than the Organizational default option. Click the drop-down arrow under Select a sign-in category to start from and choose an option.
The sign-in methods reflect what is authorized under the Logins section for your organization, such as ArcGIS login, Open ID, or Social logins.
- Click Next.
- Provide a title and description in the Title and Description fields, respectively, for your category.
The title you choose will appear as an option under Select account type when a user signs in to the organization.
- Click Next.
- Optionally, use the Login types pane to enable access to login categories and alter the Title value of login categories once they are enabled.
At least one login type must be enabled to create a category.
Tip:
Uncheck the Enable sign-in category check box if you want to set up the category but are not ready for users to sign in with the category. You can enable the category by turning on the toggle button next to the category name in the Custom sign-in section of the Security section in your organizational settings.
- Click Create category.
Note:
Once you create and enable a custom sign-in category, the organizational default will not appear when users sign in to the organization.
The category appears under the Custom sign-in section of the Security section in your organizational settings.
- Optionally, click Preview sign-in page to see what users will see when they sign in. To update the custom sign-in category, click Configure.
Manage multifactor authentication
Administrators can enforce multifactor authentication across their organization to ensure that members with ArcGIS logins are in compliance with security policies when signing in to ArcGIS Online, improving the security of their organization. When multifactor authentication is enforced, members with ArcGIS logins will be required to set up multifactor authentication for their accounts in order to sign in. Members will no longer be able to disable multifactor authentication for their own account, and they must contact their administrator to reset their multifactor authentication settings.
Disabling multifactor authentication enforcement allows members to disable multifactor authentication for their own account and does not disable multifactor authentication for members that have it set up. They will continue to be prompted to sign in using multifactor authentication.
Administrators can also exempt members using ArcGIS logins from being required to set up multifactor authentication in order to sign in. Members on the exemption list can enable and disable multifactor authentication for their own account through their settings page.
Note:
Enforcing multifactor authentication signs out any members with ArcGIS logins who have not yet enabled multifactor authentication, interrupting all ongoing work and processes. Reach out to your members in advance to give them enough time to set up multifactor authentication before enabling multifactor authentication enforcement. To avoid unwanted disruptions, you can temporarily add members to the multifactor authentication exemption list.
To enforce multifactor authentication, complete the following steps:
- Verify that you are signed in as a member of the default administrator role or a custom role that has the set of privileges to manage the organization's security settings.
- At the top of the site, click Organization, and click the Settings tab.
- Under Security, click Enforce MFA.
Tip:
Optionally, click Manage exemption list to add any users that will retain the ability to enable or disable multifactor authentication. If multifactor authentication is not enforced, the exemption list will have no effect. Click Save when finished.
A new window appears.
- Click Enforce.
The MFA enforcement is currently in effect label appears in the security settings under MFA Enforcement.
If you later decide to disable multifactor authentication enforcement, repeat the steps above but click Disable MFA enforcement in step 3.