Configuring organization-specific logins, such as OpenID Connect logins, allows members of your organization to sign in to ArcGIS Online using the same logins they use to access your organization's internal systems. The advantage of setting up organization-specific logins using this approach is that members do not need to create additional logins within the ArcGIS Online system; instead, they can use the login that is already set up with the organization. When members sign in to ArcGIS Online, they provide their organization-specific username and password into your organization's login manager, also known as your organization's identity provider (IDP). Upon verification of the member's credentials, the IDP informs ArcGIS Online of the verified identity for the member who is signing in.
ArcGIS Online supports the OpenID Connect authentication protocol and integrates with IDPs such as Okta and Google that support OpenID Connect.
You can configure the ArcGIS Online sign-in page to show only the OpenID Connect login or show the OpenID Connect login along with any of the following options: ArcGIS login, SAML login (if configured), and social logins (if configured).
Configure OpenID Connect logins
The process of configuring an OpenID Connect IDP with ArcGIS Online is described below. Before proceeding, it is recommended that you contact the administrator of the IDP to obtain the parameters needed for configuration. You can also access and contribute to detailed third-party IDP configuration documentation in the ArcGIS/idp GitHub repository.
At this time, you can only configure one OpenID Connect IDP for your ArcGIS Online organization. The ability to configure more than one IDP will be supported in the future.
- Verify that you are signed in as an administrator of your organization.
- At the top of the site, click Organization and click the Settings tab.
- If you plan to allow members to join automatically without sending invitations, configure default settings for new members first. Otherwise, skip this step.
If necessary, you can change these settings for specific members after they have joined the organization.
- Click New member defaults on the side of the page.
- Select the default user type and role for new members.
- Select the add-on licenses to automatically assign members when they join the organization.
- Select the groups to which members will be added when they join the organization.
- If credit budgeting is enabled for the organization, set the credit allocation for each new member to a specified number of credits or no limit.
- Choose whether you want to enable Esri access for new members.
- Click Security on the side of the page.
- In the Logins section, click New OpenID Connect login.
- In the Login button label box, type the text that you want to appear on the button that members use to sign in with their OpenID Connect login.
- Choose how members with OpenID Connect logins will join your organization: automatically or through an invitation.
The Automatically option allows members to join the organization by signing in with their OpenID Connect login. With the Upon invitation from an Admin option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the Automatically option, you can still invite members to join the organization or add them directly using their OpenID Connect ID. For more information, see Invite and add members.
- In the Registered client ID box, provide the client ID from the IDP.
- In the Registered client secret box, provide the client secret from the IDP.
- In the Provider scopes/permissions box, provide the scopes to send along with the request to the authorization endpoint.
ArcGIS Online supports scopes corresponding to the OpenID Connect identifier, email, and user profile attributes. You can use the standard value of openid profile email for scopes if it is supported by your OpenID Connect provider. Refer to your OpenID Connect provider's documentation for the supported scopes.
- In the Provider issuer ID box, provide the identifier for the OpenID Connect provider.
- Fill in the OpenID Connect IDP URLs as follows:
Refer to the well-known configuration document for the IDP—for example, in https:/[IdPdomain]/.well-known/openid-configuration—for assistance with filling in the information below.
- For OAuth 2.0 authorization endpoint URL, provide the URL of the IDP's OAuth 2.0 authorization endpoint.
- For Token endpoint URL, provide the URL of the IDP's token endpoint for obtaining access and ID tokens.
- Optionally, for JSON web key set (JWKS) URL, provide the URL of the IDP's JSON Web Key Set document.
This document contains signing keys that are used to validate the signatures from the provider. This URL is only used if the User profile endpoint URL (recommended) is not configured.
- For User profile endpoint URL (recommended), provide the endpoint for getting identity information about the user.
If you do not specify this URL, the JSON web key set (JWKS) URL is used instead.
- Optionally, for Logout endpoint URL (optional), provide the URL of the authorization server's logout endpoint.
This is used to sign out the member from the IDP when the member signs out from ArcGIS.
- Turn on the Send access token in header toggle button if you want to have the token sent in a header instead of a query string.
- Optionally, turn on the Use PKCE enhanced Authorization Code Flow toggle button.
When this option is turned on, the Proof Key for Code Exchange (PKCE) protocol is used to make the OpenID Connect authorization code flow more secure. Every authorization request creates a unique code verifier, and its transformed value, the code challenge, is sent to the authorization server to obtain the authorization code. The code challenge method used for this transformation is S256, which means that the code challenge is a Base64 URL-encoded, SHA-256 hash of the code verifier.
- Optionally, for ArcGIS username field/claim name, provide the name of the claim from the ID token that will be used to set up the ArcGIS username.
The value you provide must adhere to the ArcGIS username requirements. An ArcGIS username must contain 6 to 128 alphanumeric characters and can include the following special characters: . (dot), _ (underscore), and @ (at sign). Other special characters, nonalphanumeric characters, and spaces are not allowed.
If you specify a value with fewer than six characters, or if the value matches an existing username, numbers are added to the value. If you leave this field blank, the username is created from the prefix of the email if available; otherwise, the ID claim is used to create the username.
- To complete the configuration process, copy the generated Login Redirect URI and Logout Redirect URI (if applicable), and add them to the list of allowed callback URLs for the OpenID Connect IDP.
- When you're finished, click Save.
Modify or remove the OpenID Connect IDP
When you've set up an OpenID Connect IDP, you can update its settings by clicking Configure login next to the currently registered IDP. Update your settings in the Edit OpenID Connect login window.
To remove the currently registered IDP, click Configure login next to the IDP and click Delete login in the Edit OpenID Connect login window.