Configuring organization-specific logins, such as OpenID Connect logins, allows members of your organization to sign in to ArcGIS Online using the same logins they use to access your organization's internal systems. The advantage of setting up organization-specific logins using this approach is that members do not need to create additional logins within the ArcGIS Online system; instead, they can use the login that is already set up with the organization. When members sign in to ArcGIS Online, they provide their organization-specific username and password into your organization's login manager, also known as your organization's identity provider (IdP). Upon verification of the member's credentials, the IdP informs ArcGIS Online of the verified identity for the member who is signing in.
ArcGIS Online supports the OpenID Connect authentication protocol and integrates with IdPs such as Okta and Google that support OpenID Connect.
You can configure the ArcGIS Online sign-in page to show only the OpenID Connect login or show the OpenID Connect login along with any of the following options: ArcGIS login, SAML login (if configured), and social logins (if configured).
Configure OpenID Connect logins
The process of configuring an OpenID Connect IdP with ArcGIS Online is described below. Before proceeding, it is recommended that you contact the administrator of the IdP to obtain the parameters needed for configuration. You can also access and contribute to detailed third-party IdP configuration documentation in the ArcGIS/idp GitHub repository.
Note:
At this time, you can only configure one OpenID Connect IdP for your ArcGIS Online organization. The ability to configure more than one IdP will be supported in the future.
- Verify that you are signed in as an administrator of your organization.
- At the top of the site, click Organization and click the Settings tab.
- If you plan to allow members to join automatically without sending invitations, configure default settings for new members first. Otherwise, skip this step.
If necessary, you can change these settings for specific members after they have joined the organization.
- Click New member defaults on the side of the page.
- Select the default user type and role for new members.
- Select the add-on licenses to automatically assign members when they join the organization.
- Select the groups to which members will be added when they join the organization.
- If credit budgeting is enabled for the organization, set the credit allocation for each new member to a specified number of credits or no limit.
- Choose whether you want to enable Esri access for new members.
A member whose account has Esri access enabled can use My Esri, take training courses, participate in Esri Community, add comments to ArcGIS Blog, and manage email communications from Esri. The member cannot enable or disable their own access to these Esri resources.
- Click Security on the side of the page.
- In the Logins section, click New OpenID Connect login.
- In the Login button label box, type the text that you want to appear on the button that members use to sign in with their OpenID Connect login.
- Choose how members with OpenID Connect logins will join your organization: automatically or through an invitation.
The Automatically option allows members to join the organization by signing in with their OpenID Connect login. With the Upon invitation from an Admin option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the Automatically option, you can still invite members to join the organization or add them directly using their OpenID Connect ID. For more information, see Invite and add members.
- In the Registered client ID box, provide the client ID from the IdP.
- For Authentication method, specify one of the following:
- Client secret—Provide the registered client secret from the IdP.
- Public key / Private key—Choose this option to generate a public key or a public key URL for authentication.
Note:
Generating a new public/private key pair invalidates any existing public/private keys. If your IdP configuration uses a saved public key instead of the public key URL, generating a new key pair will require you to update the public key in your IdP configuration to prevent sign-in disruptions.
- In the Provider scopes/permissions box, provide the scopes to send along with the request to the authorization endpoint.
Note:
ArcGIS Online supports scopes corresponding to the OpenID Connect identifier, email, and user profile attributes. You can use the standard value of openid profile email for scopes if it is supported by your OpenID Connect provider. Refer to your OpenID Connect provider's documentation for the supported scopes.
- In the Provider issuer ID box, provide the identifier for the OpenID Connect provider.
- Fill in the OpenID Connect IdP URLs as follows:
Tip:
Refer to the IdP's well-known configuration (discovery) document, usually served at https://[IdPdomain]/.well-known/openid-configuration, for assistance with filling in the information below. The issuer, authorization_endpoint, token_endpoint, userinfo_endpoint, jwks_uri, and end_session_endpoint values in that document correspond to the fields that follow.
- For OAuth 2.0 authorization endpoint URL, provide the URL of the IdP's OAuth 2.0 authorization endpoint.
- For Token endpoint URL, provide the URL of the IdP's token endpoint for obtaining access and ID tokens.
- Optionally, for JSON web key set (JWKS) URL, provide the URL of the IdP's JSON Web Key Set document.
This document contains signing keys that are used to validate the signatures from the provider. This URL is only used if User profile endpoint URL (recommended) is not configured.
- For User profile endpoint URL (recommended), provide the endpoint for getting identity information about the user.
If you do not specify this URL, the JSON web key set (JWKS) URL option is used instead.
- For Logout endpoint URL (optional), provide the URL of the authorization server's logout endpoint.
This is used to sign out the member from the IdP when the member signs out from ArcGIS.
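The mapping from the discovery document to the form fields above, as an added example (not Esri code). The discovery document, the issuer value, and the function names are constructed for this example; the form labels are the ones used on this page. Beyond copying values, it rejects a document whose issuer is not the one you expect or whose endpoints are not https, and it checks the scopes and the S256 PKCE method that later steps depend on.

```python
"""Pull the values the ArcGIS Online OpenID Connect login form asks for out of
an IdP's discovery document (https://[IdPdomain]/.well-known/openid-configuration).

Added example, not Esri code. The discovery document and issuer below are
constructed for the example; the form-field labels are the ones on the page.
"""
import json
from urllib.parse import urlparse

# Constructed sample: the fields a typical IdP publishes (abbreviated).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/v1/logout",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "code_challenge_methods_supported": ["S256"],
})
# Constructed variant with a token endpoint served over plain http.
BAD_DISCOVERY = SAMPLE_DISCOVERY.replace(
    "https://idp.example.com/oauth2/v1/token", "http://idp.example.com/oauth2/v1/token")

# Discovery field -> label of the ArcGIS Online form field it fills.
FIELD_MAP = {
    "issuer": "Provider issuer ID",
    "authorization_endpoint": "OAuth 2.0 authorization endpoint URL",
    "token_endpoint": "Token endpoint URL",
    "jwks_uri": "JSON web key set (JWKS) URL",
    "userinfo_endpoint": "User profile endpoint URL",
    "end_session_endpoint": "Logout endpoint URL",
}
# Without these three the login cannot be configured at all.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint")


def extract_arcgis_settings(discovery_json: str, expected_issuer: str) -> dict:
    """Return {form label: value} for every endpoint the document publishes.

    Raises ValueError when a required field is missing, when the issuer is not
    the one you expect (in OpenID Connect the ID token's iss claim must equal
    this string exactly, so a mismatch shows up later as failed sign-ins), or
    when any endpoint is not served over https.
    """
    doc = json.loads(discovery_json)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc['issuer']!r} != {expected_issuer!r}")
    settings = {}
    for key, label in FIELD_MAP.items():
        value = doc.get(key)
        if value is None:
            continue  # optional endpoint not published; leave the form field blank
        if urlparse(value).scheme != "https":
            raise ValueError(f"{key} is not https: {value}")
        settings[label] = value
    return settings


def rejects(discovery_json: str, expected_issuer: str) -> bool:
    """True when extract_arcgis_settings refuses the document."""
    try:
        extract_arcgis_settings(discovery_json, expected_issuer)
    except ValueError:
        return True
    return False


def unsupported_scopes(discovery_json: str, requested: str) -> list:
    """Scopes from the Provider scopes/permissions box that the IdP does not
    advertise. Returns [] when the IdP publishes no scopes_supported list."""
    supported = json.loads(discovery_json).get("scopes_supported")
    if supported is None:
        return []
    return [s for s in requested.split() if s not in supported]


def supports_pkce_s256(discovery_json: str) -> bool:
    """True when the IdP advertises the S256 method the PKCE toggle relies on."""
    methods = json.loads(discovery_json).get("code_challenge_methods_supported", [])
    return "S256" in methods


if __name__ == "__main__":
    for label, value in extract_arcgis_settings(SAMPLE_DISCOVERY, "https://idp.example.com").items():
        print(f"{label}: {value}")
    print("unsupported scopes:", unsupported_scopes(SAMPLE_DISCOVERY, "openid profile email groups"))
    print("S256 supported:", supports_pkce_s256(SAMPLE_DISCOVERY))
```

Compare the issuer against the value you intend to type into Provider issuer ID, not against the document itself; a document fetched from the wrong host will happily describe that host.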
- Turn on the Send access token in header toggle button if you want the access token sent to the user profile endpoint in an HTTP request header instead of as a query-string parameter. Prefer the header when the IdP supports it: query strings are routinely recorded in web server, proxy, and browser history logs, whereas headers usually are not.
- Optionally, turn on the Use PKCE enhanced Authorization Code Flow toggle button.
When this option is turned on, the Proof Key for Code Exchange (PKCE) protocol is used to make the OpenID Connect authorization code flow more secure. Every authorization request creates a unique code verifier, and its transformed value, the code challenge, is sent to the authorization server to obtain the authorization code. The code challenge method used for this transformation is S256, which means that the code challenge is a Base64 URL-encoded, SHA-256 hash of the code verifier.
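The S256 exchange described in the paragraph above, as an added example that is not part of Esri's documentation or code. ArcGIS Online plays the OAuth client and the IdP plays the authorization server; both are simulated in-process so the flow runs offline, and the class and function names are this example's own. It also shows the case PKCE exists for: an attacker who captures the authorization code, and even the code challenge from the front-channel URL, cannot redeem the code without the verifier.

```python
"""PKCE (RFC 7636) with the S256 method, as used when the toggle above is on.

Added example, not Esri code. The authorization server and client below are
in-process stand-ins so the exchange can be run offline.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Fresh high-entropy verifier for one authorization request.
    32 random bytes encode to 43 characters, the RFC minimum, drawn only
    from the unreserved set [A-Za-z0-9-._~]."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))"""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


# Test vector from RFC 7636, Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


class AuthorizationServer:
    """Minimal stand-in for the IdP: binds each issued code to the challenge
    presented with it and checks the verifier at the token endpoint."""

    def __init__(self):
        self._pending = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        # Issued after the user authenticates; the code is single-use.
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        entry = self._pending.pop(code, None)  # a replayed code finds nothing
        if entry is None:
            return False
        challenge, method = entry
        if method != "S256":
            return False  # "plain" would let whoever saw the challenge replay it
        return hmac.compare_digest(s256_challenge(code_verifier), challenge)


def legitimate_exchange(server: AuthorizationServer) -> bool:
    """Client keeps the verifier, sends only the challenge, then proves possession."""
    verifier = make_code_verifier()
    code = server.authorize(s256_challenge(verifier), "S256")
    return server.token(code, verifier)


def stolen_code_exchange(server: AuthorizationServer) -> bool:
    """Attacker holds the code and the challenge but not the verifier,
    which never left the client, so the token endpoint refuses."""
    verifier = make_code_verifier()
    code = server.authorize(s256_challenge(verifier), "S256")
    attacker_guess = make_code_verifier()
    return server.token(code, attacker_guess)


def replayed_code_exchange(server: AuthorizationServer) -> tuple:
    """Codes are single-use: the second redemption fails even with the right verifier."""
    verifier = make_code_verifier()
    code = server.authorize(s256_challenge(verifier), "S256")
    return server.token(code, verifier), server.token(code, verifier)


if __name__ == "__main__":
    print("RFC vector ok:", s256_challenge(RFC_VERIFIER) == RFC_CHALLENGE)
    print("legitimate:", legitimate_exchange(AuthorizationServer()))
    print("stolen code:", stolen_code_exchange(AuthorizationServer()))
    print("replay:", replayed_code_exchange(AuthorizationServer()))
```

Turn the toggle on only after confirming the IdP lists S256 under code_challenge_methods_supported in its discovery document; an IdP that accepts only the plain method gives no protection against a captured challenge.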
- Optionally, turn on the Enable OpenID Connect login based group membership button to allow members to link specified OpenID Connect-based groups to ArcGIS Online groups during the group creation process.
When you enable this option, organization members with the privilege to link to OpenID Connect groups have the option of creating an ArcGIS Online group whose membership is controlled by an externally managed OpenID Connect identity provider. Once a group is successfully linked to an external OpenID Connect-based group, each user's membership in the group is defined in the OpenID Connect groups claim response received from the identity provider every time the user signs in.
To ensure that the ArcGIS Online group is successfully linked to the external OpenID Connect group, the creator of the group must provide the exact value of the external OpenID Connect group as it is returned in the attribute value of the OpenID Connect groups claim. View the groups claim response from your OpenID Connect identity provider to determine the value used to reference the group.
If you turn on the Enable OpenID Connect login based group membership button, make sure to add the groups scope in the Provider scopes/permissions box. Refer to your OpenID Connect provider's documentation for the supported scopes.
- Optionally, for ArcGIS username claim, provide the name of the claim from the ID token that will be used to set up the ArcGIS username.
The value you provide must adhere to the ArcGIS username requirements. An ArcGIS username must contain 6 to 128 alphanumeric characters and can include the following special characters: . (dot), _ (underscore), and @ (at sign). Other special characters, nonalphanumeric characters, and spaces are not allowed.
If you specify a value with fewer than six characters, or if the value matches an existing username, numbers are added to the value. If you leave this field blank, the username is created from the prefix of the email if available; otherwise, the ID claim is used to create the username.
- If you are using an OpenID Connect login, keep the default subject identifier (sub) attribute sent in the ID token from the OpenID Connect provider as the user identifier. If you need to use a custom claim for the user identifier, provide the name of the claim from the ID token that will be used to set up the user identifier.
Note:
The user identifier claim should be configured only once during the initial setup of the OpenID Connect login. If you change the user identifier after setting up the OpenID Connect login, either from default to a custom value or from one custom value to another, user accounts created before the change will no longer work.
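How the three claim-based settings above fit together (the groups claim for linked groups, the ArcGIS username claim with its fallbacks and character rules, and the user identifier claim), as an added example that is not Esri code. The claims payload, the linked-group table, and the function names are constructed for this example. The page says digits are added to a username that is too short or already taken but not which digits; this example zero-pads to six characters and appends a counter, which is an assumption.

```python
"""Map ID token claims to the ArcGIS Online account fields configured above:
the user identifier claim, the ArcGIS username, and linked group membership.

Added example, not Esri code. The claims and group links are constructed.
The exact digits appended to short or duplicate usernames are an assumption.
"""
import re

DISALLOWED = re.compile(r"[^A-Za-z0-9._@]")  # only letters, digits, . _ @ allowed
MIN_LEN, MAX_LEN = 6, 128


def derive_username(claims: dict, username_claim=None, existing=frozenset()) -> str:
    """ArcGIS username per the page: the configured claim if set, else the
    local part of the email, else the ID (sub) claim; restricted to the
    allowed characters and 6-128 length, with digits added when the value is
    short or already in use."""
    if username_claim and claims.get(username_claim):
        base = str(claims[username_claim])
    elif "@" in str(claims.get("email", "")):
        base = claims["email"].split("@", 1)[0]
    else:
        base = str(claims["sub"])
    base = DISALLOWED.sub("", base)[:MAX_LEN]
    suffix = 0
    while True:  # assumption: zero-pad to six, then count up on collisions
        candidate = base if suffix == 0 else base + str(suffix)
        candidate = candidate.ljust(MIN_LEN, "0")[:MAX_LEN]
        if candidate not in existing:
            return candidate
        suffix += 1


def linked_group_membership(claims: dict, linked_groups: dict) -> list:
    """ArcGIS groups whose linked external value appears, exactly and
    case-sensitively, in the groups claim. Membership is recomputed from the
    claim on every sign-in, so a renamed or missing claim silently drops the member."""
    external = claims.get("groups") or []
    if not isinstance(external, list):
        external = [external]  # some IdPs emit a single string for one group
    external = set(str(g) for g in external)
    return [name for name, ext in linked_groups.items() if ext in external]


def resolve_member(claims, username_claim=None, identifier_claim="sub",
                   existing=frozenset(), linked_groups=None) -> dict:
    """Everything ArcGIS Online needs from one sign-in. The identifier is the
    stable key for the account (hence the note above about never changing
    the claim once members exist); if it is absent the sign-in must fail
    rather than fall back to another claim."""
    identifier = claims.get(identifier_claim)
    if not identifier:
        raise ValueError(f"ID token has no {identifier_claim!r} claim")
    return {
        "user_identifier": str(identifier),
        "username": derive_username(claims, username_claim, existing),
        "groups": linked_group_membership(claims, linked_groups or {}),
    }


# Constructed sample claims, shaped like the payload of an ID token.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "00u1abcdefXYZ",
    "email": "jane.doe@example.com",
    "preferred_username": "jdoe",
    "groups": ["GIS-Editors", "Staff"],
}
# Constructed: ArcGIS group name -> external value typed by the group creator.
# "gis-viewers" differs only in case from a real group and so never matches.
SAMPLE_LINKS = {"Editors": "GIS-Editors", "Viewers": "gis-viewers"}

if __name__ == "__main__":
    print(resolve_member(SAMPLE_CLAIMS, linked_groups=SAMPLE_LINKS))
    print(resolve_member(SAMPLE_CLAIMS, username_claim="preferred_username",
                         existing={"jdoe00"}, linked_groups=SAMPLE_LINKS))
```

Decode a real ID token from your IdP (the payload is base64url JSON) and run it through resolve_member before enabling group linking; the value a group creator must type is whatever linked_group_membership would have to match, character for character.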
- When you're finished, click Save.
- Click the Configure login link next to OpenID Connect login.
- To complete the configuration process, copy the generated Login Redirect URI and Logout Redirect URI (if applicable), and add them to the list of allowed callback URLs for the OpenID Connect IdP. If applicable, copy the public key or public key URL for the OpenID Connect IdP.
Modify or remove the OpenID Connect IdP
When you've set up an OpenID Connect IdP, you can update its settings by clicking Configure login next to the currently registered IdP. Update your settings in the Edit OpenID Connect login window.
To remove the currently registered IdP, click Configure login next to the IdP and click Delete login in the Edit OpenID Connect login window.
Note:
An OpenID Connect login cannot be deleted until all members from the provider are removed.