Set up SAML logins

Configuring organization-specific logins, such as SAML logins (previously known as enterprise logins), allows members of your organization to sign in to ArcGIS Online using the same logins they use to access your organization's internal systems. The advantage of setting up organization-specific logins using this approach is that members do not need to create additional logins within the ArcGIS Online system; instead, they can use the login that is already set up with the organization. When members sign in to ArcGIS Online, they provide their organization-specific username and password directly into your organization's login manager, also known as your organization's identity provider (IdP). Upon verification of the member's credentials, the IdP informs ArcGIS Online of the verified identity for the member who is signing in.

ArcGIS Online supports SAML 2.0 for configuring SAML logins. SAML is an open standard for securely exchanging authentication and authorization data between an IdP (your organization) and a service provider (SP). In this case, ArcGIS Online is compliant with the SAML 2.0 protocol and integrates with IdPs that support SAML 2.0, such as Active Directory Federation Services (AD FS), Google Workspace, and Okta.

You can configure the ArcGIS Online sign-in page to show only the SAML login, or show the SAML login along with any of the following options: ArcGIS login, OpenID Connect login (if configured), and social logins (if configured).

To ensure that your SAML logins are configured securely, review the best practices for SAML security.

In most situations, organizations set up their SAML logins using a single IdP. This IdP authenticates users accessing secured resources that are hosted across multiple service providers. The IdP and all service providers are managed by the same organization.

Note:

When a new version of the ArcGIS Online SAML signing and encryption certificate is available, administrators must update to the new certificate.

Another way to authenticate users with SAML logins is by configuring your organization to use a SAML-based federation of IdPs. In a SAML-based federation between multiple organizations, each member organization continues to use their own IdP but configures one or more of their SPs to work exclusively within the federation. To access a secured resource shared within the federation, a user authenticates their identity with their home organization's IdP. Once successfully authenticated, this validated identity is presented to the SP hosting the secured resource. The SP then grants access to the resource after verifying the user's access privileges.

SAML sign-in experience

ArcGIS Online supports SP-initiated SAML logins and IdP-initiated SAML logins. The sign-in experience is different for each.

SP-initiated logins

With SP-initiated logins, members access their ArcGIS Online website directly and see options to sign in using their SAML SP login or their ArcGIS login. If the member selects the SP option, they are redirected to a web page (known as the login manager) where they are prompted to provide their SAML username and password. Upon verification of the member’s credentials, the IdP informs ArcGIS Online of the verified identity of the member who is signing in, and the member is redirected back to their ArcGIS Online website.

If the member chooses the ArcGIS option, the sign-in page for ArcGIS Online appears. The member can then provide their ArcGIS username and password to access the website.

IdP-initiated logins

With IdP-initiated logins, members directly access their organization's login manager and sign in with their account. When the member submits their account information, the IdP sends the SAML response directly to ArcGIS Online. The member is then signed in and redirected to their ArcGIS Online website where they can immediately access resources without having to sign in to the organization again.

The option to sign in using an ArcGIS account directly from the login manager is not available with IdP-initiated logins. To sign in to ArcGIS Online using ArcGIS accounts, members must access their ArcGIS Online website directly.

Configure SAML logins

The process of configuring IdPs with ArcGIS Online is described below. Before proceeding, it is recommended that you contact the administrator of your IdP or federation of IdPs to obtain the required parameters for configuration. For example, if your organization uses Microsoft Entra ID, the administrator responsible for this is the person to contact to configure or enable SAML on the IdP side and obtain the necessary parameters for configuration on the ArcGIS Online side. You can also access and contribute to detailed third-party IdP configuration documentation in the ArcGIS/idp GitHub repository.

  1. Confirm that you are signed in as an administrator or custom role with privileges to configure security settings.
  2. At the top of the site, click Organization and click the Settings tab.
  3. If you plan to allow members to join automatically, configure default settings for new members first. If necessary, you can change these settings for specific members after they have joined the organization.
    1. Click New member defaults on the side of the page.
    2. Select the default user type and role for new members.
    3. Select the add-on licenses to automatically assign members when they join the organization.
    4. Select the groups to which members will be added when they join the organization.
    5. If credit budgeting is enabled for the organization, set the credit allocation for each new member to a specified number of credits or no limit.
    6. Optionally, enable Esri access for new members.

      A member whose account has Esri access enabled can use My Esri, take training courses, participate in Esri Community, add comments to ArcGIS Blog, and manage email communications from Esri. The member cannot enable or disable their own access to these Esri resources.

  4. Click Security on the side of the page.
  5. In the Logins section, click New SAML login.
  6. In the window that appears, select one of the following:
    • One identity provider—Allows users to sign in using their existing SAML credentials managed by your organization. This is the most common configuration.
    • A federation of identity providers—Allows users belonging to an existing interorganizational federation, such as the SWITCHaai federation, to sign in with credentials supported by the federation.
  7. Click Next.
  8. If you selected One identity provider, do the following:
    1. Provide the name of your organization.
    2. Choose how members with SAML logins will join your ArcGIS Online organization: automatically or through an invitation. The automatic option allows members to join the organization by signing in with their SAML login. With the invitation option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the automatic option, you can still invite members to join the organization or add them directly using their SAML ID.
    3. Provide ArcGIS Online with metadata information about your IdP by specifying the source that ArcGIS Online will access to obtain metadata information about the IdP.

      There are three possible sources for this information:

      • A URL—Provide a URL that returns metadata information about the IdP.
      • A File—Upload a file that contains metadata information about the IdP.
      • Parameters specified here—Directly provide the metadata information about the IdP by supplying the following parameters:
        • Login URL (Redirect)—Provide the IdP URL (that supports HTTP redirect binding) that ArcGIS Online will use to allow a member to sign in.
        • Login URL (POST)—Provide the IdP URL (that supports HTTP POST binding) that ArcGIS Online will use to allow a member to sign in.
        • Certificate—Provide the IdP's certificate, encoded in Base64 format. This is the certificate that allows ArcGIS Online to verify the digital signature in the SAML responses sent to it from the IdP.

      Note:

      Contact the administrator of the IdP if you need help determining which source of metadata information you need to provide.

  9. If you selected A federation of identity providers, do the following:
    1. Provide the name of your federation.
    2. Choose how members with SAML logins will join your ArcGIS Online organization: automatically or through an invitation. The automatic option allows members to join the organization by signing in with their SAML login. With the invitation option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the automatic option, you can still invite members to join the organization or add them directly using their SAML ID.
    3. Provide the URL to the centralized IdP discovery service hosted by the federation—for example, https://wayf.samplefederation.com/WAYF.
    4. Provide the URL to the federation metadata, which is an aggregation of the metadata of all IdPs and SPs participating in the federation.
    5. Copy and paste the certificate, encoded in Base64 format, that allows the organization to verify the validity of the federation metadata.
  10. Click Show advanced settings to configure the following advanced settings as applicable:
    • Allow Encrypted Assertion—Enable this option to indicate to the SAML IdP that ArcGIS Online supports encrypted SAML assertion responses. When this option is enabled, the IdP encrypts the assertion section of the SAML response. All SAML traffic to and from ArcGIS Online is already encrypted by the use of HTTPS, but this option adds another layer of encryption.
      Note:

      Some IdPs do not encrypt assertions by default. It is recommended that you ask your IdP administrator to ensure that encrypted assertions are enabled.

    • Enable signed request—Enable this option to have ArcGIS Online sign the SAML authentication request sent to the IdP. Signing the initial login request sent by ArcGIS Online allows the IdP to verify that all login requests originate from a trusted SP.
    • Propagate logout to Identity Provider—Enable this option to have ArcGIS Online use a logout URL to sign out the user from the IdP. Provide the URL to use in the Logout URL setting. If the IdP requires the logout URL to be signed, the Enable signed request option also must be turned on. When this option is unavailable, clicking Sign Out in ArcGIS Online will sign out the user from ArcGIS Online but not from the IdP. If the user's web browser cache is not cleared, attempting to immediately sign back in to ArcGIS Online using the SAML login option will result in an immediate login without needing to provide user credentials to the SAML IdP. This is a security vulnerability that can be exploited when using a computer that is easily accessible to unauthorized users or to the general public.
    • Update profiles on sign in—Enable this option to automatically synchronize account information (full name and email address) stored in ArcGIS Online user profiles with the latest account information received from the IdP. Enabling this option allows your organization to verify, when a user signs in with a SAML login, whether the IdP information has changed since the account was created and if so, to update the user's ArcGIS Online account profile accordingly.
    • Enable SAML based group membership—Enable this option to allow organization members to link specified SAML-based groups to ArcGIS Online groups during the group creation process. When you enable this option, organization members with the privilege to link to SAML groups have the option of creating an ArcGIS Online group whose membership is controlled by a SAML group managed by an external SAML IdP. Once a group is successfully linked to an external SAML-based group, each user's membership in the group is defined in the SAML assertion response received from the IdP every time the user signs in.

      To ensure that the ArcGIS Online group is successfully linked to the external SAML group, the creator of the group must provide the exact value of the external SAML group as it is returned in the attribute value of the SAML assertion. View the SAML assertion response from your SAML IdP to determine the value used to reference the group. The supported names, which are not case sensitive, for the attribute defining a user's group membership are as follows:

      • Group
      • Groups
      • Role
      • Roles
      • MemberOf
      • member-of
      • https://wso2.com/claims/role
      • http://schemas.xmlsoap.org/claims/Group
      • http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
      • urn:oid:1.3.6.1.4.1.5923.1.5.1.1
      • urn:oid:2.16.840.1.113719.1.1.4.1.25

      For example, a user signing in is a member of the SAML groups FullTimeEmployees and GIS Faculty. In the SAML assertion received from the IdP, as shown below, the name of the attribute that contains group information is MemberOf. In this example, to create a group linked to the SAML group GIS Faculty, the group creator must type GIS Faculty as the group name.

      <saml2p:Response>
        ...
        ...
        <saml2:Assertion>
          ...
          ...
          <saml2:AttributeStatement>
            ...
            ...
            <saml2:Attribute Name="MemberOf">
              <saml2:AttributeValue>FullTimeEmployees</saml2:AttributeValue>
              <saml2:AttributeValue>GIS Faculty</saml2:AttributeValue>
            </saml2:Attribute>
          </saml2:AttributeStatement>
        </saml2:Assertion>
      </saml2p:Response>

      The following is another example using ID values to identify the groups:

      <saml2p:Response>
        ...
        ...
        <saml2:Assertion>
          ...
          ...
          <saml2:AttributeStatement>
            ...
            ...
            <saml2:Attribute Name="urn:oid:2.16.840.1.113719.1.1.4.1.25" FriendlyName="groups">
              <saml2:AttributeValue>GIDff63a68d51325b53153eeedd78cc498b</saml2:AttributeValue>
              <saml2:AttributeValue>GIDba5debd8d2f9bb7baf015af7b2c25440</saml2:AttributeValue>
            </saml2:Attribute>
          </saml2:AttributeStatement>
        </saml2:Assertion>
      </saml2p:Response>

    • Logout URL—If you chose One identity provider in a previous step, provide the IdP URL to use to sign out the currently signed-in user. If this property is specified in the IdP's metadata file, it is automatically set.
    • Entity ID—Update this value to use a new entity ID to uniquely identify your ArcGIS Online organization to the SAML IdP or SAML federation.
  11. When finished, click Save.
  12. To complete the configuration process, establish trust with the federation's discovery service (if applicable) and your IdP by registering the ArcGIS Online SP metadata with them.
    There are two ways to obtain this metadata:
    • Click Download service provider metadata to download the metadata file for your organization.
    • Open the URL of the metadata file and save it as an .xml file on your computer. You can view and copy the URL in the Edit SAML login window under Link to download the service provider metadata.

    Links to instructions for registering the SP metadata with certified providers are available in the SAML IdPs section above. If you selected A federation of identity providers, once you've downloaded the SP metadata, contact the administrators of the SAML federation for instructions on how to integrate your SP metadata into the federation's aggregated metadata file. You will also need instructions from them to register your IdP with the federation.
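As an added example (not Esri's code and not part of ArcGIS Online), the following Python reproduces the lookup described for Enable SAML based group membership in step 10: it finds attributes whose name is in the supported list, ignoring case, and lists their values from a constructed response modelled on the MemberOf example, so the exact value the group creator must type is visible. It only reads attributes; a real SP must verify the response signature before trusting any of them.

```python
"""Lists the group values ArcGIS Online would read from a SAML assertion, so
the creator of a linked group can copy the exact value to type (step 10,
Enable SAML based group membership). Added example, not Esri's code."""
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names accepted for group membership (the list above). Matching on
# the name is case-insensitive, so the set is kept lower-cased.
GROUP_ATTRIBUTE_NAMES = {n.lower() for n in (
    "Group", "Groups", "Role", "Roles", "MemberOf", "member-of",
    "https://wso2.com/claims/role",
    "http://schemas.xmlsoap.org/claims/Group",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",
    "urn:oid:2.16.840.1.113719.1.1.4.1.25",
)}

# Constructed sample modelled on the MemberOf example above; the attribute
# name is deliberately lower-cased to show that the name match ignores case.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="mail">
        <saml2:AttributeValue>jdoe@example.org</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="memberof">
        <saml2:AttributeValue>FullTimeEmployees</saml2:AttributeValue>
        <saml2:AttributeValue>GIS Faculty</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def group_values(response_xml: str) -> list:
    """Return every value of every recognised group attribute, verbatim:
    linking requires the exact value as returned in the assertion."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name", "").lower() in GROUP_ATTRIBUTE_NAMES:
            values.extend(v.text or "" for v in attr.findall("saml2:AttributeValue", NS))
    return values


def can_link(response_xml: str, group_name: str) -> bool:
    """True when group_name matches an asserted group value exactly."""
    return group_name in group_values(response_xml)


if __name__ == "__main__":
    for value in group_values(SAMPLE_RESPONSE):
        print(repr(value))  # repr makes stray spaces visible
```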

Modify or remove the SAML IdP

When you've set up a SAML IdP, you can update the settings for it by clicking Configure login next to the currently registered SAML IdP. Update the settings in the Edit SAML login window.

To remove the currently registered IdP, click Configure login next to the IdP and click Delete login in the Edit SAML login window. Once you've removed an IdP, you can optionally set up a new IdP or federation of IdPs.

Best practices for SAML security

To enable SAML logins, you can configure ArcGIS Online as an SP for your SAML IdP. To ensure security, consider the following best practices.

Digitally sign the SAML login and logout requests and sign the SAML assertion response

Signatures are used to ensure the integrity of SAML messages and are a safeguard against man-in-the-middle (MITM) attacks. Digitally signing the SAML request also ensures that the request is sent by a trusted SP, allowing the IdP to better handle denial-of-service (DoS) attacks. Turn on the Enable signed request option in advanced settings when configuring SAML logins.

Note:

  • Enabling signed requests requires the IdP to be updated whenever the signing certificate used by the SP is renewed or replaced.
  • Enabling signed requests requires the SP (ArcGIS Online) to be updated whenever the signing certificate used by the IdP is renewed or replaced.

Configure the SAML IdP to sign the SAML response to prevent in-transit altering of the SAML assertion response.

Use the HTTPS endpoint of the IdP

Any communication between the SP, the IdP, and the user's browser that is sent over either an internal network or the internet in an unencrypted format can be intercepted by a malicious actor. If your SAML IdP supports HTTPS, it is recommended that you use the HTTPS endpoint to ensure the confidentiality of data transmitted during SAML logins.

Encrypt the SAML assertion response

Using HTTPS for SAML communication secures the SAML messages sent between the IdP and SP. However, signed-in users can still decode and view the SAML messages through the web browser. Enabling the encryption of the assertion response prevents users from viewing confidential or sensitive information communicated between the IdP and SP.

Note:

Enabling encrypted assertions requires the IdP to be updated whenever the encryption certificate used by the SP (ArcGIS Online) is renewed or replaced.

Securely manage the SAML IdP's signing certificate

It is recommended that you configure your SAML IdP to use a certificate with a strong cryptographic key for digitally signing the SAML assertion response. If the SAML IdP certificate is renewed, you must immediately update your ArcGIS Online organization's SAML configuration with the new certificate to ensure SAML logins continue working. It is recommended that you update the SAML IdP certificate when your ArcGIS Online organization is undergoing scheduled maintenance.

Note:

The certificate used to sign SAML requests and encrypt the assertion response is managed by ArcGIS Online and renewed annually.

After obtaining the new IdP certificate, encoded in Base64 format, from your SAML IdP administrator, do the following to replace the certificate for your organization's SAML login configuration:

  1. Obtain the latest SAML IdP metadata from your SAML IdP administrator.
  2. Confirm that you are signed in as an administrator or custom role with privileges to configure security settings.
  3. At the top of the site, click Organization and click the Settings tab.
  4. Click Security on the side of the page.
  5. In the Logins section, click Configure login next to the SAML login toggle button.
  6. In the Edit SAML login window, click File under Metadata source for Enterprise Identity Provider.
  7. Click Choose File and browse to and select the new IdP metadata file received from the SAML IdP administrator.
  8. Click Save to update the ArcGIS Online SAML login configuration to use the new certificate.
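Before the new metadata file is uploaded in step 7, it is worth confirming what it contains. The following Python is an added example (not ArcGIS Online code or Esri's): it maps a constructed IdP metadata document onto the fields listed under Parameters specified here in the configuration steps, reports the signing certificate with its SHA-256 fingerprint, and flags endpoints that are not HTTPS, as the best practices above advise. The certificate in the sample is a labelled placeholder string, not a real X.509 certificate.

```python
"""Pre-flight check of an IdP metadata file before it is uploaded as the
metadata source (step 7 above). Added example, not ArcGIS Online code: it
maps the file onto the 'Parameters specified here' fields and flags
endpoints that are not HTTPS, as the best practices above advise."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; the X509Certificate is Base64 of a placeholder string, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.org/idp"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.org/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_parameters(metadata_xml: str) -> dict:
    """Return the values to enter in the SAML login dialog, plus warnings."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    params = {"IdP entityID": root.get("entityID"), "Warnings": []}
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT:
            params["Login URL (Redirect)"] = sso.get("Location")
        elif sso.get("Binding") == POST:
            params["Login URL (POST)"] = sso.get("Location")
    slo = idp.find("md:SingleLogoutService", NS)
    if slo is not None:  # the value ArcGIS Online auto-fills into Logout URL
        params["Logout URL"] = slo.get("Location")
    # Only signing keys matter for 'Certificate'; no 'use' means signing and encryption.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"]
    if not certs or not certs[0]:
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(certs[0].split())  # drop line breaks added by XML formatting
    params["Certificate"] = b64
    params["Certificate SHA-256"] = hashlib.sha256(base64.b64decode(b64)).hexdigest().upper()
    for field in ("Login URL (Redirect)", "Login URL (POST)", "Logout URL"):
        url = params.get(field)
        if url and not url.lower().startswith("https://"):
            params["Warnings"].append(f"{field} is not HTTPS: {url}")
    return params
```

Comparing the Certificate SHA-256 of the new file with the one computed from the currently configured metadata confirms that the upload actually changes the certificate rather than re-uploading the expiring one.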