Skip To Content

Configure G Suite

You can configure G Suite as your identity provider (IDP) for enterprise logins in ArcGIS Online. The configuration process involves two main steps: registering your enterprise IDP with ArcGIS Online and registering ArcGIS Online with the enterprise IDP.

Required information

ArcGIS Online requires certain attribute information to be received from the IDP when a user signs in using enterprise logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response to make the federation with ArcGIS Online work. Since ArcGIS Online uses the value of NameID to uniquely identify a named user, it is recommended that you use a constant value that uniquely identifies the user. When a user from the IDP signs in, a new user with the user name NameID_<url_key_for_org> will be created by ArcGIS Online in its user store. The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be escaped to contain underscores in the user name created by ArcGIS Online.

ArcGIS Online supports inflow of the givenName and email address attributes of the enterprise login from the enterprise IDP. When a user signs in using an enterprise login, and if ArcGIS Online receives attributes with the names givenname and email or mail (in any case), ArcGIS Online populates the full name and the email address of the user account with the values received from the IDP.

It's recommended that you pass in the email address from the enterprise IDP so the user can receive notifications. This helps if the user later becomes an administrator. Having an email address in the account entitles the user to receive notifications regarding any administrative activity and send invitations to other users to join the organization.

Configure enterprise logins


The following steps require a Google account with super administrator privileges for the G Suite subscription.

  1. Log in to your Google Admin console ( to access the administrator dashboard.
  2. From the Admin console Home page, go to Apps.

    To see Apps on the Home page, you might need to click More controls at the bottom. You can also use the main menu to access Apps.

  3. Click SAML Apps and click the plus (+) button in the bottom corner.
  4. In the window that appears, click Set up My Own Custom App.
  5. In the Google IdP Information window, for Option 2, click Download to download the IDP metadata. Save this file to a location on your local storage.
  6. Click Next.
  7. Open a new browser window and go to ArcGIS Online.
  8. Verify that you are signed in as an administrator of your organization.
  9. At the top of the site, click Organization and click the Settings tab.
  10. Click Security on the left side of the page.
  11. In the Enterprise Logins section, select the One identity provider option, click the Set Enterprise Login button, and type your organization's name in the window that appears (for example, City of Redlands). When users access the organization website, this text displays as part of the SAML sign in option (for example, Using your City of Redlands account).
  12. Choose Automatically or Upon invitation from an administrator to specify how users are able to join the organization. Selecting the first option enables users to sign in to the organization with their enterprise login without any intervention from an administrator; their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to invite the necessary users to the organization. When the user receives the invitation, they will be able to sign in to the organization.
  13. Provide metadata information for the IDP by choosing the File option. Use the IDP metadata file that you downloaded earlier.
  14. Leave the advanced settings unchanged and click Set Identity Provider.
  15. Click Get Service Provider and save the service provider metadata file locally.

    Information in this file will be used to register the organization as the trusted service provider with G Suite.

  16. Open the file in a text editor, such as Notepad.
  17. Return to the browser window for the Google Admin console. In the Basic Information for your Custom App window, type a name for your application and click Next.
  18. In the Service Provider Details window, complete the following parameters using the content from the organization's metadata file:
    1. For ACS URL, copy the value of the AssertionConsumerService element.

      Example: https://[org name]

    2. For Entity ID, copy the value of the entityID attribute.

      Example: [org name]

    3. For Start URL, copy the value of the OrganizationURL attribute.

      Example: https://[org name]

    4. Leave Name ID as Basic Information Primary Email (or another unique attribute that your G Suite subscription uses).
    5. Leave Name ID Format as Unspecified.
  19. Click Next.
  20. In the Attribute Mapping window, type givenName, choose Basic Information, and then choose First Name.
  21. Click Finish to complete the configuration.
  22. Click Edit Service. For Service status, choose On for everyone and click Save.