Skip To Content

Configure Shibboleth

You can configure Shibboleth 3.2x and 3.3.x as your identity provider (IDP) for enterprise logins in ArcGIS Online. The configuration process involves two main steps: registering your enterprise IDP with ArcGIS Online and registering ArcGIS Online with the enterprise IDP.

Required information

ArcGIS Online requires certain attribute information to be received from the IDP when a user signs in using enterprise logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response to make the federation with ArcGIS Online work. When a user from the IDP signs in, a new user with the user name NameID_<url_key_for_org> will be created by ArcGIS Online in its user store. The allowed characters for the value sent by the NameID attribute are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be escaped to contain underscores in the user name created by ArcGIS Online.

ArcGIS Online supports flow-in of the givenName and email address attributes of the enterprise login from the enterprise IDP. When a user signs in using an enterprise login, and if ArcGIS Online receives attributes with the names givenname and email, or mail (in any case), ArcGIS Online populates the full name and the email address of the user account with the values received from the IDP.

It's recommended that you pass in the email address from the enterprise IDP so the user can receive notifications. If the user has administrator privileges, they will also be able to send invitations to others users to join the organization.

Register Shibboleth as the enterprise IDP with ArcGIS Online

  1. Verify that you are signed in as an administrator of your organization and click Organization > Edit Settings > Security.
  2. In the Enterprise Logins section, click the Set Identity Provider button and enter your organization's name in the window that appears (for example, City of Redlands). When users access the portal website, this text displays as part of the SAML sign in option (for example, Using your City of Redlands account).
    Note:

    You can only register one enterprise IDP for your ArcGIS Online organization.

  3. Choose if users will be able to join the organization Automatically or Upon invitation from an administrator. Selecting the first option enables users to sign in to the organization with their enterprise login without any intervention from an administrator; their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to invite the necessary users to the organization. When the user receives the invitation, they will be able to sign in to the organization.
  4. Provide metadata information for the IDP using one of the two options below:
    • File—By default, Shibboleth provides the IdP metadata file in SHIBBOLETH_HOME/metadata. If the metadata file is accessible, choose the File option for the metadata of the enterprise IDP and browse to the SHIBBOLETH_HOME/metadata/idp-metadata.xml file. ArcGIS Online validates the signature in SAML assertion responses from Shibboleth using the first signing certificate in the IDP metadata file. However, by default, the first signature listed in the Shibboleth IDP metadata file is for back channel TLS communication, while the second one is for signing assertion responses. You will need to either comment out the first signature or move it below the second one, and use the updated metadata file to register Shibboleth with ArcGIS Online. The signatures are defined using the <KeyDescriptor use="signing"> element in the metadata file.
    • Parameters—Choose this option if the URL or federation metadata file is not accessible. Enter the values manually and supply the requested parameters: the login URL and the certificate, encoded in the BASE 64 format. Contact your Shibboleth administrator to obtain these.
  5. Configure the advanced settings as applicable:
    • Encrypt Assertion—Select this option if Shibboleth will be configured to encrypt SAML assertion responses.
    • Enable Signed Request—Select this option to have ArcGIS Online sign the SAML authentication request sent to Shibboleth.
    • Entity ID—Update this value to use a new entity ID to uniquely identify your ArcGIS Online organization to Shibboleth.
    Note:

    Currently, Propagate logout to Identity Provider and Logout URL are not supported.

Register ArcGIS Online as the trusted service provider with Shibboleth

  1. Configure ArcGIS Online as a relying party in Shibboleth.
    1. Obtain the metadata file of your ArcGIS Online organization and save it as an XML file.

      To get the metadata file, sign in as an administrator of your organization and open your organization page. Click the Edit Settings button, click the Security tab, and in the Enterprise Logins section, click the Get Service Provider button.

    2. Add ArcGIS Online as the trusted service provider in Shibboleth by defining a new MetadataProvider element in the SHIBBOLETH_HOME/conf/metadata-providers.xml file.

      Add the snippet below within the root MetadataProvider element. Provide the path to your organization's metadata XML file (saved in step 1.a above).

      <MetadataProvider id="EsriSP" xsi:type="FilesystemMetadataProvider"
      xmlns="urn:mace:shibboleth:2.0:metadata" 
      	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      	xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd"
      	failFastInitialization="true"
      	metadataFile=" <PATH_TO_THE_SAVED_METADATA>/esri-sp-metadata.xml" />
  2. Configure user authentication. In the following example, an LDAP Directory Server is configured as the user store by updating the necessary properties in the SHIBBOLETH_HOME/conf/ldap.properties: file.

    idp.authn.LDAP.authenticator = bindSearchAuthenticator

    idp.authn.LDAP.ldapURL = ldaps://myldap.example.org:port

    idp.authn.LDAP.baseDN = ou=People,dc=example,dc=org

    idp.authn.LDAP.userFilter= (uid={user})

    idp.authn.LDAP.bindDN = cn=readonlyuser,dc=example,dc=org

    idp.authn.LDAP.bindDNCredential = userpassword

  3. Configure the user attributes to be returned by Shibboleth.
    1. Edit SHIBBOLETH_HOME/conf/attribute-resolver.xml. Comment or delete all existing example attribute definitions and data connectors.
    2. Copy the definitions for mail and givenName from the SHIBBOLETH_HOME/conf/attribute-resolver-full.xml file to the SHIBBOLETH_HOME/conf/attribute-resolver.xml file.
    3. Copy the LDAP Data Connector section from SHIBBOLETH_HOME/conf/attribute-resolver-ldap.xml to SHIBBOLETH_HOME/conf/attribute-resolver.xml. Copy the definition for uid or any other attribute you want to return as the NAMEID attribute.
    4. Configure the attributes to release to the service provider. Edit the SHIBBOLETH_HOME/conf/attribute-filter.xml file and add the following:
    <AttributeFilterPolicy id="ArcGIS">
            <PolicyRequirementRule xsi:type="Requester" value="[The Entity ID of your ArcGIS Online organization]" />
    			<AttributeRule attributeID="<NameID Attribute>">
    				<PermitValueRule xsi:type="ANY" />
    			</AttributeRule>
    
    			<AttributeRule attributeID="givenName">
    				<PermitValueRule xsi:type="ANY" />
    			</AttributeRule>
    
    			<AttributeRule attributeID="mail">
    				<PermitValueRule xsi:type="ANY" />
    			</AttributeRule>
    		</AttributeFilterPolicy>
  4. Edit the SHIBBOLETH_HOME/conf/relying-party.xml file.
    1. Copy the XML code below and paste it inside the shibboleth.RelyingPartyOverrides elements to override the default configuration for the Shibboleth Identity Provider:
      <bean parent="RelyingPartyByName" c:relyingPartyIds="[The Entity ID of your ArcGIS Online organization]">
      <property name="profileConfigurations">
       <list>
        <bean parent="SAML2.SSO" 
         p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
       </list>
      </property>
      </bean>

      The nameIDFormatPrecedence parameter instructs the IDP to send the SAML name ID attribute in the unspecified format, which is required by ArcGIS Online and Portal for ArcGIS.

    2. Turn off assertion encryption in the Shibboleth Identity Provider by setting the encryptAssertions parameter to false.
      <bean parent="RelyingPartyByName" c:relyingPartyIds="[The Entity ID of your ArcGIS Online organization]">
      		<property name="profileConfigurations">
      			<list>
      				<bean parent="SAML2.SSO" 
      					p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" 
      					p:encryptAssertions="false" />
      			</list>
      		</property>
      		</bean>
  5. Edit the SHIBBOLETH_HOME/conf/saml-nameid.xml file and replace this section:
    <!--
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
       p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
       p:attributeSourceIds="#{ {'mail'} }" />
    -->

    with the following:

    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
                p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
                p:attributeSourceIds="#{ {'your-name-id-attribute'} }" />

  6. Restart the Shibboleth daemon (Linux) or service (Windows).