Learn to configure Enterprise logins to allow users to access ArcGIS Online using their existing login credentials, ensuring a simplified and secure single sign-on experience. Explore account creation options and the underlying concepts of Enterprise logins. Discover the prerequisites, certified identity providers, and the process of migrating to Enterprise logins. Utilize tools like ArcGIS Online Assistant and Geo-Jobe AdminTools.
Using Your Own Authentication System with ArcGIS Online
Carsten Piepel
Overview
At the end of this demo theater you will know how to configure Enterprise logins, which will allow your organization’s users to log in to ArcGIS Online using the same logins that they use to access your enterprise information systems.
Account Creation Options for Adding Members
• Built-in ArcGIS Accounts:
  • Pre-create user accounts
  • Invite users using pre-established usernames
  • Invite existing users
• Enterprise Accounts:
  • Automatic account creation on first login
  • By invitation
Why Enterprise Logins?
• No need to remember multiple logins
• Provide single sign-on user experience
• Simplify organizational change management
• Optionally eliminate need to invite users explicitly
• Enforce password policies not available in ArcGIS Online
Enterprise Login Concepts
• The Enterprise logins feature relies on the Security Assertion Markup Language (SAML) 2.0 Web Browser SSO Profile
• SAML distinguishes three roles:
  • The principal: Typically a user, but could be an application as well
  • The service provider: Here, ArcGIS Online
  • The identity provider: Your organization’s authentication system
Prerequisites
• An ArcGIS Online organizational subscription
• A user store, e.g. Active Directory or LDAP
• An identity provider that supports SAML 2.0 Web Browser SSO Profile
• The following parameters:
  • Identity provider metadata URL or
  • Identity provider metadata file or
  • Identity provider metadata properties and X.509 certificate
Identity Provider
• Certified identity providers for ArcGIS Online:
  • Active Directory Federation Services (AD FS) 2.0 and later
  • NetIQ Access Manager 3.2 and later
  • OpenAM 10.1.0 and later
  • Shibboleth 3.2 and later
  • SimpleSAMLphp 1.10 and later
• Other identity providers that organizations are using successfully:
  • CA SiteMinder
  • Oracle Identity Manager
  • Okta
Service Provider Initiated Logins
[Diagram: User, ArcGIS Service Provider, Identity Provider, Firewall]
(1) Request Access
(2) Redirect to Login URL
(3) Verify User Identity
(4) Redirect to Target URL (with SAML Assertion)
(5) Use ArcGIS Online
* Option to use ArcGIS Account
Identity Provider Initiated Logins
[Diagram: User, ArcGIS Service Provider, Identity Provider, Firewall]
(1) Sign-in
(2) Redirect to Target URL (with SAML Assertion)
(3) Use ArcGIS Online
* No option to use ArcGIS Account
Identity Provider Configuration
ArcGIS Online requires information to be included in the SAML assertion:
• Name ID: Username. ArcGIS Online username will be NameID_<url_key_for_org>
• Given Name (optional): The user’s full name, e.g. first and last name
• Email Address (optional): The user’s email address
Set up your IDP to include this information in the SAML response
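An added example (not part of the original slides, and not Esri code): a pre-rollout check, run against a sample response exported from your IdP, that the assertion carries the items listed above and shows the ArcGIS Online username that would result. The attribute names `givenname` and `email`, the `check_assertion` helper and the `myorg` URL key are assumptions; the check does not verify the response signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names; the slide only gives the labels on the right.
OPTIONAL_ATTRS = {"givenname": "Given Name", "email": "Email Address"}

# Constructed sample response (not captured from a real IdP); signature omitted.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, url_key):
    """Report what a sample IdP response would give ArcGIS Online."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    name_id = assertions[0].find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID, so no username can be derived")

    found = {}
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", NS):
        label = OPTIONAL_ATTRS.get(attr.get("Name", "").lower())
        value = attr.find("saml:AttributeValue", NS)
        if label and value is not None and (value.text or "").strip():
            found[label] = value.text.strip()
    return {
        # Username format from the slide: NameID_<url_key_for_org>
        "username": f"{name_id.text.strip()}_{url_key}",
        "attributes": found,
        "missing_optional": [v for v in OPTIONAL_ATTRS.values() if v not in found],
    }


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE, "myorg"))  # "myorg" is a placeholder key
```

A response with no NameID, or with more than one assertion, raises `ValueError` rather than producing a username.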
Migrating to Enterprise Logins
• Not all apps support Enterprise logins
• Generally, Esri off-the-shelf apps work with Enterprise logins
• Be mindful of user’s content and group membership when migrating existing users to Enterprise logins
• Be mindful of not exceeding your named user limit
• Use tools:
  • ArcGIS Online Assistant (https://ago-assistant.esri.com/)
  • Geo Jobe AdminTools (http://www.geo-jobe.com/admin-tools/)
Portal for ArcGIS
• In addition to SAML, also supports Enterprise logins via web-tier authentication or portal-tier authentication
• Available with Portal for ArcGIS 10.3 or later
• Offers Enterprise logins and Enterprise groups
• Group membership can be determined automatically based on LDAP or Active Directory groups
Help Resources
• Set up Enterprise Logins: https://doc.arcgis.com/en/arcgis-online/administer/enterprise-logins.htm
• Configure Active Directory Federation Services: https://doc.arcgis.com/en/arcgis-online/reference/configure-adfs.htm
• Migrating to enterprise logins: https://github.com/Esri/ago-admin-wiki/wiki/Migrating-to-enterprise-logins
• Contact: cpiepel@esri.com