Set up Enterprise Logins
Configuring Enterprise Logins allows your organization’s users to log in to ArcGIS Online using the same logins that they use to access your enterprise information systems. The approach used to achieve this is known as SAML Web Single Sign On. The advantage of setting up enterprise logins using this approach is that users do not need to create additional logins within the ArcGIS Online system; instead, they use the login that is already set up within their enterprise system. When users log in to ArcGIS Online, they enter their enterprise user name and password directly into your enterprise’s login manager, also known as your enterprise identity provider. Upon verification of the user’s login, the enterprise identity provider informs ArcGIS Online of the verified identity of the user who is logging in.
ArcGIS Online supports Security Assertion Markup Language 2.0 (SAML) for configuring Enterprise Logins. SAML is an open standard to securely exchange authentication and authorization data between an identity provider (your organization) and a service provider (in this case, ArcGIS Online). ArcGIS Online is compliant with SAML 2.0 and integrates with identity providers that support SAML 2 Web Single Sign On.
You will need to contact the administrator of your enterprise identity provider to get the parameters needed for configuration (discussed in the steps below). For example, if your organization uses Microsoft Active Directory, the administrator responsible for it would be the right person to contact in order to configure or enable SAML on the enterprise identity provider side and to get the parameters needed for configuration on the ArcGIS Online side.
Add members through Enterprise Logins
As part of the Enterprise Login setup process, you decide if users join the organization automatically or through an invitation. The automatic option allows users to join the organization by signing in with their enterprise login. With the invitation option, you generate email invitations through ArcGIS Online that include instructions on how to join the organization. If you choose the automatic option, you can still invite users to join the organization.
Set up federation with an enterprise identity provider
- Within the Enterprise Logins section, click the Set Identity Provider button and enter your organization's name in the window that opens.
- Choose how users with enterprise logins will join your ArcGIS Online organization—automatically or through an invitation.
- Provide ArcGIS Online with metadata information about your SAML-compliant enterprise identity provider.
  Do this by specifying the source that ArcGIS Online will access to obtain metadata information about the SAML-compliant enterprise identity provider. Contact the administrator for your identity provider to determine which source of metadata information you will provide. There are three possible sources for this information:
  - URL—Enter a URL that returns metadata information about the identity provider.
  - File—Upload a file that contains metadata information about the identity provider.
  - Parameters—Directly enter the metadata information about the identity provider by supplying the following parameters:
    - Login URL—Enter the URL that ArcGIS Online should use to allow a user to log in.
    - HTTP-Redirect or HTTP-Post—Select which SAML binding ArcGIS Online uses to send its authentication request to the identity provider: HTTP-Redirect or HTTP-POST.
    - X.509 certificate—Provide the certificate for the enterprise identity provider. This is the certificate that allows ArcGIS Online to decrypt encrypted SAML responses sent to it from the enterprise identity provider.
- To complete the federation process and establish trust, you will need to download the corresponding metadata file for the service provider (ArcGIS Online) and register it with your enterprise identity provider. Download this file using the Get Service Provider button.
Change registered enterprise identity provider
You can remove the currently registered identity provider by using the Remove Identity Provider button. This button is enabled only when you have set up an identity provider. Once you have removed the identity provider, you can set up a new one, if desired.