Configure Active Directory Federation Services 2.0
You can configure Active Directory Federation Services 2.0 (AD FS) in the Microsoft Windows Server operating system as your identity provider for Enterprise Logins in ArcGIS Online. The configuration process involves two main steps: registering your enterprise identity provider with ArcGIS Online and registering ArcGIS Online with the enterprise identity provider.
Register AD FS as the enterprise identity provider with ArcGIS Online
- Verify that you are logged in and that you are an administrator of your organization.
- Click the My Organization button at the top of the site. Your organization page opens.
- Click the Edit Settings button.
- Click the Security link on the left side of the page.
- Within the Enterprise Logins section, click the Set Identity Provider button.
- Enter a name for the identity provider in the window that opens.
- Provide metadata information for the identity provider using one of the three options below:
- URL—Choose this option if the URL of AD FS federation metadata is accessible. This is usually https://<adfs-server>/federationmetadata/2007-06/federationmetadata.xml.
- File—Choose this option if the URL is not accessible. Get a copy of this same file from AD FS and upload the file to ArcGIS Online using the File option.
- Parameters—Choose this option if the URL or file is not accessible. Enter the values manually and supply the requested parameters: login URL, binding type, and certificate. Contact your AD FS administrator to obtain these.
Register ArcGIS Online as the trusted service provider with AD FS
- Open the AD FS 2.0 management console.
- Choose Relying Party Trusts > Add Relying Party Trust.
- In the Add Relying Party Trust Wizard, click the Start button.
- For Select Data Source, choose one option for obtaining data about the relying party: import from a URL, import from a file, or enter manually. URL and file require that you obtain the metadata from your organization. If you don't have access to the metadata URL or file, you can enter the information manually. In some cases, entering the data manually may be the easiest option.
- Import data about the relying party published online or on a local network
This option uses the URL metadata of your ArcGIS Online organization. The URL is https://<urlkey_for_org>.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY.
Generate a token using https://www.arcgis.com/sharing/rest/generateToken. You need to generate a token using HTTP POST programmatically with JSON output format. For more information, see ArcGIS REST API.
- Import data about the relying party from a file
This option uses a metadata.xml file from your ArcGIS Online organization. There are two ways you can get a metadata XML file.
Open the URL of the metadata of your ArcGIS Online organization and save as an XML file on your computer. The URL is https://<urlkey_for_org>.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://<urlkey_for_org>.maps.arcgis.com/sharing/rest/generateToken.
Alternatively, within the Security section of the Edit Settings page for your organization, click the Get Service Provider button. This gives the metadata for your organization which you can save as an XML file on your computer.
- Enter data about the relying party manually
With this option, the Add Relying Party Trust Wizard displays additional windows where you enter the data manually. These are explained in steps 6 through 8 below.
- Import data about the relying party published online or on a local network
- For Specify Display Name, enter the display name.
The display name is used to identify the relying party in AD FS. Outside of this it doesn’t have any meaning. This should be set to either ArcGIS or to the name of the organization within ArcGIS, for example, ArcGIS—SamlTest.Tip:
The above image shows the Specify Display Name window with the steps for importing the data source from a URL or file. If you chose to manually enter the data source information, you see additional steps on the left side of the wizard which are explained in steps 6 through 8 below. If you selected URL or file, you can skip to step 9.
- (Manual data source only) For Choose Profile, choose AD FS 2.0 profile.
- (Manual data source only) For Configure URL, check the box next to Enable support for the SAML 2.0 WebSSO protocol and enter the URL for the relying party SAML 2.0 SSO service.
The relying party URL should be the URL where AD FS sends the SAML response after authenticating the user. This should be an HTTPS URL: https://<urlkey_for_org>.maps.arcgis.com/sharing/rest/oauth2/saml/signin.
- (Manual data source only) For Configure Identifiers, enter the URL for the relying party trust identifier.
This should be <urlkey_for_org>.maps.arcgis.com.
- For Choose Issuance Authorization Rules, choose Permit all users to access this relying party.Tip:
The above image shows the Choose Issuance Authorization Rules window with the steps for importing the data source from a URL or file. If you chose to manually enter the data source information, you see additional steps on the left side of the wizard.
- For Ready to Add Trust, review all the settings for the replying party and click Next. Tip:
The metadata URL only gets populated if you chose to import the data source from a URL. The image below shows the Ready to Add Trust window if you chose to manually enter data source information.
- For Finish, check the box to automatically open the Edit Claim Rules dialog box after you click the Close button.Tip:
The above image shows the Finish window with the steps for importing the data source from a URL or file. If you chose to manually enter the data source information, you see additional steps on the left side of the wizard.
- To set the claim rules, open the Edit Claim Rules wizard and click Add Rule.
- From Select Rule Template, select the Send LDAP Attributes as Claims template for the claim rule you want to create and click Next.
- From Configure Claim Rule, provide a name for the rule, for example, NameID.
- For Attribute store, select Active Directory.
- For Mapping of LDAP attributes to outgoing claim types, select the LDAP attribute that contains the user names (for example, SAM-Account-Name) for LDAP Attribute and NameID for Outgoing Claim Type.Note:
NameID is the attribute that must be sent by AD FS in the SAML Response to make the federation with ArcGIS work. When a user from the IDP logs in, a new user with the user name NameID_<url_key_for_org> will be created by ArcGIS Online in its user store. The allowed characters for the value sent by the NameID attribute are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be escaped to contain underscores in the user name created by ArcGIS Online.
- ArcGIS Online supports flow-in of the givenName and the email address attributes of the enterprise login from the enterprise identity provider into ArcGIS Online. When a user signs in using an enterprise login, and if ArcGIS Online receives attributes with the names givenname and email or mail (in any case), ArcGIS Online populates the full name and the email address of the user account with the values received from the identity provider.
Follow the instructions below to edit the claims rules.
- Under the LDAP Attribute column, choose Display·Name (or a different attribute from the list in the second row) and map it to Given Name under the Outgoing Claim Type column.
- Under the LDAP Attribute column, choose E·Mail-Addresses and map it to E·Mail Address under the Outgoing Claim Type column.
With this claim, AD FS sends attributes with the names givenname and email to ArcGIS Online after authenticating the user. ArcGIS Online then uses the values received in the givenname and the email attributes and populates the full name and the email address of the ArcGIS Online user account.
It is recommended that you pass in the email address from the enterprise identity provider to ArcGIS Online. This helps if the user later becomes an administrator. Having an email address in the account entitles the user to receive notifications regarding any administrative activity and send invitations to other users to join the organization.
- Click Finish to finish configuring the AD FS identity provider to include ArcGIS Online as a relying party.