Setting up Enterprise Logins

Beta:

ArcGIS Online beta enhancements are available to all ArcGIS Online organizations. They are stable components of the site that may have incomplete functionality or documentation and may contain some minor issues.

Be aware that in the initial beta release the only option is for users to join automatically. This means that any user with an account within the identity provider can automatically join the ArcGIS Online organization by signing in to the organization using their enterprise login. In the final release, the administrator of the organization will be able to restrict membership to only those users who are explicitly invited into the ArcGIS Online organization.

If you have issues or are experiencing problems with any of the beta functionality, contact Esri Technical Support or visit the ArcGIS Online forum.

Configuring Enterprise Logins allows your organization’s users to log in to ArcGIS Online using the same logins that they use to access your enterprise information systems. The approach used to achieve this is known as SAML Web Single Sign On. The advantage of setting up Enterprise Logins using this approach is that users will not need to create additional logins within the ArcGIS Online system; instead, they will use the login that is already set up within their Enterprise. When a user logs in to ArcGIS Online, they will be redirected to a login page within your Enterprise. The user will enter their Enterprise user name and password directly into your Enterprise’s login manager, also known as your Enterprise Identity Provider. Upon verification of the user’s login, the Enterprise Identity Provider will inform ArcGIS Online of the verified identity of the user who is logging in.

ArcGIS Online supports SAML 2.0 for configuring Enterprise Logins. You will need to contact the administrator of your enterprise identity provider to get the parameters needed for configuration (discussed in the steps below). For example, if your organization is using Microsoft Active Directory, the administrator responsible for it would be the right person to contact in order to configure or enable SAML on the enterprise identity provider side and obtain the parameters needed for configuration on the ArcGIS Online side.

What is SAML?

Security Assertion Markup Language (SAML) is an open standard for securely exchanging authentication and authorization data between an identity provider (your organization) and a service provider (in this case ArcGIS Online). ArcGIS Online is compliant with SAML 2.0 and integrates with identity providers that support SAML 2 Web Single Sign On.

Setting up Federation with an Enterprise Identity Provider

Follow the steps below to set up your Identity Provider.

Steps:
  1. Within the Enterprise Logins section, click the Set Identity Provider button and enter your organization's name in the window that opens.
  2. Choose how users with Enterprise Logins will join your ArcGIS Online organization.
    • For initial beta, the only option is for users to join automatically. This means that any user with an account within the identity provider can automatically join the ArcGIS Online organization by signing in to the organization using their enterprise login.
    • In the final release, the administrator of the organization will be able to restrict membership to only those users who are explicitly invited into the ArcGIS Online organization.
    • By default, all users joining ArcGIS Online using their enterprise login account will be added to the organization with the privileges of a User. As an administrator, you can change their privilege level within ArcGIS Online to Publisher or Administrator.
      Caution:

      Be aware that in the initial beta release any user with an enterprise login will be able to sign in to your organization once you set up the federation. In the final release, the administrator of the organization will be able to restrict membership to only those users who are explicitly invited into the ArcGIS Online organization.

  3. Provide ArcGIS Online with metadata information about your SAML compliant Enterprise Identity Provider.

    Do this by specifying the source that ArcGIS Online will access to obtain metadata information about the SAML compliant Enterprise Identity Provider. Contact the administrator for your Identity Provider to determine which source of metadata information you will provide. There are three possible sources for this information:

    • URL—Enter a URL that returns metadata information about the identity provider.
    • File—Upload a file that contains metadata information about the identity provider.
    • Parameters—Directly enter the metadata information about the identity provider by supplying the following parameters:

      Login URL—Enter the URL that ArcGIS Online should use to allow a user to log in.

      HTTP-Redirect or HTTP-Post—Select the SAML binding that ArcGIS Online will use to send its authentication request to the identity provider: with HTTP-Redirect the request is carried in the URL of a browser redirect, with HTTP-Post it is carried in an HTML form that the browser submits to the login URL.

      X.509 certificate—Provide the certificate for the Enterprise Identity Provider. This is the certificate that allows ArcGIS Online to decrypt encrypted SAML responses sent to it from the Enterprise Identity Provider.

  4. Use the Advanced settings link to provide additional optional information about your Identity Provider.
    • Logout URL—Set the logout URL that ArcGIS Online will use when the user logs out of the organization.
    • User ID Attribute—Enter the User ID attribute in the SAML response from the identity provider that ArcGIS Online will use to get the user name for the user signing in. If this is not supplied, ArcGIS Online will use the default attribute name for this property, Subject/NameID.
  5. To complete the federation process and establish trust you will need to download the corresponding metadata file for the service provider (ArcGIS Online) and register it with your Enterprise Identity Provider. Download this file using the Get Service Provider button.
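The three metadata sources in step 3 (URL, file, parameters) all end up supplying the same things: the login URL per binding, the logout URL, and the identity provider's X.509 certificate. The following is an added example, not Esri's code or any part of ArcGIS Online: it parses a constructed SAML 2.0 IdP metadata document (element names from the SAML 2.0 metadata specification; the `idp.example.org` and `sp.example.com` URLs and the certificate text are placeholders) to recover those parameters, then builds the SP-initiated authentication request the way each binding from step 3 carries it, HTTP-Redirect as a DEFLATEd, base64-encoded `SAMLRequest` query parameter and HTTP-POST as a base64-encoded form field.

```python
"""Added example (not Esri's code): read the step 3 parameters out of SAML 2.0
identity-provider metadata, then build the SP-initiated authentication request
for whichever binding (HTTP-Redirect or HTTP-POST) was chosen."""
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: entityID, host and certificate text are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the parameters step 3 lets you enter by hand: login URL per
    binding, logout URL per binding, and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    login = {s.get("Binding"): s.get("Location")
             for s in idp.findall("md:SingleSignOnService", NS)}
    logout = {s.get("Binding"): s.get("Location")
              for s in idp.findall("md:SingleLogoutService", NS)}
    # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    certs = ["".join(c.text.split())
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"), "login": login,
            "logout": logout, "certs": certs}


def build_authn_request(sp_entity_id, acs_url, idp_login_url, binding):
    """Build a minimal AuthnRequest and encode it the way the chosen binding
    carries it (the SP would normally also sign it and remember the ID so the
    response can be matched to this request)."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
           f'Destination="{idp_login_url}" AssertionConsumerServiceURL="{acs_url}" '
           f'ProtocolBinding="{POST}">'
           f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>")
    raw = xml.encode()
    if binding == REDIRECT:
        # Raw DEFLATE (no zlib header/trailer), as the SAML 2.0 bindings spec requires.
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        deflated = comp.compress(raw) + comp.flush()
        query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
        return {"id": request_id, "method": "GET", "url": f"{idp_login_url}?{query}"}
    if binding == POST:
        return {"id": request_id, "method": "POST", "url": idp_login_url,
                "form": {"SAMLRequest": base64.b64encode(raw).decode()}}
    raise ValueError(f"unsupported binding {binding}")


def decode_redirect_request(url):
    """What the identity provider does on receipt of an HTTP-Redirect request."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode()


if __name__ == "__main__":
    md = parse_idp_metadata(IDP_METADATA)
    req = build_authn_request("https://sp.example.com/saml/metadata",
                              "https://sp.example.com/saml/acs",
                              md["login"][REDIRECT], REDIRECT)
    print(req["url"])
    print(decode_redirect_request(req["url"]))
```

Whichever source you pick in step 3, confirm with the identity provider's administrator that the certificate you end up with is the one the IdP currently signs with; a metadata URL is the source that keeps this current when the IdP rotates its key, a pasted certificate is not.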
Tip:

To set up Active Directory Federation Services 2.0 (ADFS) as your identity provider, follow the steps in Working with Active Directory Federation Services 2.0.
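Step 4's User ID Attribute decides which value in the identity provider's SAML response becomes the ArcGIS Online user name, and Subject/NameID is the fallback. The following is an added example, not Esri's code or ArcGIS Online's own validation logic: against a constructed SAML 2.0 Response (issuer, audience and user values are placeholders) it checks the checks a service provider makes before trusting an assertion, success status, exactly one assertion, the NotBefore/NotOnOrAfter window and the audience, and then resolves the user identifier either from a configured attribute or from Subject/NameID. One check is deliberately left out because it needs an XML-Signature library: verifying the response's signature with the identity provider's X.509 certificate from step 3, which is what binds the response to that identity provider and must precede everything shown here.

```python
"""Added example (not Esri's code): resolve the user identifier from a SAML 2.0
Response the way step 4 describes (configured attribute, else Subject/NameID),
after the status, audience and validity-window checks. Signature verification
against the IdP certificate is assumed to have happened before this runs."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response: issuer, audience, user and timestamps are placeholders.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2013-05-16T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-05-16T12:00:00Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.org</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-05-16T11:59:00Z" NotOnOrAfter="2013-05-16T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2013-05-16T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, expected_audience, now):
    """Return the single assertion in the response once status, validity
    window and audience are acceptable; raise ValueError otherwise."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("identity provider did not report a successful login")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    assertion = assertions[0]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        raise ValueError("assertion is not yet valid")
    if not_on_or_after and now >= _ts(not_on_or_after):
        raise ValueError("assertion has expired")
    # The audience is the SP entity ID from the service-provider metadata of step 5.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    return assertion


def extract_user_id(assertion, user_id_attribute=None):
    """Step 4 rule: use the configured attribute if one is set, else Subject/NameID.
    A configured attribute that is absent is an error, not a silent fallback."""
    if user_id_attribute is None:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not name_id.text:
            raise ValueError("assertion has no Subject/NameID")
        return name_id.text.strip()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == user_id_attribute:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    raise ValueError(f"configured User ID attribute {user_id_attribute!r} is missing")


if __name__ == "__main__":
    assertion = validate_assertion(SAML_RESPONSE, "https://sp.example.com/saml/metadata",
                                   _ts("2013-05-16T12:01:00Z"))
    print("NameID:", extract_user_id(assertion))
    print("uid attribute:", extract_user_id(assertion, "uid"))
```

When you set the User ID Attribute, ask the identity provider's administrator for the exact attribute name the IdP emits (the `Name` on the `saml:Attribute` element, which for ADFS is whatever the outgoing claim type is mapped to), and pick an attribute that is unique and stable for each account, because it becomes the user's identity in the organization.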

Changing the registered Enterprise Identity Provider

You can remove the currently registered identity provider by using the Remove Identity Provider button. This button will be enabled only when you have set up an Identity Provider. Once you have removed the identity provider you can set up a new one if desired.

5/16/2013