Working with Active Directory Federation Services 2.0
ArcGIS Online beta enhancements are available to ArcGIS Online organizations. They are stable components of the site that may have incomplete functionality or documentation and may contain some minor issues.
Be aware that in the initial beta release the only option is for users to join automatically: any account that the identity provider authenticates for this relying party can join the ArcGIS Online organization simply by signing in with its enterprise login, with no invitation required. In the final release, the administrator of the organization will be able to restrict membership to users who are explicitly invited. Until then, the only place to limit who can join is the identity provider itself (for ADFS, the issuance authorization rules on the relying party trust described in Step 2).
If you have issues or are experiencing problems with any of the beta functionality, contact Esri Technical Support or visit the ArcGIS Online forum.
You can configure Enterprise Logins using Active Directory Federation Services 2.0 (ADFS). Configuring Enterprise Logins involves two main steps: registering the Enterprise Identity provider with ArcGIS Online, and registering ArcGIS Online with the Enterprise Identity provider. Follow these two steps to configure Enterprise Logins using ADFS.
Step 1: Register ADFS as the Enterprise Identity provider with ArcGIS Online
- Verify that you are logged in and that you are an administrator of your organization.
- Click the My Organization link in the top banner. Your organization page opens.
- Click the Edit Settings button.
- Click the Security link on the left side of the page.
- Within the Enterprise Logins section, click the Set Identity Provider button.
- Enter a name for the Identity Provider in the window that opens.
- Provide metadata information for the Identity Provider using one of the three options below:
- Choose URL if the ADFS federation metadata URL is accessible. ArcGIS Online fetches the document itself, so the ADFS server must be reachable from the internet. The URL is usually https://<adfs-server>/federationmetadata/2007-06/federationmetadata.xml. The document is served anonymously and contains the ADFS entity ID, the single sign-on endpoints and the token-signing certificate.
- Choose File if the URL is not accessible. Get a copy of this same file from ADFS and upload the file to ArcGIS Online using the File option.
- Choose Parameters if neither the URL nor the file is available. Enter the values by hand: the login URL (the ADFS single sign-on endpoint), the binding type (the SAML binding of that endpoint, HTTP-POST or HTTP-Redirect) and the token-signing certificate. Contact your ADFS administrator to obtain these.
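As an added example (not code from the Esri page or from ADFS), the following PowerShell reads the three values the Parameters option asks for out of the ADFS federation metadata and, when run on the ADFS server itself, checks that the certificate the metadata advertises really is a configured token-signing certificate. The host name adfs.example.com, the temporary file paths and the requirement for PowerShell 3.0 or later are assumptions.

```powershell
# Added example, not from the Esri page: extract the Step 1 'Parameters' values (login URL,
# binding type, signing certificate) from AD FS 2.0 federation metadata.
# Assumptions: AD FS host adfs.example.com, PowerShell 3.0 or later (Invoke-WebRequest, -Raw).
$adfsHost    = 'adfs.example.com'                                # assumption
$metadataUrl = "https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml"
$localCopy   = Join-Path $env:TEMP 'adfs-federationmetadata.xml'
Invoke-WebRequest -Uri $metadataUrl -OutFile $localCopy          # anonymous over TLS; nothing secret in it
[xml]$fed = Get-Content $localCopy -Raw

$ns = New-Object System.Xml.XmlNamespaceManager($fed.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$issuer = $fed.DocumentElement.GetAttribute('entityID')          # value AD FS puts in <saml:Issuer>
$idp = $fed.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
if (-not $idp) { throw "No IDPSSODescriptor in $metadataUrl; this is not identity-provider metadata" }

# Login URL and binding type: AD FS publishes one SingleSignOnService element per binding it supports.
$sso = $idp.SelectNodes('md:SingleSignOnService', $ns) | ForEach-Object {
    New-Object PSObject -Property @{
        Binding  = $_.GetAttribute('Binding') -replace '^urn:oasis:names:tc:SAML:2.0:bindings:', ''
        LoginUrl = $_.GetAttribute('Location')
    }
}

# Certificate: only KeyDescriptor use="signing" is the token-signing key (use="encryption" is a different key).
$signing = @($idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) | ForEach-Object {
    $raw  = [Convert]::FromBase64String($_.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Base64     = [Convert]::ToBase64String($raw)             # the value for the Certificate field
    }
})
if ($signing.Count -eq 0) { throw 'Metadata contains no signing certificate' }

# Cross-check on the AD FS server: the metadata must advertise the certificate AD FS actually signs with,
# or every SAML response will fail signature validation at ArcGIS Online.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
if (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue) {
    $live = Get-ADFSCertificate -CertificateType Token-Signing | ForEach-Object { $_.Certificate.Thumbprint }
    foreach ($c in $signing) {
        if ($live -notcontains $c.Thumbprint) {
            Write-Warning "Metadata certificate $($c.Thumbprint) is not a configured token-signing certificate"
        }
    }
}

"Issuer (entityID): $issuer"
$sso     | Format-Table Binding, LoginUrl -AutoSize
$signing | Format-Table Subject, NotAfter, Thumbprint -AutoSize
# Save the first signing certificate (base64 DER) for the Parameters option.
Set-Content -Path (Join-Path $env:TEMP 'adfs-token-signing.cer') -Value $signing[0].Base64
```

The thumbprint cross-check is the part worth keeping even if you use the URL or File option: a stale copy of the metadata, or a copy taken from the wrong ADFS farm, carries a certificate ADFS no longer signs with, and the failure only shows up later as rejected sign-ins. Watch NotAfter as well, since ADFS rolls its token-signing certificate automatically and the registered copy in ArcGIS Online then has to be updated.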
Step 2: Register ArcGIS Online as the trusted service provider with ADFS
- Open ADFS 2.0 management console.
- Choose Relying Party Trusts > Add Relying Party Trust.
- In the Add Relying Party Trust Wizard, click the Start button.
- For Select Data Source, choose an option for obtaining data about the relying party—import from a URL, import from a file, or enter manually.
- Import data about the relying party published online or on a local network.
This option uses the metadata URL of your ArcGIS Online organization. The URL is https://<urlkey_for_org>.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY (the token shown is a placeholder, not a value to reuse).
You can generate a token using https://<urlkey_for_org>.maps.arcgis.com/sharing/rest/generateToken. The token is a credential for the administrator account that generated it: request it with a short expiration, do not store or share the token-bearing metadata URL, and note that ADFS keeps the URL in the trust if you later enable metadata monitoring.
- Import data about the relying party from a file
This option uses a metadata.xml file from your ArcGIS Online organization. There are two ways you can get a metadata XML file.
Open the metadata URL of your ArcGIS Online organization (the same token-bearing URL as in the previous option, https://<urlkey_for_org>.maps.arcgis.com/sharing/rest/portals/self/sp/metadata?token=<token>, with a token generated at https://<urlkey_for_org>.maps.arcgis.com/sharing/rest/generateToken) and save the response as an XML file on your computer.
Alternatively, within the Security section of the Edit Settings page for your organization, click the Get Service Provider button. This gives the metadata for your organization which you can save as an XML file on your computer.
- Enter data about the relying party manually
With this option, the Add Relying Party Trust Wizard shows additional pages where you enter the data yourself. These are the three steps marked (Manual data source only) below.
- For Specify Display Name, enter the display name.
The display name is used to identify the relying party in ADFS. Outside of this it doesn’t have any meaning. This should be set to either ArcGIS or to the name of the organization within ArcGIS, for example, ArcGIS—SamlTest.
Tip: If you chose to enter the data source manually, the wizard shows three additional pages on its left side; they are the steps marked (Manual data source only) below. If you imported from a URL or a file, skip those and continue with Choose Issuance Authorization Rules.
- (Manual data source only) For Choose Profile, choose AD FS 2.0 profile.
- (Manual data source only) For Configure URL, check the box next to Enable support for the SAML 2.0 WebSSO protocol and enter the URL for the relying party SAML 2.0 SSO service.
The relying party URL is the Assertion Consumer Service endpoint to which ADFS sends the SAML response after authenticating the user. It must be an HTTPS URL: https://<urlkey_for_org>.maps.arcgis.com/sharing/rest/oauth2/saml/signin.
- (Manual data source only) For Configure Identifiers, enter the URL for the relying party trust identifier.
This is the SAML entity ID of the organization, which ADFS also uses as the audience of the assertions it issues. It should be <urlkey_for_org>.maps.arcgis.com.
- For Choose Issuance Authorization Rules, choose Permit all users to access this relying party.
Tip: Combined with the automatic join in the beta, this rule lets every account ADFS can authenticate become a member of the organization. If that is wider than you want, add an issuance authorization rule on the trust afterwards (Edit Claim Rules > Issuance Authorization Rules) that permits only a specific group, and remove the permit-all rule.
- For Ready to Add Trust, review all the settings for the relying party and click Next.
Tip: The metadata URL is only populated if you chose to import the data source from a URL; with a file or a manually entered data source it stays blank.
- For Finish, check the box to open the Edit Claim Rules dialog automatically after you click Close.
- To set the claim rules, open the Edit Claim Rules dialog, stay on the Issuance Transform Rules tab, and click Add Rule.
- From Select Rule Template, select the Send LDAP Attributes as Claims template for the claim rule you want to create and click Next.
- From Configure Claim Rule, provide a name for the rule, for example, NameID.
- For Attribute Store, select Active Directory.
- For Mapping of LDAP attributes to outgoing claim types, select the LDAP attribute that holds the user names (for example, SAM-Account-Name) as LDAP Attribute and Name ID as Outgoing Claim Type.
Note: Name ID is the claim ADFS must send in the SAML response for the federation with ArcGIS Online to work. When a user from the IdP signs in for the first time, ArcGIS Online creates a user in its own store whose user name is the Name ID value followed by _<url_key_for_org>. The characters allowed in the Name ID value are letters, digits, _ (underscore), . (dot) and @ (at sign); any other character is replaced with an underscore in the generated user name. Because the user name is derived from this value, choose an attribute that is unique per person and does not change, since a changed value would map the same person to a different ArcGIS Online user name.
- Click Finish. ADFS now includes ArcGIS Online as a relying party and issues the Name ID claim to it.
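The whole of Step 2 as an added PowerShell example (not code from the Esri page), using the ADFS 2.0 snap-in instead of the wizard: it generates a short-lived token, downloads the service provider metadata to a file, checks the file against the identifier and sign-in URL given in the manual steps above, creates the relying party trust from the file, and sets the Name ID transform rule plus an authorization rule scoped to one group rather than Permit all users. The URL key samltest, the group CONTOSO\ArcGIS-Users, and PowerShell 3.0 or later on the ADFS server are assumptions; change them for your environment.

```powershell
# Added example, not from the Esri page: Step 2 with the AD FS 2.0 PowerShell snap-in.
# Run on the AD FS server with PowerShell 3.0 or later (Invoke-RestMethod, Get-Credential -Message).
# Assumptions: org URL key 'samltest', group CONTOSO\ArcGIS-Users, an ArcGIS Online admin credential.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$urlKey      = 'samltest'                                       # assumption
$orgHost     = "$urlKey.maps.arcgis.com"
$displayName = "ArcGIS-$urlKey"                                 # display name is cosmetic only
$acsUrl      = "https://$orgHost/sharing/rest/oauth2/saml/signin"
$groupName   = 'CONTOSO\ArcGIS-Users'                           # assumption

# 1. Short-lived admin token. Never store or share a token-bearing metadata URL.
$cred = Get-Credential -Message 'ArcGIS Online organization administrator'
$tokenResp = Invoke-RestMethod -Method Post -Uri "https://$orgHost/sharing/rest/generateToken" -Body @{
    username   = $cred.UserName
    password   = $cred.GetNetworkCredential().Password
    client     = 'referer'
    referer    = "https://$orgHost"
    expiration = 5                                              # minutes; one download is all it is for
    f          = 'json'
}
if (-not $tokenResp.token) { throw "generateToken failed: $($tokenResp | ConvertTo-Json -Compress)" }

# 2. Save the service-provider metadata locally and check it against what the manual steps expect.
$metadataFile = Join-Path $env:TEMP "arcgis-$urlKey-sp-metadata.xml"
Invoke-WebRequest -Uri "https://$orgHost/sharing/rest/portals/self/sp/metadata?token=$($tokenResp.token)" -OutFile $metadataFile
Remove-Variable tokenResp
[xml]$sp = Get-Content $metadataFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($sp.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$entityId = $sp.DocumentElement.GetAttribute('entityID')
$acsList  = @($sp.SelectNodes('/md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService', $ns) |
              ForEach-Object { $_.GetAttribute('Location') })
if ($entityId -ne $orgHost)        { Write-Warning "entityID is '$entityId', expected the identifier '$orgHost'" }
if ($acsList -notcontains $acsUrl) { Write-Warning "ACS endpoints ($($acsList -join ', ')) do not include $acsUrl" }

# 3. Create the trust from the file (same as the wizard's 'import from a file' option).
Add-ADFSRelyingPartyTrust -Name $displayName -MetadataFile $metadataFile

# 4. Issuance transform rule: sAMAccountName -> Name ID. This is the rule text the
#    'Send LDAP Attributes as Claims' template generates for that mapping.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# 5. Issuance authorization rule limited to one group. With the beta's automatic join,
#    'Permit all users' would let every AD account become an organization member.
$groupSid = ([System.Security.Principal.NTAccount]$groupName).Translate([System.Security.Principal.SecurityIdentifier]).Value
$authzRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of the ArcGIS users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i){0}$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@ -f $groupSid

Set-ADFSRelyingPartyTrust -TargetName $displayName -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# 6. Review what was configured.
Get-ADFSRelyingPartyTrust -Name $displayName |
    Format-List Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

To reproduce the wizard's Permit all users choice instead of the group rule, set IssuanceAuthorizationRules to the text `@RuleTemplate = "AllowAllAuthzRule"` followed by `=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");`. The two Write-Warning checks in step 2 are there because the wizard imports whatever the file says without comparing it to anything; if the identifier or the sign-in endpoint differ from the values in the manual steps, find out why before creating the trust.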