Configuring SimpleSAMLphp 1.10

You can configure SimpleSAMLphp 1.10 as your identity provider for Enterprise Logins in ArcGIS Online. The configuration process involves two main steps: registering your enterprise identity provider with ArcGIS Online and registering ArcGIS Online with the enterprise identity provider.

Step 1: Register SimpleSAMLphp as the enterprise identity provider with ArcGIS Online

Steps:
  1. Configure an authentication source in the SimpleSAMLphp IdP.
    1. Create an authentication source.

      SimpleSAMLphp supports authenticating users from various authentication sources such as an LDAP server, users in an SQL server, an Active Directory domain, and so on. The example below shows how to configure an Apache Directory Server as an authentication source in the SimpleSAMLphp IdP.

      Authentication sources are configured in the <SimpleSAML_HOME>/config/authsources.php file. To configure an LDAP server, open the config/authsources.php file and add an LDAP-based authentication source in the following format.

      'example-ldapApacheDS' => array(
          'ldap:LDAP',

          /* The hostname of the LDAP server. */
          'hostname' => 'host:port',

          /* Whether SSL/TLS should be used when contacting the LDAP server. */
          'enable_tls' => TRUE,

          /*
           * Which attributes should be retrieved from the LDAP server.
           * This can be an array of attribute names, or NULL, in which case
           * all attributes are fetched.
           */
          'attributes' => NULL,

          /*
           * The pattern which should be used to create the user's DN given the username.
           * %username% in this pattern will be replaced with the user's username.
           *
           * This option is not used if the search.enable option is set to TRUE.
           */
          'dnpattern' => 'uid=%username%,ou=users,ou=system',

          /*
           * As an alternative to specifying a pattern for the user's DN, it is possible to
           * search for the username in a set of attributes. This is enabled by this option.
           */
          'search.enable' => FALSE,

          /*
           * The DN which will be used as a base for the search.
           * This can be a single string, in which case only that DN is searched, or an
           * array of strings, in which case they will be searched in the order given.
           */
          'search.base' => 'ou=users,ou=system',

          /*
           * The attribute(s) the username should match against.
           *
           * This is an array with one or more attribute names. Any of the attributes in
           * the array may match the value of the username.
           */
          'search.attributes' => array('uid', 'mail'),

          /*
           * The username & password SimpleSAMLphp should bind with before searching. If
           * this is left as NULL, no bind will be performed before searching.
           */
          'search.username' => 'uid=admin,ou=system',
          'search.password' => 'password',
      ),

      ArcGIS Online supports passing the givenName and email address attributes of the enterprise login from the enterprise identity provider into ArcGIS Online. When a user signs in using an enterprise login and ArcGIS Online receives attributes named givenname and email or mail (in any letter case), ArcGIS Online populates the full name and the email address of the user account with the values received from the identity provider.

      It is recommended that you pass the email address from the enterprise identity provider to ArcGIS Online. This helps if the user later becomes an administrator: an account with an email address can receive notifications about administrative activity and send invitations to other users to join the organization.

    2. Configure the authentication source you created above as an authentication module in the SimpleSAMLphp IdP.

      Open the metadata/saml20-idp-hosted.php file and add the authentication source to use.

      /*
       * Authentication source to use. Must be one that is configured in
       * 'config/authsources.php'.
       */
      'auth' => 'example-ldapApacheDS',
  2. Configure the name identifier format supported by the SimpleSAMLphp IdP.

    Open the <SimpleSAML_HOME>/metadata/saml20-idp-hosted.php file and add the snippet below. In the following example, uid will be passed as the NameID by the SimpleSAMLphp IdP to ArcGIS Online after authenticating the user.

    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'authproc' => array(
        3 => array(
            'class' => 'saml:AttributeNameID',
            'attribute' => 'uid',
            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        ),
    ),
  3. Register the SimpleSAMLphp identity provider for your ArcGIS Online organization.
    1. Verify that you are logged in and that you are an administrator of your organization.
    2. Click the My Organization button at the top of the site. Your organization page opens.
    3. Click the Edit Settings button.
    4. Click the Security link on the left side of the page.
    5. Within the Enterprise Logins section, click the Set Identity Provider button.
    6. Enter a name for the identity provider in the window that opens.
    7. Provide metadata information for the identity provider using one of the three options below:

      URL—Choose this option if the URL of SimpleSAMLphp federation metadata is accessible. This is usually https://<simpleSAML-server>/<saml-app-name>/saml2/idp/metadata.php.

      File—Choose this option if the URL is not accessible. Save the metadata from the URL as an XML file and upload the file to ArcGIS Online using the File option.

      Parameters—Choose this option if the URL or file is not accessible. Enter the values manually and supply the requested parameters: login URL, binding type, and certificate. Contact your SimpleSAMLphp administrator to obtain these.

Step 2: Register ArcGIS Online as the trusted service provider with SimpleSAMLphp

Steps:
  1. Configure ArcGIS Online as a trusted service provider with SimpleSAMLphp by editing the <SimpleSAMLphp_HOME>/metadata/saml20-sp-remote.php file.
    1. Obtain the metadata XML file of your ArcGIS Online organization.

      To get the metadata file, log in to your organization as an administrator and open your organization page. Click the Edit Settings button, the Security tab, and within the Enterprise Logins section, click the Get Service Provider button.

    2. Convert the XML file you got in the above step to PHP format.

      SimpleSAMLphp expects the service provider's metadata to be provided in PHP format. SimpleSAMLphp provides a built-in XML-to-PHP metadata converter, which by default is available at https://<simpleSAML-server>/<saml-app-name>/admin/metadata-converter.php in your SimpleSAMLphp installation. Use the converter to convert the XML to PHP.

    3. Open the metadata/saml20-sp-remote.php file and add the configuration of the service provider in PHP format created in step 2.1.b.

      Below is an example of the added service provider's configuration in the metadata file.

      /* The following is an AGOL organization service provider */
      $metadata['citygis.maps.arcgis.com'] = array (
        'entityid' => 'citygis.maps.arcgis.com',
        'name' =>
        array (
          'en' => 'citygis',
        ),
        'description' =>
        array (
          'en' => 'citygis',
        ),
        'OrganizationName' =>
        array (
          'en' => 'citygis',
        ),
        'OrganizationDisplayName' =>
        array (
          'en' => 'citygis',
        ),
        'url' =>
        array (
          'en' => 'https://citygis.maps.arcgis.com',
        ),
        'OrganizationURL' =>
        array (
          'en' => 'https://citygis.maps.arcgis.com',
        ),
        'contacts' =>
        array (
        ),
        'metadata-set' => 'saml20-sp-remote',
        'AssertionConsumerService' =>
        array (
          0 =>
          array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://citygis.maps.arcgis.com/sharing/rest/oauth2/saml/signin',
            'index' => 1,
          ),
          1 =>
          array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://citygis.maps.arcgis.com/sharing/rest/oauth2/saml/signin',
            'index' => 2,
          ),
        ),
        'SingleLogoutService' =>
        array (
        ),
      );
  2. Configure the attribute that gets passed as NameID to ArcGIS Online from the SimpleSAMLphp IdP after authenticating the user.

    Add the attribute at the end of the service provider's configuration you added in the previous step, inside the closing parenthesis of the array.

    In the following example, uid is passed as NameID by the SimpleSAMLphp IdP to ArcGIS Online after authenticating the user. (Replace citygis.maps.arcgis.com with the URL of your organization.)

    /* The following is a remote AGOL organization service provider */
    $metadata['citygis.maps.arcgis.com'] = array (
      'entityid' => 'citygis.maps.arcgis.com',
      'name' =>
      array (
        'en' => 'citygis',
      ),
      'description' =>
      array (
        'en' => 'citygis',
      ),
      'OrganizationName' =>
      array (
        'en' => 'citygis',
      ),
      'OrganizationDisplayName' =>
      array (
        'en' => 'citygis',
      ),
      'url' =>
      array (
        'en' => 'https://citygis.maps.arcgis.com',
      ),
      'OrganizationURL' =>
      array (
        'en' => 'https://citygis.maps.arcgis.com',
      ),
      'contacts' =>
      array (
      ),
      'metadata-set' => 'saml20-sp-remote',
      'AssertionConsumerService' =>
      array (
        0 =>
        array (
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
          'Location' => 'https://citygis.maps.arcgis.com/sharing/rest/oauth2/saml/signin',
          'index' => 1,
        ),
        1 =>
        array (
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
          'Location' => 'https://citygis.maps.arcgis.com/sharing/rest/oauth2/saml/signin',
          'index' => 2,
        ),
      ),
      'SingleLogoutService' =>
      array (
      ),

      'NameIDFormat'               => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      'simplesaml.nameidattribute' => 'uid',

      /* Whether to send all the attributes received from the authentication source
         to the service provider. If true, all attributes are sent; otherwise they are not. */
      'simplesaml.attributes'      => true,
    );
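    The following added example (not part of this page, nor of SimpleSAMLphp or ArcGIS Online) does in Python what the metadata converter of step 2.1.b does for the fields used above, then appends the NameID settings of this step inside the array; it also strips stray whitespace from the entityID and refuses non-HTTPS assertion endpoints, two mistakes that otherwise show up only as a failed login. The SP metadata XML is a constructed sample and the org name citygis is hypothetical.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Constructed sample of the Get Service Provider XML (hypothetical org "citygis"; the
# real file also carries a signing certificate and further elements).
SAMPLE_SP_XML = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID=" citygis.maps.arcgis.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://citygis.maps.arcgis.com/sharing/rest/oauth2/saml/signin" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://citygis.maps.arcgis.com/sharing/rest/oauth2/saml/signin" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def php_str(value):
    # Single-quoted PHP literal; refuse values needing escapes so metadata cannot break out of it.
    if "'" in value or "\\" in value:
        raise ValueError("unexpected quote or backslash in metadata value: %r" % value)
    return "'" + value + "'"

def parse_sp_metadata(xml_text):
    # Pull out the entityID and AssertionConsumerService endpoints the entry needs.
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "").strip()  # stray whitespace would break the key lookup
    if not entity_id:
        raise ValueError("entityID missing from SP metadata")
    acs = []
    for el in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        location = el.get("Location", "")
        if not location.startswith("https://"):  # assertions must only go to TLS endpoints
            raise ValueError("non-https AssertionConsumerService: %r" % location)
        acs.append({"Binding": el.get("Binding", ""), "Location": location, "index": int(el.get("index", "0"))})
    if not acs:
        raise ValueError("no AssertionConsumerService endpoint found")
    return {"entityid": entity_id, "AssertionConsumerService": acs}

def render_sp_remote(sp, nameid_attribute="uid"):
    # Emit the saml20-sp-remote.php entry with the step 2.2 NameID settings inside the array.
    eid = php_str(sp["entityid"])
    lines = ["$metadata[%s] = array(" % eid, "  'entityid' => %s," % eid,
             "  'metadata-set' => 'saml20-sp-remote',", "  'AssertionConsumerService' => array("]
    for i, a in enumerate(sp["AssertionConsumerService"]):
        lines.append("    %d => array('Binding' => %s, 'Location' => %s, 'index' => %d),"
                     % (i, php_str(a["Binding"]), php_str(a["Location"]), a["index"]))
    lines += ["  ),", "  'NameIDFormat' => %s," % php_str(PERSISTENT),
              "  'simplesaml.nameidattribute' => %s," % php_str(nameid_attribute),
              "  'simplesaml.attributes' => true,", ");"]
    return "\n".join(lines)
```

Paste the string returned by render_sp_remote(parse_sp_metadata(xml)) into metadata/saml20-sp-remote.php; the name, description and organization entries shown above are optional and can be added by hand.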
9/23/2013