Configuring OpenAM 10.1.0

You can configure OpenAM 10.1.0 as your identity provider for Enterprise Logins in ArcGIS Online. The configuration process involves two main steps: registering your enterprise identity provider with ArcGIS Online and registering ArcGIS Online with the enterprise identity provider.

Step 1: Register OpenAM as the enterprise identity provider with ArcGIS Online

Steps:
  1. Verify that you are logged in and that you are an administrator of your organization.
  2. Click the My Organization button at the top of the site. Your organization page opens.
  3. Click the Edit Settings button.
  4. Click the Security link on the left side of the page.
  5. Within the Enterprise Logins section, click the Set Identity Provider button.
  6. Enter a name for the identity provider in the window that opens.
  7. Provide metadata information for the identity provider using one of the three options below:
    • URL—Choose this option if the URL of the OpenAM federation metadata is reachable from ArcGIS Online. The URL is usually http(s)://<host>:<port>/openam/saml2/jsp/exportmetadata.jsp.
    • File—If the URL is not reachable from ArcGIS Online, save the metadata obtained from the URL above as an XML file and upload the file.
    • Parameters—Choose this option if neither the URL nor the file is available. Enter the requested parameters manually: login URL, binding type, and certificate. Contact your OpenAM administrator to obtain these.

Step 2: Register ArcGIS Online as the trusted service provider with OpenAM

Steps:
  1. Configure a hosted identity provider in OpenAM.
    1. Sign in to the OpenAM administration console. This is usually available at http://servername:port/<deploy_uri>/console.
    2. Under the Common Tasks tab, click Create Hosted Identity Provider.
    3. Create a hosted identity provider and add it to a Circle of Trust. You can add it to an existing circle of trust if you already have one, or create a new circle of trust.
    4. By default, the hosted identity provider works with OpenDJ, the embedded user store that comes with OpenAM. If you want to connect OpenAM to any other user store, such as Active Directory, you need to create a new data source under the Access Control tab of the main OpenAM administration console.
  2. Configure ArcGIS Online as a trusted service provider with OpenAM.
    1. Obtain the metadata file of your ArcGIS Online organization and save it as an XML file.

      To get the metadata file, log in to your organization as an administrator and open your organization page. Click the Edit Settings button, then the Security tab, and within the Enterprise Logins section click the Get Service Provider button.

    2. In the OpenAM administration console under Common Tasks, click Register Remote Service Provider.
    3. Select the File option for the metadata and upload the metadata XML file saved in the previous step.
    4. Add this service provider to the same circle of trust you added your identity provider to.
  3. Configure NameID format and attributes that OpenAM needs to send to ArcGIS Online after authenticating the user.
    1. In the OpenAM administration console, click the Federation tab. The tab contains the circle of trust you previously added and the service and identity providers.
    2. Under Entity Providers, click your identity provider.
    3. In the Assertion Content tab, under Name ID Format, verify that urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is listed at the top. This is the format of the NameID that ArcGIS Online will request in its SAML request to OpenAM.
    4. Under Name ID Value Map, map an attribute from the user's profile, such as mail or upn, that will be returned as NameID to ArcGIS Online after the user is authenticated.

      Example:

      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=upn
    5. Click the Assertion Processing tab in the identity provider. Under Attribute Mapper, you can configure attributes from the user profile that you would like to be sent to ArcGIS Online.

      ArcGIS Online supports flow-in of the givenName and email address attributes of the enterprise login from the enterprise identity provider into ArcGIS Online. When a user signs in using an enterprise login and ArcGIS Online receives attributes named givenname and email or mail (matched without regard to letter case), ArcGIS Online populates the full name and the email address of the user account with the values received from the identity provider.

      It is recommended that you pass the email address from the enterprise identity provider to ArcGIS Online. This helps if the user later becomes an administrator: an email address on the account lets the user receive notifications about administrative activity and send invitations to other users to join the organization.

      Click Save to save the NameID format and the attribute content changes.

    6. In the Federation tab of the OpenAM administration console, browse to the ArcGIS Online service provider under Entity Providers. Configure the NameID format and the list of attributes to be sent to ArcGIS Online, following the same process as in the previous step.
  4. Restart the web server where OpenAM is deployed.
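As an added example that is not part of this help page, of OpenAM or of ArcGIS Online, the following Python script parses a constructed, unsigned SAML 2.0 assertion of the kind OpenAM issues after Step 3 and checks that the NameID format and the givenname/email attributes match what ArcGIS Online expects. The namespace is the standard SAML 2.0 assertion namespace; the issuer, user and attribute values are invented sample data.

```python
# Added example: verify that a SAML assertion carries the NameID format and the
# attributes described in Step 3 (urn:...:1.1:nameid-format:unspecified, givenname,
# email/mail matched case-insensitively). The assertion below is constructed data.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
GIVENNAME_NAMES = {"givenname"}      # compared in lower case
EMAIL_NAMES = {"email", "mail"}      # compared in lower case

# Constructed sample; note the mixed-case attribute names, which must still match.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2013-09-23T00:00:00Z">
  <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="MAIL"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text):
    """Return the NameID, the mapped attributes and a list of problems found."""
    root = ET.fromstring(xml_text)
    result = {"nameid": None, "nameid_format": None,
              "givenname": None, "email": None, "problems": []}
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        result["problems"].append("assertion has no Subject/NameID")
    else:
        result["nameid"] = (nameid.text or "").strip()
        result["nameid_format"] = nameid.get("Format")
        if result["nameid_format"] != EXPECTED_NAMEID_FORMAT:
            result["problems"].append("NameID format %r differs from the requested %r"
                                      % (result["nameid_format"], EXPECTED_NAMEID_FORMAT))
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = (attr.get("Name") or "").lower()
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        if name in GIVENNAME_NAMES:
            result["givenname"] = value
        elif name in EMAIL_NAMES:
            result["email"] = value
    if result["email"] is None:
        result["problems"].append("no email/mail attribute: the account gets no address")
    return result
```

Run `check_assertion(SAMPLE_ASSERTION)` against an assertion captured from your own test sign-in (for example from the browser's SAML response, base64-decoded) to confirm the mapping before enabling the login for users.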
9/23/2013