Using Your Own Authentication System with ArcGIS Online

1. Using Your Own Authentication System with ArcGIS Online Carsten Piepel

2. Overview At the end of this demo theater you will know how to configure Enterprise logins, which will allow your organization’s users to log in to ArcGIS Online using the same logins that they use to access your enterprise information systems

3. Account Creation Options for Adding Members • Built-in ArcGIS Accounts: • Pre-create user accounts • Invite users using pre-established usernames • Invite existing users • Enterprise Accounts: • Automatic account creation on first login • By invitation

4. Why Enterprise Logins? No need to remember multiple logins Provide single sign-on user experience Simplify organizational change management Optionally eliminate need to invite users explicitly Enforce password policies not available in ArcGIS Online

5. Enterprise Login Concepts Enterprise logins feature relies on Security Assertion Markup Language (SAML) 2.0 Web Browser SSO Profile SAML distinguishes three roles: The principal: Typically a user, but could be an application as well The service provider: Here, ArcGIS Online The identity provider: Your organization’s authentication system

6. Prerequisites • An ArcGIS Online organizational subscription • A user store, e.g. Active Directory or LDAP • An identity provider that supports SAML 2.0 Web Browser SSO Profile • The following parameters: • Identity provider metadata URL or • Identity provider metadata file or • Identity provider metadata properties and X.509 certificate

7. Identity Provider Certified identity providers for ArcGIS Online: Active Directory Federation Services (AD FS) 2.0 and later NetIQ Access Manager 3.2 and later OpenAM 10.1.0 and later Shibboleth 3.2 and later SimpleSAMLphp 1.10 and later Other identity providers that organizations are using successfully: CA SiteMinder Oracle Identity Manager Okta

8. Service Provider Initiated Logins ArcGIS Service Provider (1) Request Access (2) Redirect to Login URL (5) Use ArcGIS Online (3) Verify User Identity IdentityProvider User (4) Redirect to Target URL (with SAML Assertion) * Option to use ArcGIS Account Firewall

9. Identity Provider Initiated Logins ArcGIS Service Provider (3) Use ArcGIS Online (1) Sign-in Identity Provider (2) Redirect to Target URL (with SAML Assertion) User * No option to use ArcGIS Account Firewall

10. Identity Provider Configuration ArcGIS Online requires information to be included in the SAML assertion: Name ID: Username. ArcGIS Online username will be NameID_<url_key_for_org> Given Name (optional): The user’s full name, e.g. first and last name Email Address (optional): The user’s email address Set up your IDP to include this information in the SAML response

11. Demonstration

12. Migrating to Enterprise Logins • Not all apps support Enterprise logins • Generally, Esri off-the-shelf apps work with Enterprise logins • Be mindful of user’s content and group membership when migrating existing users to Enterprise logins • Be mindful of not exceeding your named user limit • Use tools: • ArcGIS Online Assistant (https://ago-assistant.esri.com/) • Geo Jobe AdminTools (http://www.geo-jobe.com/admin-tools/)

13. Portal for ArcGIS • In addition to SAML, also supports Enterprise logins via web-tier authentication or portal-tier authentication • Available with Portal for ArcGIS 10.3 or later • Offers Enterprise logins and Enterprise groups • Group membership can be determined automatically based on LDAP or Active Directory groups

14. Help Resources Set up Enterprise Logins:https://doc.arcgis.com/en/arcgis-online/administer/enterprise-logins.htm Configure Active Directory Federation Services: https://doc.arcgis.com/en/arcgis-online/reference/configure-adfs.htm Migrating to enterprise logins: https://github.com/Esri/ago-admin-wiki/wiki/Migrating-to-enterprise-logins Contact: cpiepel@esri.com