For a while we have recommended that the best approach for managing an ArcGIS Online or ArcGIS Enterprise portals is to enable enterprise logins, commonly referred to as Single Sign On (SSO). The information below may be useful for those who are not familiar, or have not implemented it, yet.
- SSO explained
- SSO enables a user to use the same set of credentials for signing in to multiple applications. This means that faculty and students can use the same credentials coming from their institution’s enterprise identity store to login to ArcGIS Online or ArcGIS Enterprise.
- What happens in the background? An ArcGIS Account still gets created for identity purposes that is linked to your enterprise credentials. This is not visible to the user.
- SSO can be setup for both ArcGIS Online as well as ArcGIS Enterprise, both referred to as “portal”, and can be setup for multiple portals.
- What will be alleviated with SSO
- Ease of access – one set of credentials will be used.
- User management – this is HUGE for academia. Enabling SSO means that no additional account logins need to be created for ArcGIS Online or ArcGIS Enterprise. We don’t have to add students to the portal manually (or via script), and share credentials with them.
- This could solve various inefficiencies associated with creating and managing multiple accounts, which takes time and thus is an incurred cost.
- Students have one account only, if one portal is used, which makes it easy to save projects and build their geosopatial portfolio. Without SSO, some institutions create different student accounts for different courses, which means that workflows would need to be in place to transfer student content.
- When a student is no longer attending the university, and have been removed from the institution's identity store, access can be prevented. They will no longer be able to login to the ArcGIS Online or ArcGIS Enterprise portal. As an administrator, it would be easy to find disabled accounts, determine what would be done with their content, then remove the student account from the portal.
- What you would still need to do (i.e. what problems it does not solve)
- Manage groups – a group for a course or project would still need to be created, and users added to it. SAML-based group membership functionality is now available.
- Manage content when student or faculty leaves the institution, if desired. The recommendation is to do nothing, as users may rely on this content. Geo Jobe Admin Tools, ArcGIS Online Assistant and the ArcGIS API for Python could be useful for managing content, and many other tasks, associated with portal management.
- How do we do it
- Work with your IT department and refer to the documentation – these are industry standards, and IT staff will be aware of them.
- Attached is a template letter to Campus IT staff that could be used to request SSO.
- Esri Technical Support is there to help if any issues arise.
- Note: Esri technology supports identity federation (allowing the use of identification coming from multiple enterprise systems) – as of June 2018 ArcGIS Online release.
Further feedback is welcome!