Currently ArcGIS Enterprise allows for authentication with an ADFS (or other SAML2) Identity Provider. The NameID is used from the SAML2 Claim to match to the name as created in Portal and gain access.
If I want to authorise a user against a group, then I have to connect the ArcGIS Enterprise to the domain to determine the Enterprise Groups that the user is assigned to. It appears that a 'text match' is used to match NameIDs to the names of users retrieved from the AD Groups on a scheduled basis.
The SAML specification supports a list of groups to be passed as a part of the SAML2 claim. If it were possible to create a Portal Group with a name exactly equal to the enterprise group in the claim then it 'should' be possible to string match the portal group name and the enterprise group name for use in authorising the user purely from the SAML2 claim.
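As an added illustration of the matching step described above (example code written for this page, not part of the original post and not Esri's or ADFS's code), the snippet below parses a constructed SAML2 assertion, reads the NameID and the values of a group attribute, and then authorises the user only for portal groups whose names are an exact string match. The group attribute name is assumed to be the ADFS "Group" claim type URI; the real attribute name depends on the IdP's claim rules. The assertion is constructed here, carries no signature, and the code assumes signature, issuer, audience and validity-window checks have already been done by the SAML library in front of it.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute name carrying enterprise group names. ADFS commonly issues
# group membership under this claim type, but check the IdP's claim rules.
GROUP_ATTRIBUTE = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion (not a real capture). The Signature element is
# omitted: this example only covers the matching step and assumes the
# assertion was already validated (signature, issuer, audience, NotOnOrAfter).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>GIS_Editors</saml:AttributeValue>
      <saml:AttributeValue>GIS_Viewers</saml:AttributeValue>
      <saml:AttributeValue>Finance_Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Return (name_id, [group names]) from a SAML2 assertion.

    Only the attribute named GROUP_ATTRIBUTE is read; any other attribute in
    the statement is ignored. In production, parse untrusted XML with a
    hardened parser (e.g. defusedxml) rather than the stdlib one used here.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")

    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUP_ATTRIBUTE:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return name_id.text.strip(), groups


def authorised_portal_groups(claim_groups, portal_group_names):
    """Exact, case-sensitive match of claim group names to portal group names.

    Deliberately no prefix, substring or case-insensitive matching: a group
    named 'GIS' must not grant access to 'GIS_Admins', and vice versa.
    """
    portal = set(portal_group_names)
    return sorted(g for g in set(claim_groups) if g in portal)


def authorise(xml_text, portal_group_names):
    """Convenience wrapper: (name_id, matched portal groups) for one assertion."""
    name_id, groups = parse_assertion(xml_text)
    return name_id, authorised_portal_groups(groups, portal_group_names)


if __name__ == "__main__":
    # Constructed portal group list: note the case and whitespace differences,
    # which are exactly the mismatches an exact-match rule will refuse.
    portal_groups = {"GIS_Editors", "gis_viewers", "Finance_Users ", "GIS_Admins"}
    print(authorise(SAMPLE_ASSERTION, portal_groups))
```

With the constructed inputs above only `GIS_Editors` is granted: `gis_viewers` differs in case and `Finance_Users ` carries a trailing space, so neither matches. That strictness is the point of the proposal's "name exactly equal" rule, and it also means the portal must only honour the group attribute from an assertion it has already verified came from the configured IdP.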
From a Professional Services point of view, we find ourselves deploying ArcGIS Enterprise in the cloud for customers who are exposing ADFS services, but who are not exposing their AD/LDAP to "that" cloud instance. Because of this the Enterprise Groups are not available. Presenting the Groups as a part of the SAML2 Claim would be a relatively simple way for the customer to present their Enterprise Groups to a non-AD connected ArcGIS Enterprise.
We have also seen a similar issue with customers that 'zone' their networks, i.e. the AD exists in the 'corporate' domain, but the GIS is present in a DMZ where AD is not configured/available. SAML2 provides a perfect way of sharing identity, but they cannot support enterprise groups as things are implemented at the moment.
While I am focussed on ArcGIS Enterprise, I believe this concept could also lend itself well to ArcGIS Online authorisation.