idea OpenID Connect group membership in ArcGIS Enterprise Ideas

OpenID Connect group membership

AngusHooper1 — Mon, 21 Nov 2022 22:29:25 GMT

SAML identity providers integrated with ArcGIS Enterprise can support group membership. Similarly, it would be great to support OIDC backed group membership through calls to a groups or memberOf (etc) property.

Re: OpenID Connect group membership

sodtom — Tue, 22 Nov 2022 09:20:55 GMT

Even this is NOT a part nor compliance with current OIDC standard scopes / claims, this is feature that has been asked from several ArcGIS clients. Adding support for custom or enhanced scopes / claims like groups would be very helpful.

Re: OpenID Connect group membership

NicolasGIS — Tue, 29 Nov 2022 11:51:22 GMT

+1 !

As it is does not seem to be standard to OIDC protocol (correct me if I am wrong, not an expert !), a configurable claim (aka not hardcoded) would be very useful to retrieve groups membership experience of SAML !

Thanks for listening

Re: OpenID Connect group membership

jmp601 — Wed, 23 Aug 2023 15:39:35 GMT

Voicing my support for this feature too! This would be tremendously helpful as we do this with a lot of other vendors already. It allows our cloud SA's to manage groups in our Azure tenant which will map them all to the appropriate group in the ESRI world.

Re: OpenID Connect group membership

Martin1 — Wed, 20 Sep 2023 07:50:08 GMT

We would be interested in OpenID Connect, but will stay with SAML as long as group memberships are not available.

Re: OpenID Connect group membership - Status changed to: Implemented

MaggieBusek — Thu, 12 Sep 2024 14:36:38 GMT

Thank you for your Idea! This is now implemented in ArcGIS Enterprise.

Re: OpenID Connect group membership

NicolasGIS — Thu, 12 Sep 2024 15:45:34 GMT

Fantastic news @MaggieBusek ! Thanks for listening.

Does that mean that it will be available at 11.4 ?

Re: OpenID Connect group membership

MaggieBusek — Thu, 26 Sep 2024 20:09:04 GMT

@NicolasGIS This was implemented in Enterprise 11.3!

Re: OpenID Connect group membership

AngusHooper1 — Thu, 26 Sep 2024 23:39:08 GMT

@MaggieBusek can you link to the documentation that outlines how to configure this? Cheers.

Re: OpenID Connect group membership

NicolasGIS — Fri, 04 Oct 2024 10:10:28 GMT

True, it does not seem to be documented yet for ArcGIS Enteprise but it is for ArcGIS Online:
https://doc.arcgis.com/en/arcgis-online/administer/openid-connect-logins.htm

Step 15:

Optionally, toggle the Enable OpenID Connect login based group membership button to allow members to link specified OpenID Connect-based groups to ArcGIS Online groups during the group creation process.

This step is missing from ArcGIS Enterprise 11.3 documentation:

https://enterprise.arcgis.com/en/portal/latest/administer/windows/openid-connect-logins.htm

But running 11.3, I confirm I do see the same option as in ArcGIS Online.

Re: OpenID Connect group membership

NicolasGIS — Fri, 04 Oct 2024 11:32:59 GMT

From my first testing, I faced an issue with header size since I activated it. I don't know why, but Portal for ArcGIS is setting this "oidcRelayState" cookie on "signin" last operation:

`sharing/rest/oauth2/oidc/xyz/signin`

and in my case, after having turn this OIDC group membership, it turns out that this cookie is massive and my header is greater than 40 KB afterward and got rejected by HAProxy. I increased the header size limit and it now works but it seems to me that my groups are stored in this cookie which is not a good practice according to my IT team. Any idea why are the groups stored in this cookie at the end of the auth process ? It seems to me this cookie is much more than a 'classic' relayState and also there is no state to manage at this stage as interaction with IDP is over 🤔

Might open a dedicated thread rather than polluting this implemented idea !

Re: OpenID Connect group membership

MaggieBusek — Fri, 06 Dec 2024 17:23:38 GMT

@AngusHooper1 We document support for OIDC groups here.

@NicolasGIS Thank you for noting that we don't include this information on the documentation page you linked. We will work to update that page to reflect this change.

For your other feedback, if you wouldn't mind creating a dedicated thread that would be great. Thank you!