idea Multiple SAML logins within both ArcGIS Enterprise and AGOL environments in ArcGIS Enterprise Ideas https://community.esri.com/t5/arcgis-enterprise-ideas/multiple-saml-logins-within-both-arcgis-enterprise/idi-p/1638692 <P>We administer both ArcGIS Enterprise (11.4) and ArcGIS Online environments, supporting hundreds of users from federal, state, and local government agencies.</P><P>Currently, we're facing challenges due to the use of different authentication services. Our setup utilises SAML authentication tied to the federal agency’s identity provider, which leaves state and local agencies reliant on built-in ArcGIS accounts.</P><P>This reliance on built-in accounts has led to considerable administrative overhead, particularly when enforcing multi-factor authentication (MFA), which requires disabling and re-enabling accounts. Additionally, there's an ongoing security concern: when users depart their agencies, we aren’t consistently notified, leading to accounts remaining active and unauthorized access lingering.</P><P>We’re curious to know if others have encountered similar issues, and whether any alternative workflows have helped streamline identity management in comparable multi-agency environments.</P> Wed, 06 Aug 2025 00:55:37 GMT MichelleAlley 2025-08-06T00:55:37Z Multiple SAML logins within both ArcGIS Enterprise and AGOL environments https://community.esri.com/t5/arcgis-enterprise-ideas/multiple-saml-logins-within-both-arcgis-enterprise/idi-p/1638692 <P>We administer both ArcGIS Enterprise (11.4) and ArcGIS Online environments, supporting hundreds of users from federal, state, and local government agencies.</P><P>Currently, we're facing challenges due to the use of different authentication services. Our setup utilises SAML authentication tied to the federal agency’s identity provider, which leaves state and local agencies reliant on built-in ArcGIS accounts.</P><P>This reliance on built-in accounts has led to considerable administrative overhead, particularly when enforcing multi-factor authentication (MFA), which requires disabling and re-enabling accounts. Additionally, there's an ongoing security concern: when users depart their agencies, we aren’t consistently notified, leading to accounts remaining active and unauthorized access lingering.</P><P>We’re curious to know if others have encountered similar issues, and whether any alternative workflows have helped streamline identity management in comparable multi-agency environments.</P> Wed, 06 Aug 2025 00:55:37 GMT https://community.esri.com/t5/arcgis-enterprise-ideas/multiple-saml-logins-within-both-arcgis-enterprise/idi-p/1638692 MichelleAlley 2025-08-06T00:55:37Z Re: Multiple SAML logins within both ArcGIS Enterprise and AGOL environments https://community.esri.com/t5/arcgis-enterprise-ideas/multiple-saml-logins-within-both-arcgis-enterprise/idc-p/1638768#M4296 <P>I know some people utilising <A href="https://www.keycloak.org/" target="_blank">Keycloak</A> as unified login page.</P><P>When a user attempts to log in, they hit Keycloak’s login page. Keycloak routes them to their respective agency IdP, based on a login hint, email domain, or user selection. Once authenticated upstream, Keycloak asserts the user’s identity to ArcGIS.</P> Mon, 04 Aug 2025 13:17:51 GMT https://community.esri.com/t5/arcgis-enterprise-ideas/multiple-saml-logins-within-both-arcgis-enterprise/idc-p/1638768#M4296 SimonSchütte_ct 2025-08-04T13:17:51Z