topic Re: Converting authentication from unique ArcGIS online users to Enterprise Azure AD users in ArcGIS Enterprise Questions

Converting authentication from unique ArcGIS online users to Enterprise Azure AD users

ChipSmith09 — Wed, 26 May 2021 19:00:17 GMT

Currently we're using ArcGIS online and using our domain email addresses with unique passwords to login. We're attempting to convert to Azure AD authentication. I'd like to match the Enterprise usernames to the usernames we're currently using, however I'm not sure what/where I need to do this.

I've gotten the SAML link to work in the Azure AD Enterprise Apps, however when logging into ArcGIS enterprise with my AD creds, I get an error:

"Unable to sign in, logins are by invitation only. Please contact the administrator of this web site to access this site. IdpUsername: 'user@mydomain.com' Username: 'user@mydomain.com_MyCompanyShortname'"

user@mydomain.com is an existing user account in ArcGIS online. I assume I need to update the User attributes & claims in my Azure AD Enterprise App to pass along this info? I'm not sure what I need to do and the help documentation isn't entirely clear.

Help documentation in question: https://enterprise.arcgis.com/en/portal/latest/administer/windows/configuring-a-saml-compliant-identity-provider-with-your-portal.htm#ESRI_SECTION1_1E9996AB78AD47F7BE14B7DD5598BE2F

Any help would be greatly appreciated!

Re: Converting authentication from unique ArcGIS online users to Enterprise Azure AD users

JCGuarneri — Fri, 01 Apr 2022 18:06:37 GMT

Did you ever come up with a solution? We're going through this process now and running into pretty much the same issue. Our existing Enterprise users are all in the format doej@domain (or domain\\doej), but Azure sends the username as john.doe@domain.com If we allow users to create an account without invitation, they are able to login, but it creates a brand new username. If push comes to shove, we can just get rid of all the old users and add new ones, but it would be nice if we can avoid that.

Re: Converting authentication from unique ArcGIS online users to Enterprise Azure AD users

KevinCutsforth — Fri, 18 Nov 2022 19:55:12 GMT

I am currently going through the exact same issue as the original post, and I agree there is virtually no supporting documentation for how to resolve this issue. @ChipSmith09 were you able to get this working? I'd love to know how to get it resolved.

Re: Converting authentication from unique ArcGIS online users to Enterprise Azure AD users

Scott_Tansley — Fri, 18 Nov 2022 21:35:02 GMT

You can't link them. You need to recreate each user, as a SAML2 user, transfer any permissions/content and then deprecate the old user. I believe there are example scripts online and also potentially third party admin tools that can help with the migration.

Re: Converting authentication from unique ArcGIS online users to Enterprise Azure AD users

JCGuarneri — Mon, 21 Nov 2022 13:15:27 GMT

I agree with @Scott_Tansley . We ended up doing it in batches, so I wrote a script that took the old username, email address, first name, and last name as a csv input. It created each new user with the email address, then transferred items, groups, permissions, etc. to the new user, and finally deleted the old user. It wasn't too hard to set up, and a good opportunity to get to know the admin module of the Python API.