topic Re: Azure Active Directory integration with ArcGIS Online in ArcGIS Enterprise Questions

Azure Active Directory integration with ArcGIS Online

AhmadSALEH1 — Mon, 17 Aug 2020 20:43:38 GMT

Hi All,

I am trying to set the identity provider in ArcGIS Online to use Azure Active Directory to configure ArcGIS Online Single Sign-On.

I found this tutorial that walks-through the process:

Tutorial: Azure Active Directory integration with ArcGIS Online | Microsoft Docs

while the documentation perfectly outlines the steps, it is still unclear to me How ArcGIS Roles "Groups" and User levels works.

Is ArcGIS users groups will be managed by the AD groups “the groups need to exist in the Active Directory” in order to use them and place users in that group. Or we still can utilize the native and custom groups in ArcGIS online?

The reason I am asking, is because I have a lot of custom groups that I keep in ArcGIS Online environment but I don't want them to be created in AD :

Admin, Editor, Viewer, Editor Limited, Site A Data Download Only, Site A Data Viewer Only.

Re: Azure Active Directory integration with ArcGIS Online

ChristopherPawlyszyn — Mon, 17 Aug 2020 22:07:08 GMT

Hello Ahmad SALEH‌,

When configuring a SAML identity store in your ArcGIS Online organization, you have the option to control group membership based on the groups that are listed in users' SAML assertions when authenticating with the identity provider, but that does not mean that you cannot use built-in groups as well. The plus side of managing the group membership in Azure AD is you only have to update one location to modify access to both AD-based resources as well as ArcGIS Online resources within that group. If you choose to implement enterprise groups using your identity provider, you'll need to make sure the group assertion claim is reaching ArcGIS Online from the identity provider since that is how users join the groups automatically.

Create groups—Portal for ArcGIS | Documentation for ArcGIS Enterprise

Let me know if you have any additional questions!

Re: Azure Active Directory integration with ArcGIS Online

AhmadSALEH1 — Tue, 18 Aug 2020 13:32:40 GMT

Awesome, Thanks Chris.

so to summarize, for the user groups, I can use either AD groups or ArcGIS Online built in groups.

Does that apply to users Roles and user types too?

also, one more question, what happens to the current/existing users I assume that they will still be able to use the ArcGIS Online Login, right ? is there a way to switch them all to SAML login or this needs to be done manually for every user.

Thanks a lot,

Ahmad

Re: Azure Active Directory integration with ArcGIS Online

ChristopherPawlyszyn — Tue, 18 Aug 2020 13:56:54 GMT

User types and roles exist outside of the user's identity store, so the new user defaults would apply upon the first sign-in of an enterprise account when automatically added.

There is an option when configuring the enterprise logins to allow both authentication methods (SAML and ArcGIS) or allow only enterprise logins. Typically when a customer is wanting to implement enterprise logins in an established organization the recommendation is to allow some users to login with their new enterprise account, set the user type, role, and group membership for that new user to match their existing built-in account, then transfer all owned items from the built-in account to the new enterprise login account. If you find yourself short on additional user licenses, you can do this in batches until everyone is migrated to the new enterprise logins. Once all users are migrated to the enterprise logins, you could disable the built-in authentication option if you desired to.

Re: Azure Active Directory integration with ArcGIS Online

Mannus_Etten — Wed, 23 Feb 2022 12:21:44 GMT

interesting question.

I configured it as well and it is not working: AADSTS500113 No reply address is registered for the application.

I used the enterprise application tempate ArcGIS Online...