topic Re: Migrate/Convert ArcGIS Users to SAML in ArcGIS Online Questions

Migrate/Convert ArcGIS Users to SAML

ChrissyRothgeb — Thu, 11 Mar 2021 14:38:06 GMT

While our primary ArcGIS Online Org has used SAML logins for quite some time, we've had a secondary AGOL as well as an on-prem Portal that have used ArcGIS user accounts for some time before implementing SSO on them. Thus, we have many existing ArcGIS accounts, and those have identical names to their SAML counterparts because we'd gone with a similar naming convention early on ("username_org"). So we cannot simply have existing users log into the org using their SAML account because of the conflict.

My question is this: is there any way to convert an ArcGIS Online account (or local Portal accounts) to SAML type? I'm happy to do this using Python APIs if needed (I can see no way to do this through the web interface). If not, what is the best solution? Is it better to keep the old accounts and just have new users utilize SSO, or should I try and transfer data for each user to a temporary holding account, delete the original, then transfer to the SAML login once the user has gone through SSO once? Or is there a better way I haven't considered?

I'm just curious if anyone else has gone through this before. I'm not seeing anything about it on the web or forums, though maybe I'm just looking for the wrong search terms. Thank you for any suggestions or insight!

Re: Migrate/Convert ArcGIS Users to SAML

PeterKnoop — Thu, 18 Mar 2021 15:51:01 GMT

If you want to automate this process with the ArcGIS API for Python, then you might start by programmatically creating the enterprise accounts. If you have their firstname, lastname, and idpusername, then you can use gis.users.create, along the lines of:

user = gis.users.create( username = 'pat_org', # The user's username according to your idp, combined with the shortname for your ArcGIS Online organization. password = 'None', firstname = 'Pat', lastname = 'Smith', email = 'pat@somecollege.edu', role = 'org_publisher', provider = 'enterprise', idp_username = 'pat', # The user's username according to your idp. level = '2', user_type = 'GISProfessionalAdvUT' )

If you're using New Member Defaults, then you should double-check that the account you created above is provisioned with settings you are expecting. For various versions of the ArcGIS API for Python, gis.users.create has failed to honor some of the New Member Default settings. In which case you could add some more to your script to programmatically deal with what got missed (e.g., allocate credits, enable Esri Access, assign licenses.)

Also, you can only chose from the default roles when specifying the role for gis.users.create. If you use a custom role for your users, then you could add a next step that changes the user's role to that custom role.

After you have created the new account, then you can also script changing the ownership of all of the user's items and groups from their old arcgis account to their new SAML/enterprise account.

If you have a lot of users with a lot of content/groups to move, then you probably want to schedule some downtime for your system and inform the impacted users well in advance. During that downtime, while you are running your script to create the accounts and change ownership, you might want to temporarily disable the ability of those users to login, and then re-enable it when you are all done; you don't want them accidentally changing things in the middle of the process.

Re: Migrate/Convert ArcGIS Users to SAML

ChrissyRothgeb — Thu, 18 Mar 2021 18:00:58 GMT

Awesome - thank you! I may very well use this approach. Is there any way to actually convert the accounts from AGOL to SSO under the hood? Unfortunately, the old names will conflict with the new due to us being "proactive" in our account naming. Ah, the best laid plans...

Re: Migrate/Convert ArcGIS Users to SAML

PeterKnoop — Thu, 18 Mar 2021 18:36:05 GMT

Sorry! I missed that part. I am not aware of a way to convert an accounts type.

We did have a few like that in the early days, as we didn't understand the naming convention at the time either. We ended up creating a temporary arcgis account, changing ownership of the user's items/groups to the temp account, deleting the user's arcgis account, creating the user's enterprise account, and changing ownership once more on everything to the user's enterprise account.

Re: Migrate/Convert ArcGIS Users to SAML

Thomas_Puthusserry — Fri, 28 Feb 2025 14:48:24 GMT

We are in a similar situation and would like some guidance on this.

@PeterKnoop any suggestions would be very helpful.

1. We have over 350 users to migrate in AGOL (currently all of them have built-in user name). This is not with email so the new SAML account will be different.

2. Is there a way the user's account IdPUsername can be updated to use the new username via Python API? For example, there is an option to do this in Enterprise: https://developers.arcgis.com/rest/enterprise-administration/portal/update-enterprise-user/

3. What is the best option to migrate the contents / access to groups etc?

Is there any python scripts available which can be used to migrate?

Re: Migrate/Convert ArcGIS Users to SAML

CityofAikenGISAdminAccount — Fri, 25 Jul 2025 17:50:24 GMT

Thomas - did you get this figured out? We have AGOL sign on for all of our accounts, and just enabled SAML yesterday. I'm looking to do exactly what you were talking about. I see the documentation and it seems to apply to enterprise (update enterprise user) and I'm wondering if it can be applied in AGOL as well. The only other option I'm seeing is to create all new users and migrate content. From what I've read in the forums thus far, there seems to be the potential for things not all being migrated to look exactly the same (maps with layers, etc.). I'm concerned bc we have users with many folders containing content, many apps referencing maps (of course), and most maps with multiple layers, and all with different types of sharing enabled. So... many levels of complexity to contend with.

Any thoughts, experiences, or advice you'd be willing to share would all be helpful.

Thank you.

Re: Migrate/Convert ArcGIS Users to SAML

CalvinHarmin — Tue, 18 Nov 2025 23:10:17 GMT

Checking in with identical use case:

We've got Azure AD SSO enabled for ArcGIS Online. We're in a testing phase. I've hit a fork in the road...

We are already using the naming convention for AGO usernames where it follows our Town email base name, which is first initial / last name, follow by _tofv , since that's our AGO tenant short name.

Example in my case: charmin_tofv

That's what we want to continue to use, but upon first Azure AD SSO login, there is not a method I can find to 'map' the existing user to the Azure AD login. So on AGO side it creates, for example, a new charmin_tofv2 user automatically.

Can anyone confirm if there is still no viable a method of 'mapping' Azure AD to existing accounts like this, so we don't have to wipe out and recreate users? That process also breaks any collaboration invites they may have had, aside from the content migration issue.

Re: Migrate/Convert ArcGIS Users to SAML

CityofAikenGISAdminAccount — Wed, 19 Nov 2025 14:10:26 GMT

Calvin

I started implementing SAML, didn't have a chance to move content at the time. SAML worked for testing purposes for logins to be auto-generated. However I've not found any way to map new SAML users (batch generated or generated at login) to existing users. The only thing I've found (I'll be circling back to this project VERY soon to test/implement) is to use Python and some ESRI samples and some scripts I found while scouring and am putting together as much capability as possible to truly transition content. I've seen multiple examples where (in reading a script sample from ESRI or one a user shared) I could see it would do a portion of the work, but not all. Some examples include transfer ownership of items (maps, layers, etc.) but dump it all into their main user folder, or add the new user to the same groups but not set the permissions (e.g. make them a manager of the group, etc.), and surely other things like add-on license assignment, etc. Frankly, it is a scary thing with the level of complexity and associated relationships between users and items and permissions and properties that I'm sure during the actual full-on transfer I will miss/drop something.

I'm not liking this at all.

Re: Migrate/Convert ArcGIS Users to SAML

CalvinHarmin — Wed, 19 Nov 2025 18:23:53 GMT

I am also working on a similar thing with ArcGIS Python API, so I can collate all existing relevant user info for licensing (arcgis pro), groups, user level, roles, etc. So hopefully I can re-apply all of that to the new user automatically once I start nuking accounts and restoring them after SSO-login occurs.

Re: Migrate/Convert ArcGIS Users to SAML

CityofAikenGISAdminAccount — Tue, 02 Dec 2025 21:46:35 GMT

Calvin - how is your progress?

I was thinking about your scenario. It sounds like you already did a sample test (when it created the charmin_tofv2). It looks like we can bulk load users, including specifying the user name, email, etc. Did you try that (even with one user) or was the new user created dynamically on first login?

I'm still stepping through code from multiple scripts I've found to try and make sure I don't miss anything. In the process, I've come up with a few scenarios I am concerned about:

If editing of a layer is set so that only the person who created the feature can edit it, is there a way to "reassign" those features to the new SAML identity for the person? I'm concerned the answer is no, and how to manage such things
What about any favorites, ESRI community posts, training records, etc. that are associated with the original login? For favorites, I don't think there's much that can be done. For the ESRI community posts and training, I would think we can't directly transfer it, but might be possible to work with ESRI in order to transition the ESRI-maintained account info to add it to their new profile... but I'm not sure

Any thoughts on this or any other "aha" things that need to be examined more deeply?

Re: Migrate/Convert ArcGIS Users to SAML

CalvinHarmin — Wed, 03 Dec 2025 14:35:13 GMT

After we established our proof of concept after setting up the Azure SAML settings, I put a pin in the project temporarily as we have had to tackle some other projects. So unfortunately I don't have much in the way of further testing or "aha's" to share.

But on my end I did notice some new avenues for testing:

When you have a SAML login configured and enabled, you will see some new options for adding users. One of these is :
- This lets you send an email to individual users, or any number of users via a list (CSV) with the fields of Email, Role, and User Type, that you can specify.
- The user gets an email with a link to basically log in with only the SAML login option and you can pre-configure the Role and User Type with CSV, or, individually, you can go ahead and configure the normal new user options for Add-On licenses, groups, etc.
- However, after you invite with this method, the user account doesn't automatically show up in the Members list. The user only shows up after the user logs in. So I'm not sure how much that helps besides just notifying the user that they should login. You would still have to transfer content, assign groups and licenses if you didn't already, etc.
- Regarding Transfer Content, there is an interesting new option I didn't notice before where you can 'Transfer member' (limited documentation) from one existing member account to another account. This includes the ability to transfer user Type, Role, and add-on licenses, and Content! However, strangely... it doesn't seem to transfer the user's group assignments to the other user in my quick test. So that may need some testing to see the limitations of what is- and isn't- transferred.
- I have heard elsewhere that ESRI support may be able to help transfer ESRI community and training records, but I don't know if that's true or how that would work if you have many users you want to transfer records like that.

So, in conclusion... you may have the best experience if you can retain your existing user accounts, and have the SAML login create a different username. Then you could at least perform certain 'transfer' options from one user to another, but again it doesn't seem to be complete in terms of tranferrring everything 😞 So that would need some more testing.

Re: Migrate/Convert ArcGIS Users to SAML

CityofAikenGISAdminAccount — Thu, 04 Dec 2025 17:11:24 GMT

Good find! I hadn't found the "transfer member". I'll have to look at that a bit more. Like you, I also found the additional "add member" options once activating SAML. I've tested "invite members to join using their org specific logins"... this worked fine, but like you indicated, you have to wait for them to login to do anything (assign groups, permissions, etc.). I also tested "add members using their org specific ID without sending invite" - that actually worked really slick. I created a new user using this method, and followed the naming convention used by our SSO. Once created, I used scripts to set role, license type, and group assignments based on the pre-existing user (the user is a field editor, so no owned content to transfer). This worked very well. This way I was able to do what I needed to, not needing to wait on them, and they didn't need to wait on me either.

I did find one additional thing that I'm toying with before working on migrating users with content... update enterprise user to update the idpname. https://developers.arcgis.com/rest/enterprise-administration/portal/update-enterprise-user/ I did a quick search and couldn't tell if this was exposed for AGOL orgs or just enterprise portal, so I put in a tech support ticket to get some advice. I also want to see if there is a way via python to set this property for named users (even if only in portal this could help) if it is a property that exists but is not populated for named users. I can't imagine they made a completely different class for users generated via SAML/SSO versus named users. Just a playing around kind of idea. Not sure if it will get traction or not.