My company has a federated single sign on with ArcGIS Online, and I'm unable to authenticate with AGOL and the Python API.
gis = GIS(agolUrl, userName, password)
This line will throw an exception, "Unable to generate token. Invalid username or password." The values for "userName" and "password" are my normal AGOL logins - these will work when logging into the AGOL homepage in my browser. I'm able to log in using my personal account (this one), and query content with the GIS() module. How do I authenticate via the Python API using my account that is a federated login from my company?
After speaking with Esri tech support, they informed me that enterprise logins for ArcGIS Online are not currently supported by the Python API. No timeline was given for implementation of this feature, but I was informed there is an enhancement request open. I will leave this post here for future reference for anybody else with the same inquiry.
Enterprise logins (and all types of logins) are supported in the version that went out last week (v1.2). For OAUTH/SAML, you need to pass in the URL and the client_id parameter in the GIS constructor.
Do you have any additional information? The tech support person I spoke with made no mention of this.
We will update the guide page Working with different auth systems with instructions and put a note here when it goes live.
The ArcGIS API for Python acts as a 'serverless native application' when using OAuth 2.0 authorization with ArcGIS.
To be able to log in using OAuth 2.0, you need to follow the workflow described below:
Example code:
test_client_id = 'OGz1I2eoO8dO0ii2'
gis = GIS('https://deldev.maps.arcgis.com', client_id=test_client_id)
gis.users.me
If your configured identity provider is compatible, you can even pass in your login credentials for a non-interactive login workflow:
gis = GIS('https://deldev.maps.arcgis.com', 'your-username', 'your-password', client_id=test_client_id)
(Additional info: This is using "Mobile and Native Named User Login" workflow described at https://developers.arcgis.com/documentation/core-concepts/security-and-authentication/mobile-and-nat...)
Hi Rohit,
Thanks for this. Got more question on the API. I want to try the non-interactive scripting of connectivity to portal, so im following this sample, but populated with parameters relevant to my environment:
gis = GIS("https://python.playground.esri.com/portal", username="arcgis_python", password="amazing_arcgis_123", client_id='f8cRxbP3NO8bf9ag') print("Successfully logged in as: " + gis.properties.user.username)
This does not work right away as i suspect there might be issues with my IDP - i still am prompted to log in to my portal/IDP button needs to be clicked and i get the SAML code OK.
What makes me wonder is the syntax of URL produced that i am supposed to follow:
https://<portalhost>.com/portal/sharing/rest/oauth2/authorize?user_orgkey=&username=MYUSER&password=MYPASSINPLAINTEXT&oauth_state=<SOMELONGCODE>
Is there documentation on syntax of this rest/oauth2/authorize endpoint that would list all params it takes? I found this
Authentication—ArcGIS REST API: Users, groups, and content | ArcGIS for Developers
but does not mention username or password etc
Would you know in particular how to allow username/pass enabling for OKTA (or is it comatible)?
If not, what options to look for other IDPs so perhaps we could try to figure out OKTA please?
Regards,
Szymon
Hi Rohit,
I got a conflicting information from the Esri Tech support that Enterprise log-in is still in product plan today (current version is 1.4.2). This contradicts your comment that all types of log-in are supported at version 1.2. Which is true?
HI @RohitSingh2 and @Anonymous User,
I have a special use case right now and can't find a way to connect with the Python API. We intend to create daily adminstrative workflows with the API which would run as scheduled tasks.
It's an Enterprise LogIn where the Active Directory is hosted in the Azure Cloud meaning that there is no domain name to enter like in the example for Portal-tier authentication with Active Directory. Additional in this architecture there is an ID Broker which takes care of the logging in to the AD meaning that a normal sign in to Portal produces an extra, non-esri window to choose which AD user to sign in with. I wonder how my Python script can know about or work around this step.
We have considered using the OAuth2.0 App though IT is concerned about saftey issues if the Client Id falls into the wrong hands since it would give access to all the content and admin capabilities of the user it is registered under. Is there a recommended way to take care of this? Should all items be accessed using a token like in the last examles at the end of this Rest API Documentation? Furthermore, using OAuth 2.0 with SAML opens the login window followed by "OAuth2 approval" where a code has to be actively copied and given in the CMD or Notebook - I can't see how we would do this in script that is run automatically.
Just as additional information: when we sign in to ArcGIS Pro using the Enterprise user and then run gis=GIS("Pro"), the login is successful. Unfortunately we cannot count on opening Pro periodically to renew the token for the admin scripts in a production environment.
Would the ArcGIS Notebook Server be a possible solution to this issue? Can I run a daily task as an Enterprise user or even Built-In user with admin privileges? I haven't used it myself yet.
Thank you in advance and best regards!
Daniel
I ran into the same issue and found a solution using Python (using BeautifulSoup library) to automate the interactive log in page to ultimately generate a access a token.
Alternatively, ESRI recommends a non-interactive login which basically uses the built-in login to authenticate.