
ArcGIS Enterprise Centrify SAML Group Integration

07-08-2020 03:00 AM


To integrate Centrify with ArcGIS Portal, we need to configure not only ArcGIS Portal but also the attribute mapping in Centrify. If you want your Portal groups to integrate with SAML groups, you have to pass the group attribute in the Centrify response. The important mappings are as below.

 

Once you have the above attribute mapping, you can check the response, which should look similar to the one below.

 

 

Once your ArcGIS group is integrated with the SAML group, you can find the SAML group under “My group” if you are a member of it.

 

If you want to get more attributes from Centrify, please refer to:

https://docs.centrify.com/Content/IntegrationContent/Idaptive/idaptive-integration-steps.htm

https://docs.centrify.com/Content/Applications/AppsCustom/CustSamlApps.htm

David Hoy

Comments
DavidHoy
Esri Contributor

Thanks for this Bing,

could you perhaps add a bit more detail, recognising that not every Centrify installation will be using the same fields for the information required by ArcGIS Enterprise. 

ArcGIS (whether AGOL or Enterprise) requires a set of attributes within a SAML response:

  • "NameID" (this can be a string even though it sounds like it may be a number - this becomes your User Name in the portal - The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be converted to underscores in the user name created within the portal.)
    • if you wish to align your user accounts in AGOL with user names in your own ArcGIS Enterprise, you need to have ArcGIS Enterprise add a suffix that is the AGOL Organisation's "short name" - this can be set in the defaultIDPUsernameSuffix property in the ArcGIS Enterprise portal's security configuration
  • "Email" or "Mail" - the user's full Email Address
  • "GivenName" (which may be the full name - depends what your organisation wants to see in the Portal's pages)
  • "Surname" (added at 10.8 as an optional separate field)
  • "Group" (can be a collection of group names of which the user is a member) - you don't have to create Portal Groups for every Group in this list, just the ones that are relevant to your site.

When configuring the response Centrify sends to ArcGIS when a User authenticates, the Centrify administrator is able to map the internal attribute names (e.g. LoginUser.Email) to the "attributes" in the response (e.g. Email in your example).

In Centrify's case, you need to check which of the inbuilt attributes are suitable to map to the "Groups" attribute in the response. As you show, there are two potential candidate attributes LoginUser.RoleNames or LoginUser.GroupNames - for your site, you chose GroupNames but this may be different at other sites.
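An added example, not part of the comment above and not Esri or Centrify code: a Python check that reads a captured SAML assertion, confirms that the attributes listed above are present, and shows the user name the portal would derive from NameID. The sample assertion is constructed; matching attribute names by exact case and reading "alphanumeric" as ASCII are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Centrify response).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>jane.doe+gis@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="Email">
   <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="GivenName">
   <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Group">
   <saml:AttributeValue>GIS-Editors</saml:AttributeValue>
   <saml:AttributeValue>GIS-Viewers</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def portal_username(name_id):
    # Rule quoted above: anything other than alphanumerics, '_', '.', '@'
    # becomes '_'. Treating "alphanumeric" as ASCII is an assumption.
    return re.sub(r"[^A-Za-z0-9_.@]", "_", name_id)

def check_assertion(xml_text):
    # Debugging aid for a response you captured yourself; it does not
    # verify the XML signature or any assertion conditions.
    root = ET.fromstring(xml_text)
    name_id = (root.findtext(".//saml:NameID", default="", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    problems = []
    if not name_id:
        problems.append("NameID missing")
    if not (attrs.get("Email") or attrs.get("Mail")):
        problems.append("Email/Mail missing")
    if not attrs.get("GivenName"):
        problems.append("GivenName missing")
    if not attrs.get("Group"):  # exact-case match is an assumption
        problems.append("Group missing")
    return {"username": portal_username(name_id), "groups": attrs.get("Group", []),
            "surname": attrs.get("Surname"), "problems": problems}

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```
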

Alber_Verster
Esri Contributor

Thank you Bing, good work.

ahargreaves_FW
Regular Contributor

Hello

 

In a related-but-unrelated issue we are facing an issue whereby we can't correctly pass the idaptive SAML attribute for "surname" into Portal 10.6.1.

We can easily pull it from iDaptive and include it in the SAML response using LoginUser.LastName

But no matter what we term this attribute, portal fails to accept it. We've tried the following:

  • surname
  • Surname
  • surName

If anyone has successfully configured iDaptive against Portal please let us know.

Thanks

#idaptive  #SAML #enteprise #portal10.6.1
