
OpenID Connect group membership

11-21-2022 02:29 PM
Status: Implemented
AngusHooper1
Frequent Contributor

SAML identity providers integrated with ArcGIS Enterprise can support group membership. Similarly, it would be great to support OIDC backed group membership through calls to a groups or memberOf (etc) property.

10 Comments
sodtom

Even though this is NOT part of, nor compliant with, the current OIDC standard scopes / claims, this is a feature that has been requested by several ArcGIS clients. Adding support for custom or enhanced scopes / claims like groups would be very helpful.

NicolasGIS

+1 !

As it does not seem to be standard in the OIDC protocol (correct me if I am wrong, not an expert!), a configurable claim (aka not hardcoded) would be very useful to retrieve the group membership experience of SAML!

Thanks for listening

jmp601

Voicing my support for this feature too! This would be tremendously helpful as we do this with a lot of other vendors already. It allows our cloud SAs to manage groups in our Azure tenant, which will map them all to the appropriate group in the ESRI world.

Martin1

We would be interested in OpenID Connect, but will stay with SAML as long as group memberships are not available.

MaggieBusek
Status changed to: Implemented

Thank you for your Idea! This is now implemented in ArcGIS Enterprise.

NicolasGIS

Fantastic news @MaggieBusek! Thanks for listening.

Does that mean that it will be available at 11.4 ?

MaggieBusek

@NicolasGIS This was implemented in Enterprise 11.3!

AngusHooper1

@MaggieBusek can you link to the documentation that outlines how to configure this? Cheers.

NicolasGIS

True, it does not seem to be documented yet for ArcGIS Enterprise, but it is for ArcGIS Online:
https://doc.arcgis.com/en/arcgis-online/administer/openid-connect-logins.htm

Step 15:

Optionally, toggle the Enable OpenID Connect login based group membership button to allow members to link specified OpenID Connect-based groups to ArcGIS Online groups during the group creation process.

This step is missing from ArcGIS Enterprise 11.3 documentation:

https://enterprise.arcgis.com/en/portal/latest/administer/windows/openid-connect-logins.htm

But running 11.3, I confirm I do see the same option as in ArcGIS Online.

NicolasGIS

From my first testing, I faced an issue with header size since I activated it. I don't know why, but Portal for ArcGIS is setting this "oidcRelayState" cookie on the last "signin" operation:

`sharing/rest/oauth2/oidc/xyz/signin`

and in my case, after having turned on this OIDC group membership, it turns out that this cookie is massive: my header is greater than 40 KB afterward and gets rejected by HAProxy. I increased the header size limit and it now works, but it seems to me that my groups are stored in this cookie, which is not a good practice according to my IT team. Any idea why the groups are stored in this cookie at the end of the auth process? It seems to me this cookie is much more than a 'classic' relayState, and also there is no state to manage at this stage as the interaction with the IdP is over 🤔

Might open a dedicated thread rather than polluting this implemented idea!
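A small diagnostic for the oversized-header problem described in the last comment, added here as an example and not code from the thread or from Esri: it measures the request head a reverse proxy must buffer (HAProxy's default `tune.bufsize` is 16 KiB) and ranks the cookies by size so the offending one, here `oidcRelayState`, stands out. The hostname, the filler cookie value and the `esri_auth`/`lang` cookie names in the sample request are constructed assumptions.

```python
from typing import Dict, List, Tuple

# HAProxy buffers the request line plus all headers in one buffer; its default
# tune.bufsize is 16384 bytes. The poster raised this limit to accept >40 KB.
HAPROXY_DEFAULT_BUFSIZE = 16384

# Constructed sample request: the signin call from the thread with a filler
# oidcRelayState value standing in for the real (opaque) cookie content.
SAMPLE_REQUEST = (
    "GET /portal/sharing/rest/oauth2/oidc/xyz/signin HTTP/1.1\r\n"
    "Host: portal.example.com\r\n"  # assumed hostname
    "Cookie: esri_auth=abc123; oidcRelayState=" + "A" * 20000 + "; lang=en\r\n"
    "\r\n"
)


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Split a Cookie request header into name -> value (first occurrence wins)."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty fragments and malformed pairs
        name, value = part.split("=", 1)
        cookies.setdefault(name.strip(), value.strip())
    return cookies


def audit_request_headers(raw_request: str, limit: int = HAPROXY_DEFAULT_BUFSIZE) -> dict:
    """Return the byte size of the request head, whether it exceeds `limit`,
    and the cookies sorted largest-first as (name, value_bytes) tuples."""
    head = raw_request.split("\r\n\r\n", 1)[0] + "\r\n\r\n"
    header_bytes = len(head.encode("utf-8"))
    cookies: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line.lower().startswith("cookie:"):
            cookies.update(parse_cookie_header(line.split(":", 1)[1]))
    ranked: List[Tuple[str, int]] = sorted(
        ((n, len(v.encode("utf-8"))) for n, v in cookies.items()),
        key=lambda t: t[1], reverse=True)
    return {"header_bytes": header_bytes,
            "over_limit": header_bytes > limit,
            "cookies_by_size": ranked}


if __name__ == "__main__":
    report = audit_request_headers(SAMPLE_REQUEST)
    print(f"request head: {report['header_bytes']} bytes, over limit: {report['over_limit']}")
    for name, size in report["cookies_by_size"]:
        print(f"  {name}: {size} bytes")
```

Run it against a request captured from the browser's developer tools (or the proxy's log of the rejected request) to see which cookie pushed the head past the proxy's buffer before deciding whether to raise the limit or shrink the cookie.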