Support for Multiple Simultaneous SAML and/or OIDC Identity Providers in ArcGIS Enterprise

5 hours ago
Status: Open
ValeskaKolligs
Emerging Contributor

Category: Security / Authentication / Identity Management

Current Limitation:
ArcGIS Enterprise currently supports only one SAML identity provider (IdP) and one OIDC identity provider configured at the same time at the organization level.

Use Case / Role & Context:
As an ArcGIS Enterprise administrator, I need to authenticate distinct user populations against different identity providers within the same organization — for example:

  • Internal staff via a corporate SAML or OIDC IdP for SSO,
  • Privileged internal staff for administration via a corporate SAML or OIDC IdP with 2FA,
  • External users via a federated government identity scheme (e.g., AGOV/SwissID in Switzerland) for public-facing or partner access.

Because only one SAML and one OIDC IdP can be active at a time, organizations with multiple legitimate identity sources are currently forced to either consolidate incompatible user populations behind a single IdP, or deploy separate ArcGIS Enterprise organizations solely to work around this limitation — which significantly increases licensing, infrastructure, and administrative overhead.

Proposed Solution:
Allow ArcGIS Enterprise to register and operate multiple SAML and/or multiple OIDC identity providers simultaneously at the organization level, similar to capabilities already available in modern IAM/CIAM platforms (e.g., Azure AD B2C, Auth0, Keycloak, Okta).

Impact / Business Value:

  • Avoids unnecessary duplication of ArcGIS Enterprise infrastructure purely to work around authentication constraints.
  • Enables secure onboarding of external users via national/government identity federation schemes without compromising internal SSO architecture.
  • Supports organizations with multiple legitimate identity domains (internal, external, partner) within a single Enterprise deployment.

Current Workaround:
None available other than deploying separate ArcGIS Enterprise organizations, which is costly and operationally complex.

1 Comment
JoshuaBixby

I can't endorse/support this idea enough; any enterprise platform today needs to support multiple identity providers of the same type.