10.3.1 Create a Group when using SAML2

12-30-2015 04:00 PM
ScottTansley
New Contributor II

Hi,

I'm working with an organisation that has implemented Portal for ArcGIS 10.3.1.  They are using ADFS and, therefore, SAML2 technologies for authentication.  This works great for logging users into the system.  Now they want to create groups in Portal that 'map' to Enterprise groups, so that they do not have to manually add members to a Portal group.  I know how to do this with 'Integrated Windows Authentication' (IWA), but I cannot find a way to do it with SAML2.

I have read the following page:

Create groups—Portal for ArcGIS (10.3 and 10.3.1) | ArcGIS for Server

which hints at the fact that this can be done.  My guess, though, is that this article relates to IWA.  I do have Administrator rights in the Portal and so I have rights "to link built-in groups to enterprise groups" but I just cannot find the options to do it.

Any advice would be greatly appreciated.

Regards,

Scott

2 Replies
JakeSkinner
Esri Esteemed Contributor

Hi Scott,

Did you provide metadata about the enterprise groups in the Portal Administrator Directory?  See step 5 in the below link:

http://server.arcgis.com/en/portal/latest/administer/windows/configure-adfs.htm

ScottTansley
New Contributor II

Hi Jake,

Apologies for the delay in coming back to you.  This is really useful, thank you.  I was unaware of this, and I can see how in many cases this would be the answer to the problem as it exists.

There is a bit of a story here:

The organization has implemented SAML2 authentication to unify groups from different organizations.  The 'organization' is a consolidation of former government departments.  A business group will now be formed of users from different government agencies, each of which logs in to a different AD.  These ADs have been trusted (as a tree).  But a business group will be defined in multiple ADs, if that makes sense.  The complexity of this is a nightmare for the 'newly born' organization.  So they use SAML2 to pull users together, and they can create 'Groups' in ADFS that are independent of the AD.  This allows a single ADFS group to be created to cover all the historic AD users.  It streamlines and simplifies their user management.

So in essence, their groups are in ADFS and not the AD.  I would imagine that there is a bespoke 'component' that they are using to manage this.  I can clarify this.

From the link that you have provided, I see that even though ADFS is being used, the groups in Portal are being created by a 'direct connection' to the AD itself, and only one AD can be referenced?  For the reasons described above, this will not work in this organization.  Could I ask you to confirm that this assumption is correct, and are there any known workarounds that I may use?

I appreciate that the customer is working in a non-standard way, and Portal for ArcGIS may not have been designed to support this method.  Having a clear answer would be good to discuss with the client.

Many thanks for your previous response, and for any assistance you can provide with the above.

Kind Regards,

Scott
