We have Enterprise 10.9 (Server, Portal, Data Store) on a single machine with IWA authentication. Although the SSO authentication works great, I have come across some bugs with general enterprise usage that are specific to IWA (according to ESRI tech support).
How big of an effort is to change our authentication method? We still want the same SSO experience using our org's AD.
Would changing impact the users who created existing content on our portal? e.g. would john doe with IWA lose access to their content if we were to change?
SAML is the only other SSO option. The 3 authentication options are built-in accounts, IWA, or SAML. Connecting Enterprise to work with SAML logins is more simple, and can be done through the main Portal UI, instead of the Portal Admin API.
There is no way to map a login to an existing user account; you would need to create all new accounts for your users. I have seen other customers use a python script (and some do it manually) that goes through this process: create a new user, transfer the content from the old user account to the new one, then delete that old user, repeating for each user within the Enterprise organization.
What authentication method are you looking to switch to, instead of IWA?
I don't have a particular one I am targeting, but it seems like SAML best fits my criteria, though I'm not positive. Azure AD seems promising but does require our IT to set it up and maintain it.
My criteria:
1. Maintain SSO
2. Be able to add users through AD
3. Not lose connection between existing users and their contents. But I guess a python script can help remap.
4. Not have the same bugs/issues as IWA. I find when I call ESRI support, they generally identify IWA as being the cause of the issue. e.g. I am working on IWA-related issues with Survey123 and rendering enterprise-hosted data in python notebooks.
Overall IWA works fine for auth. I would just like to see if there are other auth options that provide the same benefits without the issues. I am not finding any pro/cons articles.
Thanks for your help. This is great.
I imagine the python script is using the python API and taking the ID of the old user and swapping it with the new one? Between all the content and groups, doing it manually would be cumbersome.
Correct, you'd use the Python API, and transfer content and group ownership / membership to the new user ID.
Thanks for your help!