Change Authentication from IWA to other methods

03-08-2022 11:19 AM
RezaTehranifar2
New Contributor III

We have Enterprise 10.9 (Server, Portal, Data Store) on a single machine with IWA authentication. Although the SSO authentication works great, I have come across some bugs with general enterprise usage that are specific to IWA (according to ESRI tech support).

How big of an effort is it to change our authentication method? We still want the same SSO experience using our org's AD.
Would changing impact the users who created existing content on our portal? e.g. would John Doe, created with IWA, lose access to their content if we were to change?


Accepted Solutions
ReeseFacendini
Esri Regular Contributor

SAML is the only other SSO option. The 3 authentication options are built-in accounts, IWA, or SAML. Connecting Enterprise to work with SAML logins is simpler, and can be done through the main Portal UI instead of the Portal Admin API.

There is no way to map a login to an existing user account; you would need to create all new accounts for your users. I have seen other customers use a Python script (and some do it manually) that goes through this process: create a new user, transfer the content from the old user account to the new one, then delete that old user, repeating for each user within the Enterprise organization.


11 Replies
ReeseFacendini
Esri Regular Contributor

What authentication method are you looking to switch to, instead of IWA?

RezaTehranifar2
New Contributor III

I don't have a particular one I am targeting, but it seems like SAML best fits my criteria, though I'm not positive. Azure AD seems promising but does require our IT to set it up and maintain it.

My criteria:

1. Maintain SSO
2. Be able to add users through AD
3. Not lose the connection between existing users and their content. But I guess a Python script can help remap.
4. Not have the same bugs/issues as IWA. I find when I call ESRI support, they generally identify IWA as the cause of the issue. e.g. I am working on IWA-related issues with Survey123 and rendering Enterprise-hosted data in Python notebooks.

Overall IWA works fine for auth. I would just like to see if there are other auth options that provide the same benefits without the issues. I am not finding any pros/cons articles.


DeanMoiler
Occasional Contributor

This IWA to SAML migration is something we've seen quite a bit of, and there is a way to map an existing IWA-created user to enable a SAML login without recreating users, via:

Update Enterprise User—ArcGIS REST APIs | ArcGIS Developers

This operation allows an administrator to update the idpUsername for an enterprise user in the portal. This is used when migrating from accounts used with web-tier authentication to SAML authentication.


Users are then able to log in to existing accounts with a SAML IdP login.

This is best run against all users in batch via a script if you have a large number of users.

For the most part we've opted to recreate users with new usernames, as the existing usernames created via AD attributes were not appropriate for use outside of Enterprise, since we standardise logins between AGOL & Enterprise.

RezaTehranifar2
New Contributor III

Thanks again for your input. We may really only have a dozen users with content. Most are just viewers. So it seems like going through the API interface might be easier, as long as we back up.
DavidHoy
Esri Contributor

Hi Dean,
I presume this keeps the internal user identifier, so content ownership and group membership would remain unaffected.
But does the username shown in the Profile and Item ownership, say, remain unchanged (i.e. is the IdP username effectively an alias, only used when authenticating)?
DavidHoy
Esri Contributor

OK, I just did some testing in my sandbox.
The username does not change, just the property called IDPUsername.

Content is still owned by the original username.

I confirmed by looking in the portal/sharing/rest/community/users/<username> directory, where these properties are listed.
DeanMoiler
Occasional Contributor

Hi David,

Yes, that's correct. Only the IDPUsername attribute is updated, which allows SAML login if web-tier authentication is disabled. The original username remains unchanged.
RezaTehranifar2
New Contributor III

Thanks for your help. This is great.
I imagine the Python script is using the Python API and taking the ID of the old user and swapping it for the new one? Between all the content and groups, doing it manually would be cumbersome.
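The batch approach Dean recommends, and the script Reza asks about, as an added example that is not code from the thread or from Esri: it reads a username-to-idpUsername CSV, skips accounts with no IdP username, and posts one Update Enterprise User call per account, recording per-user status so a partial failure can be re-run without touching users already migrated. The endpoint path and the `username`/`idpUsername` parameters follow the REST operation linked above; the portal URL, the token and the CSV contents are placeholders or constructed sample data, and the `{"success": true}` response shape is assumed.

```python
import csv
import io
from typing import Callable, Dict, List

# Constructed sample mapping: existing portal username (created by IWA) -> SAML IdP username.
# A blank idpUsername marks an account to leave alone (e.g. a service account reviewed by hand).
SAMPLE_CSV = """username,idpUsername
john.doe@CORP,john.doe@example.org
jane.roe@CORP,jane.roe@example.org
svc.account@CORP,
"""


def load_mapping(text: str) -> Dict[str, str]:
    """Parse the CSV and skip rows with no idpUsername so nothing is updated by accident."""
    mapping: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(text)):
        user, idp = row["username"].strip(), row["idpUsername"].strip()
        if user and idp:
            mapping[user] = idp
    return mapping


def build_requests(portal_url: str, mapping: Dict[str, str], token: str) -> List[dict]:
    """One POST per user to the Update Enterprise User operation (path per the linked docs)."""
    url = f"{portal_url.rstrip('/')}/sharing/rest/portals/self/updateEnterpriseUser"
    return [{"url": url, "data": {"username": user, "idpUsername": idp, "f": "json", "token": token}}
            for user, idp in mapping.items()]


def migrate(portal_url: str, mapping: Dict[str, str], token: str,
            post: Callable[[str, dict], dict]) -> Dict[str, str]:
    """Send each request through `post` (e.g. lambda u, d: requests.post(u, data=d).json())
    and record a per-user status, so a failed batch can be re-run for the failures only.
    Assumes the portal answers {"success": true} or {"error": {...}} like other portal operations."""
    results: Dict[str, str] = {}
    for req in build_requests(portal_url, mapping, token):
        resp = post(req["url"], req["data"])
        user = req["data"]["username"]
        results[user] = "updated" if resp.get("success") else f"error: {resp.get('error', resp)}"
    return results


if __name__ == "__main__":
    # Dry run: print what would be sent instead of calling a real portal (token is a placeholder).
    def dry_run_post(url: str, data: dict) -> dict:
        print(f"POST {url} username={data['username']} idpUsername={data['idpUsername']}")
        return {"success": True}

    print(migrate("https://portal.example.org/portal", load_mapping(SAMPLE_CSV), "<TOKEN>", dry_run_post))
```

Take a portal backup before running it for real, and keep the CSV as the record of which accounts were remapped.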