Enterprise account used for administration deleted after Sign In Options set to IDP Only

306
5
Jump to solution
03-25-2019 02:25 PM
ToddGrover
New Contributor

After configuring Enterprise logins via SAML, if the IDP Only option is selected for the Sign In Options, per "http://enterprise.arcgis.com/en/portal/10.6/administer/windows/configure-security.htm#ESRI_SECTION1_...", and the Enterprise account used for administration was deleted, how would I be able to set the Sign In Option back to allow the local (non-enterprise) account to log in?

Is there an alternative way of setting the Sign In Options other than just on the Portal Security settings page?

Thanks

0 Kudos
1 Solution

Accepted Solutions
DanielUrbach
Occasional Contributor II

Todd,

There is a way to toggle that setting through the /sharing/rest endpoint of your portal:

1.  Navigate to your Portal's sharing endpoint:  https://yourserver.yourdomain.com/yourwebadaptor/sharing/rest and log in with the built-in administrator account ("Login" link at top right)

2. Click on the Home link (top left) and then navigate to Portals > Self, then at the bottom of this page click Update under Supported Operations

3. You should see an option called "Can SignIn Using ArcGIS", set that to True, then at the bottom of the page click "Update Organization"

Edit:  If you have disabled browsing to the /sharing/rest endpoint of your Portal you will need to reenable it to get through the above steps.  This can be done by signing in to the /portaladmin endpoint and navigating to Security > Config > Update and set "disableServicesDirectory" to true. 

This will add back the "ArcGIS" button on the login screen for the Portal Home endpoint.

I hope this helps!

-Danny

View solution in original post

0 Kudos
5 Replies
DanielUrbach
Occasional Contributor II

Todd,

A new administrator account can be created using a command line tool provided in the Portal installation path.

Please see the following documentation on how to do this:

http://enterprise.arcgis.com/en/portal/10.6/administer/windows/recovering-the-portal-when-no-adminis...

You can then sign in with this account and change any settings if you need to.  I always recommend keeping this built-in account around in case you run into issues with signing in with SAML-based accounts.

-Danny

0 Kudos
ToddGrover
New Contributor

Thank you Danny.  I do have a local (built-in) administrator account, like you I will keep, but how could I log in using it when the only way to log in to the Portal site is with an Enterprise account.  The question is, is there another way, without logging into the Portal site, to change the Sign In Options to re-enable logging in with the local (built-in) administrator account?  Perhaps from the Portal Administration Directory?  I just don't see it anywhere.

0 Kudos
DanielUrbach
Occasional Contributor II

Todd,

There is a way to toggle that setting through the /sharing/rest endpoint of your portal:

1.  Navigate to your Portal's sharing endpoint:  https://yourserver.yourdomain.com/yourwebadaptor/sharing/rest and log in with the built-in administrator account ("Login" link at top right)

2. Click on the Home link (top left) and then navigate to Portals > Self, then at the bottom of this page click Update under Supported Operations

3. You should see an option called "Can SignIn Using ArcGIS", set that to True, then at the bottom of the page click "Update Organization"

Edit:  If you have disabled browsing to the /sharing/rest endpoint of your Portal you will need to reenable it to get through the above steps.  This can be done by signing in to the /portaladmin endpoint and navigating to Security > Config > Update and set "disableServicesDirectory" to true. 

This will add back the "ArcGIS" button on the login screen for the Portal Home endpoint.

I hope this helps!

-Danny

0 Kudos
ToddGrover
New Contributor

Thank you Danny.  One hint to your instructions...  If you've followed the recommended security and disabled directory services, before you can log into the "ArcGIS Portal Directory" you'll need to log into the "Portal Administrator Directory" and set false the value for "disableServicesDirectory".

Thank you very much!

-Todd

0 Kudos
DanielUrbach
Occasional Contributor II

Todd, thank you for pointing that out.  I have edited my answer to help others who run into this.

-Danny

0 Kudos