We have an ArcGIS Enterprise 11.0 Windows installation, where the authentication is integrated with Windows Active Directory, either at the user level or at the group level, as shown below:
User Store/Group Store:
If in Windows Active Directory (AD) we add a user that already exists in Portal for ArcGIS to an AD group that is also mapped in Portal for ArcGIS, and the user authenticates to the Portal having logged in to the Portal less than an hour ago, the refresh membership is not executed, and the Portal logs in debug mode show: "Refresh user membership: No refresh. Interval time has not elapsed."
But if the user last logged in to the Portal more than an hour ago, the refresh membership is performed when the user authenticates to the Portal, and the Portal logs in debug mode show: "Refresh user membership: In progress for user '.............'. Thread id: 5900287 ".
According to the documentation, whenever a user logs in, the refresh membership should be performed automatically, even if they last logged in less than an hour ago. Does anyone know why this isn't happening?
Thanks,
Antonio Sergio
Portal for ArcGIS can keep a list of logins and accounts removed and "caches" them for 60 minutes.
Within the Portal Common Problems document it mentions that "the identity store refreshes when the new member signs in to the portal or the next time your portal identity store automatically refreshes, whichever occurs first". If the user logs out and logs back in, does the membership refresh?
I hope this helps.
The membership refresh at login occurs only if it has been an hour since the last login with refresh membership. I made several tests (login and logout) during the day with the AD Administrator and that is the behavior.
Thanks,
Antonio Sergio
Great thread. We are seeing some strange group membership issues. Did this get resolved? Users who have long been a part of a SAML/AD group lost access to that content but are still members of the AD group, just not the Portal group. It's like here today (group membership), gone tomorrow, and for one user I had to delete their account and start over.
Hello,
I had a situation where users appeared in and disappeared from a portal group when there were two definitions at the same time:
1. login using SAML
2. groups using AD groups (portaladmin/security/config).
The SAML and AD are synchronized, but the two definitions didn't work.
After deleting the definition of AD groups - the problem was fixed.
Ofra