Hi, we're configuring a SAML-compliant identity provider with our Portal 10.4 instance, and plan on disabling sign in with ArcGIS Accounts so as not to confuse our users. The only reason we're doing this is to hide the extra sign in button (using your ArcGIS Account) so the user is just provided with one sign in button. Does anyone know of a way to remove that button, but create a back door way for an internal administrator account or folks that don't have an identity provider login to log in to the Portal the traditional way (internal account)? The only instructions I've found are for disabling signing in with ArcGIS accounts entirely.
I'm curious... what is your business need for the "backdoor" account? Sounds like you would like 2 identity providers... the SAML one for your corporate users and the 'built in' for non-corporate users. For that model, I think you are going to need to retain the sign in button.
We have a similar setup and have 2 major challenges with trying to run SAML only:
Our corporate SAML service requires a client certificate on a smart card for authentication, but also supports single sign on using Microsoft Integrated Windows Authentication (MS Negotiate - Kerberos).
For #1 - we have developed Python requests authentication handlers that technically work with our SAML service and Kerberos... you may find this useful - GitHub - DOI-BLM/requests-arcgis-auth: Authentication handler for using Esri ArcGIS for Server and P... ... we use this to authenticate to the portal/AGOL site using a "headless Windows AD service account"... the tool (or Windows service) runs as that account and does a single sign on to the SAML service.
For #2 - we are working through providing that capability by using a 3rd party service to provide "2 factor authentication". This is the biggest reason we still have it enabled; that process is not fully fleshed out.
Most of our users (99%) will log in with their SAML / Enterprise account, and we don't want to confuse users by providing two login options (ArcGIS account AND Enterprise account). However, there are a couple of power users, administrators and folks without Enterprise accounts that will need to log in using the built-in ArcGIS account. It would be great if there was a different sign in page they could go to in order to use that account, one that is different than the primary login page, and one that shows BOTH login options.
Did you ever find a solution for #2? The issue we are having is that the Collector App does not support Single Sign On with Smart Card. Have you had any success? We do not have the option for Sign In via Username/Password and are using IWA with AD.