Azure Active Directory users email change how affect

12-02-2020 11:08 AM
DiegoLlamasOlivares
Occasional Contributor

Hello,

 

We have ArcGIS Enterprise 10.7.1 on premises and we configured Single Sign-On (SAML) using Azure Active Directory. Now the AD user and email will change from dllamas@gmtgis.com to dllamas@gmtcce.com, and I need to know how this coming change will affect my implementation.

1. When the SAML trust was created in Azure, an Enterprise application was created in Azure, and we added user access privileges to this app. My question is: after these AD changes are made, do I need to delete and recreate this app, or does this app register the changes automatically?


2. If I do not recreate the app and the changes go through smoothly, do I need to recreate the trust between Azure AD and Portal?

3. If I do need to recreate this trust (or imagine that I do need to create this trust), what would happen to my users in Portal? Would I have two of them, e.g. dllamas@gmtgis.com and, after the new login, Enterprise adds dllamas@gmtcce.com? And if this happens, what would happen with the ownership of the items? Would I need to change the ownership of the items, or can I create a mapping for these items?

I hope I explained myself correctly.

Thanks for all your help,

Diego Llamas

 

3 Replies
NiekGoorman1
Occasional Contributor

If the only thing changing is your users' email addresses, then my gut feeling is that you would not need to change anything in the Azure enterprise app. You may need to do something to make sure your users can still access your Portal. With SAML logins, Azure AD passes the UserPrincipalName on to Portal, so you will need to find out whether this is actually changing for your users. It is possible that your IT department will simply set up an email alias dllamas@gmtcce.com while the actual underlying email address (and UserPrincipalName) in Azure AD still remains dllamas@gmtgis.com. Basically, talk to your IT to get more information on this change.

If the actual email address is changing, then I would expect that IT will make sure that the same users will still be in your Azure AD enterprise application. In that case what you would need to do is change your Portal users to use the new email addresses - this may require some scripting if you have many of them.

ChristopherPawlyszyn
Esri Contributor

I would tack onto what @NiekGoorman1 suggested with the following Admin API operation that would allow you to update the IDP username (value used to match the incoming SAML assertion Name ID attribute to the user within Portal). If the Name ID attribute is going to change, this would be a workaround that would prevent you from duplicating accounts and migrating content to the new account, but the username within Portal would not be updated.

Overall I think it would depend on the number of users to determine which direction you'll take when the cutover happens.

Update Enterprise User—ArcGIS REST API | ArcGIS for Developers
https://developers.arcgis.com/rest/enterprise-administration/portal/update-enterprise-user.htm


-- Chris Pawlyszyn
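To show what the scripted route looks like for many users, here is an added example (not code from the thread or from Esri) that plans the Update Enterprise User calls for a domain change: it maps each SAML user's idpUsername from the old domain to the new one, flags cases where the new value is already held by another Portal account (which would otherwise produce the duplicate-account situation Diego asks about), and builds the POST for each planned update. The Portal user list, portal URL and token are constructed placeholders; the endpoint path and parameter names are the ones documented for the linked operation and should be checked against that page for your version.

```python
"""Plan and apply Portal Admin 'Update Enterprise User' calls after a UPN domain change."""
import re
from typing import Callable, Dict, List

# Constructed sample of Portal users (only the two fields this script needs);
# these are not real accounts.
SAMPLE_PORTAL_USERS = [
    {"username": "dllamas@gmtgis.com", "idpUsername": "dllamas@gmtgis.com"},
    {"username": "jdoe@gmtgis.com",    "idpUsername": "jdoe@gmtgis.com"},
    {"username": "jdoe_new",           "idpUsername": "jdoe@gmtcce.com"},  # already on new domain
    {"username": "admin",              "idpUsername": ""},                 # built-in, no IdP
]


def plan_idp_updates(users: List[Dict[str, str]], old_domain: str, new_domain: str) -> Dict[str, list]:
    """Map each SAML user on old_domain to the same local part on new_domain.

    Built-in accounts (no idpUsername) and users already on new_domain are skipped.
    If the target idpUsername already belongs to a different Portal user, the row is
    reported as a conflict rather than planned: applying it would leave two Portal
    accounts matching one SAML Name ID.
    """
    taken = {u["idpUsername"].lower(): u["username"] for u in users if u.get("idpUsername")}
    updates, conflicts = [], []
    for u in users:
        idp = u.get("idpUsername", "")
        m = re.fullmatch(r"(?i)([^@]+)@" + re.escape(old_domain), idp)
        if not m:
            continue
        new_idp = f"{m.group(1)}@{new_domain}"
        owner = taken.get(new_idp.lower())
        if owner and owner != u["username"]:
            conflicts.append((u["username"], new_idp, owner))
        else:
            updates.append((u["username"], idp, new_idp))
    return {"updates": updates, "conflicts": conflicts}


def build_update_request(portal_admin_url: str, username: str, new_idp: str, token: str):
    """Return (url, form data) for the updateEnterpriseUser operation."""
    url = f"{portal_admin_url.rstrip('/')}/security/users/updateEnterpriseUser"
    return url, {"username": username, "idpUsername": new_idp, "token": token, "f": "json"}


def apply_updates(plan, portal_admin_url: str, token: str, post: Callable[[str, dict], dict]):
    """POST each planned update via `post` (e.g. a requests.post wrapper returning
    the JSON body) and return the usernames whose response did not report success."""
    failed = []
    for username, _old, new_idp in plan["updates"]:
        url, data = build_update_request(portal_admin_url, username, new_idp, token)
        if post(url, data).get("status") != "success":
            failed.append(username)
    return failed
```

Run `plan_idp_updates` first and resolve every conflict it reports before calling `apply_updates`; the Portal usernames themselves are not changed by this operation, as Chris notes above.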
HeathAnderson
Occasional Contributor II

Hi Chris,

I am not sure if the userPrincipalName will change or not, but what if we change the required claim name in Azure from user.userprincipalname to user.objectid? Do you know, or can you speculate on, what would happen to our SSO connection? If we were able to make this change, the user.objectid stays the same regardless of userPrincipalName, or so I was told. Can the ArcGIS Enterprise application from Azure handle that change? Any insight is greatly appreciated.

Cheers,

Heath
