
ArcGIS Enterprise create idp user before first login

Posted 3 weeks ago by slu_se (New Contributor)

Hello everyone

I have installed ArcGIS Enterprise 11.3 and set up an OpenID Connect connection. If a user does not yet have an account, a viewer account is automatically created when the login button is clicked.
So that we do not have to wait for the user to log in for the first time to assign the authorizations (user type, role or group membership), we would like to have the account generated automatically in advance.
There is a script on the portal server (C:\Program Files\ArcGIS\Portal\tools\accountmanagement\CreateUsers.bat) that can be used to import accounts automatically.
In order to have the necessary file in the correct structure, I first logged into ArcGIS Portal with the account and then generated a text file with “ListUsers.bat”. This file contains all information including the idp user name (e.g. “_S8NGdnmTzuT4Ln...”).

If I now import the account with the script (of course it was deleted beforehand), this works.

CreateUsers.bat --file Username.txt --idp orgSpecific --username <username> --password <password>

SUMMARY: 1 of 1 user(s) successfully created.

If I now log in again with OIDC, the previously created account is not used, but a new one is created. A number is added to the newly created account as a suffix to the user name.
When exporting with ListUsers.bat, the two lines are completely identical with the exception of the suffix in the user name.

However, if I enter the OIDC client ID when importing users, the import already fails.

CreateUsers.bat --file Username.txt --idp oidc_cef519... --username <username> --password <password>

SUMMARY: 0 of 1 user(s) successfully created.
* FAILED: User ‘user.name@domain.tld’ could not be created. Unable to signup user...

Does anyone have any tips on what needs to be considered to be able to generate an OIDC account on ArcGIS Enterprise in advance?

Thanks, Erich

1 Reply

JeffSmith (Esri Contributor)

Hi @slu_se

The ability to add OIDC users on ArcGIS Enterprise 11.3 in advance is possible using the workflow you are following, but it is difficult to get the user login information to match correctly. Using the command-line utility, the format of the text file is as follows (from the help doc).

<login>|<email address>|<name>|<role>|<user type id>|<description>|<IdP UserName>|<first name>|<last name>

The <login> is the ArcGIS username and just needs to be unique on your Enterprise system. It can be anything. The <IdP UserName> is what needs to match up with the OIDC user identifier. This is the difficult part. By default Enterprise uses the "sub" attribute in the <IdP UserName> field. The problem for some OIDC providers (e.g. Entra ID) is that this value cannot be pre-determined before a user logs in. That makes it impossible to pre-create these users in Enterprise.

To solve this, in Enterprise 11.3, the ability to configure the OIDC provider with an alternate IdP username claim field was added. For 11.3, this can only be updated through the API though. The ability to define this in the main Portal Home app was added in 11.4. If you are using Entra ID, an example of a claim attribute that can be used instead of "sub" would be "oid". This matches the object id of the user and can be retrieved for each user from the Entra ID site.

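A small helper for checking a CreateUsers.bat input file before importing it, added here as an example; it is not part of this thread or of Esri's tooling. It assumes the nine-field pipe format quoted in the reply, that Portal has been configured to read an alternate claim (such as oid) into the IdP UserName field, and uses constructed sample values (the role and user type ids are sample values to check against the help doc). The point it checks is the one this thread is about: a line whose IdP UserName is empty or duplicated will not match the OIDC login, so Portal creates a second, suffixed account that carries none of the pre-assigned permissions.

```python
from dataclasses import dataclass

FIELD_COUNT = 9  # field order from the ArcGIS Enterprise help, as quoted in the reply above

@dataclass
class Account:
    login: str          # ArcGIS username, only needs to be unique in the org
    email: str
    name: str
    role: str
    user_type: str
    description: str
    idp_username: str   # must equal the claim value Portal reads (e.g. "oid" instead of "sub")
    first_name: str
    last_name: str

def parse_line(line: str) -> Account:
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(parts)}")
    return Account(*parts)

def check_file(lines) -> list:
    """List what would fail the import or leave an OIDC login unmatched (Portal then creates a suffixed account)."""
    problems, logins, idp_ids = [], set(), set()
    for n, line in enumerate(lines, 1):
        try:
            a = parse_line(line)
        except ValueError as e:
            problems.append(f"line {n}: {e}")
            continue
        if not a.idp_username:
            problems.append(f"line {n}: empty IdP UserName, OIDC login for {a.login!r} will not match it")
        elif a.idp_username in idp_ids:
            problems.append(f"line {n}: IdP UserName {a.idp_username!r} already used")
        if a.login in logins:
            problems.append(f"line {n}: duplicate login {a.login!r}")
        logins.add(a.login); idp_ids.add(a.idp_username)
    return problems

# Constructed sample: a well-formed line (made-up Entra object id, sample role/user type ids),
# a line with an empty IdP UserName, and a line with a missing field.
SAMPLE = [
    "erich.m|erich@example.org|Erich M|org_user|viewerUT||3f2a1c9e-0000-4000-8000-000000000001|Erich|M",
    "anna.k|anna@example.org|Anna K|org_user|viewerUT||||",
    "bad.line|bad@example.org|Bad Line|org_user|viewerUT||x|y",
]
```

Run `check_file(open("Username.txt").read().splitlines())` against the real file; an empty list means every line has the nine fields, a unique login and a unique, non-empty IdP UserName.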