ArcGIS Enterprise SAML: Can the group claim be edited ?

07-30-2020 01:04 AM
NicolasGIS
Occasional Contributor III

Hello,

Our SAML identity provider provides group membership in a claim with a different name than the one listed in the documentation:

Create groups—Portal for ArcGIS | Documentation for ArcGIS Enterprise 

The supported (case-insensitive) names for the attribute defining a user's group membership are Group, Groups, Roles, MemberOf, member-of, http://schemas.xmlsoap.org/claims/Group, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, urn:oid:1.3.6.1.4.1.5923.1.5.1.1, and urn:oid:2.16.840.1.113719.1.1.4.1.25.

Can it be edited somewhere? The IT service is telling me that I should be able to edit it, but I can't find anything in the documentation.

Thanks!

NicolasGIS
Occasional Contributor III

Any feedback on this question? Possible, not possible, in the pipeline, good candidate for an idea, no go?

Thanks!

by Anonymous User
Not applicable

Hi @NicolasGIS,

Thanks for reaching out. While the internal attributes (the ones provided by your Active Directory) cannot be edited, Portal for ArcGIS expects to receive group membership claims in the formats you listed below. However, any attribute from your AD that contains group information can be mapped to one of the "group" claims the Portal expects. Here's an illustration from our SAML (ADFS) configuration document that illustrates this well:

(screenshot: 2020-11-18_13-52-48.png, the ADFS claim-mapping table)

You'll see that entries in the left-hand column (from your Active Directory) are associated with outgoing claims that are sent to Portal for ArcGIS, on the right. In the example, "Token-Groups - Unqualified Names" is mapped to the "Group" value. However, you could easily replace "Token-Groups - Unqualified Names" with any group attribute that exists in your Active Directory.

These settings are fairly standard in any SAML-compliant Identity Provider, but I wouldn't be sure of whether yours is compatible without knowing which vendor you use. 
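
To see what an assertion actually carries before relying on group-based access in Portal, here is an added example (not from this thread, Esri or Keycloak) that lists the attributes in a SAML assertion and flags group-like attributes whose name Portal would ignore. The attribute name `ad_groups`, the issuer URL and the sample assertion are constructed.

```python
import xml.etree.ElementTree as ET

# Attribute names Portal for ArcGIS accepts for group membership, taken from the
# documentation quoted in the question; Portal matches them case-insensitively.
PORTAL_GROUP_ATTRIBUTE_NAMES = {
    "group", "groups", "roles", "memberof", "member-of",
    "http://schemas.xmlsoap.org/claims/group",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",
    "urn:oid:2.16.840.1.113719.1.1.4.1.25",
}

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def portal_groups(assertion_xml):
    """Split attributes into the groups Portal would read and group-like
    attributes whose name Portal ignores (these need a mapping at the IdP)."""
    recognized, unmapped = [], {}
    for name, values in saml_attributes(assertion_xml).items():
        if name.lower() in PORTAL_GROUP_ATTRIBUTE_NAMES:
            recognized.extend(values)
        elif "group" in name.lower() or "role" in name.lower():
            unmapped[name] = values
    return recognized, unmapped

# Constructed sample: the IdP sends groups under "ad_groups" (a made-up name).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2020-07-30T01:04:00Z">
  <saml:Issuer>https://idp.example.com/realms/corp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>nicolas@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ad_groups">
      <saml:AttributeValue>GIS-Editors</saml:AttributeValue>
      <saml:AttributeValue>GIS-Viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(portal_groups(SAMPLE_ASSERTION))
```

Renaming the attribute at the IdP to one of the recognized names (for instance `MemberOf`) is what makes the same values show up as groups.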

NicolasGIS
Occasional Contributor III

Hello @Anonymous User,

Thanks for your reply. The SAML provider is Keycloak.

The thing is that in my company there are tens of thousands of SAML-secured applications, so SAML registration is an automatic process developed internally, and you cannot edit the claims in this process.

From what I understood, it is more for the service provider to adapt rather than the IDP.

Thanks!
