Community

Azure Active Directory integration with ArcGIS Online

4220
4
Jump to solution
08-17-2020 01:43 PM
AhmadSALEH1
by
Occasional Contributor III
‎08-17-2020 01:43 PM

Hi All,

I am trying to set the identity provider in ArcGIS Online to use Azure Active Directory to configure ArcGIS Online Single Sign-On. 

I found this tutorial that walks-through the process: 

Tutorial: Azure Active Directory integration with ArcGIS Online | Microsoft Docs 

while the documentation perfectly outlines the steps, it is still unclear to me How ArcGIS Roles "Groups" and User levels works.

 Is ArcGIS users groups will be managed by the AD groups “the groups need to exist in the Active Directory” in order to use them and place users in that group.  Or we still can utilize the native and custom groups in ArcGIS online?

The reason I am asking, is because  I have a lot of  custom groups  that I keep in ArcGIS Online environment but I don't want them to be created in AD :

Admin, Editor, Viewer, Editor Limited, Site A Data Download Only, Site A Data Viewer Only.

1 Solution

Accepted Solutions
ChristopherPawlyszyn
by Esri Contributor
Esri Contributor
‎08-17-2020 03:07 PM

Hello Ahmad SALEH‌,

When configuring a SAML identity store in your ArcGIS Online organization, you have the option to control group membership based on the groups that are listed in users' SAML assertions when authenticating with the identity provider, but that does not mean that you cannot use built-in groups as well. The plus side of managing the group membership in Azure AD is you only have to update one location to modify access to both AD-based resources as well as ArcGIS Online resources within that group. If you choose to implement enterprise groups using your identity provider, you'll need to make sure the group assertion claim is reaching ArcGIS Online from the identity provider since that is how users join the groups automatically.

Create groups—Portal for ArcGIS | Documentation for ArcGIS Enterprise 

Let me know if you have any additional questions!


-- Chris Pawlyszyn

View solution in original post

4 Replies
ChristopherPawlyszyn
by Esri Contributor
Esri Contributor
‎08-17-2020 03:07 PM

Hello Ahmad SALEH‌,

When configuring a SAML identity store in your ArcGIS Online organization, you have the option to control group membership based on the groups that are listed in users' SAML assertions when authenticating with the identity provider, but that does not mean that you cannot use built-in groups as well. The plus side of managing the group membership in Azure AD is you only have to update one location to modify access to both AD-based resources as well as ArcGIS Online resources within that group. If you choose to implement enterprise groups using your identity provider, you'll need to make sure the group assertion claim is reaching ArcGIS Online from the identity provider since that is how users join the groups automatically.

Create groups—Portal for ArcGIS | Documentation for ArcGIS Enterprise 

Let me know if you have any additional questions!


-- Chris Pawlyszyn
AhmadSALEH1
by
Occasional Contributor III
‎08-18-2020 06:32 AM

Awesome, Thanks Chris.

so to summarize, for the user groups, I can   use either AD groups or ArcGIS Online built in groups.

Does that apply to users Roles and user types too? 

also, one more question, what happens to the current/existing users  I assume that they will still be able to use the ArcGIS Online Login, right ? is there a way to switch them all to SAML login or this needs to be done manually for every user. 

Thanks a lot,

Ahmad

ChristopherPawlyszyn
by Esri Contributor
Esri Contributor
‎08-18-2020 06:56 AM

User types and roles exist outside of the user's identity store, so the new user defaults would apply upon the first sign-in of an enterprise account when automatically added.

There is an option when configuring the enterprise logins to allow both authentication methods (SAML and ArcGIS) or allow only enterprise logins. Typically when a customer is wanting to implement enterprise logins in an established organization the recommendation is to allow some users to login with their new enterprise account, set the user type, role, and group membership for that new user to match their existing built-in account, then transfer all owned items from the built-in account to the new enterprise login account. If you find yourself short on additional user licenses, you can do this in batches until everyone is migrated to the new enterprise logins. Once all users are migrated to the enterprise logins, you could disable the built-in authentication option if you desired to.


-- Chris Pawlyszyn
Mannus_Etten
by
New Contributor III
‎02-23-2022 04:21 AM

interesting question.

 

I configured it as well and it is not working: AADSTS500113  No reply address is registered for the application.

I used the enterprise application tempate ArcGIS Online...

CEO the Right Direction BV/Portal Genius