Select to view content in your preferred language

Converting authentication from unique ArcGIS online users to Enterprise Azure AD users

969
4
05-26-2021 12:00 PM
ChipSmith09
New Contributor

Currently we're using ArcGIS online and using our domain email addresses with unique passwords to login. We're attempting to convert to Azure AD authentication. I'd like to match the Enterprise usernames to the usernames we're currently using, however I'm not sure what/where I need to do this.

I've gotten the SAML link to work in the Azure AD Enterprise Apps, however when logging into ArcGIS enterprise with my AD creds, I get an error:

"Unable to sign in, logins are by invitation only. Please contact the administrator of this web site to access this site. IdpUsername: 'user@mydomain.com' Username: 'user@mydomain.com_MyCompanyShortname'"

user@mydomain.com is an existing user account in ArcGIS online. I assume I need to update the User attributes & claims in my Azure AD Enterprise App to pass along this info? I'm not sure what I need to do and the help documentation isn't entirely clear. 

Help documentation in question: https://enterprise.arcgis.com/en/portal/latest/administer/windows/configuring-a-saml-compliant-ident...

Any help would be greatly appreciated!

4 Replies
JCGuarneri
Frequent Contributor

Did you ever come up with a solution? We're going through this process now and running into pretty much the same issue. Our existing Enterprise users are all in the format doej@domain (or domain\\doej), but Azure sends the username as john.doe@domain.com If we allow users to create an account without invitation, they are able to login, but it creates a brand new username. If push comes to shove, we can just get rid of all the old users and add new ones, but it would be nice if we can avoid that.

0 Kudos
KevinCutsforth
New Contributor

I am currently going through the exact same issue as the original post, and I agree there is virtually no supporting documentation for how to resolve this issue. @ChipSmith09 were you able to get this working? I'd love to know how to get it resolved.

Scott_Tansley
MVP Regular Contributor

You can't link them.  You need to recreate each user, as a SAML2 user, transfer any permissions/content and then deprecate the old user.  I believe there are example scripts online and also potentially third party admin tools that can help with the migration.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
JCGuarneri
Frequent Contributor

I agree with @Scott_Tansley . We ended up doing it in batches, so I wrote a script that took the old username, email address, first name, and last name as a csv input. It created each new user with the email address, then transferred items, groups, permissions, etc. to the new user, and finally deleted the old user. It wasn't too hard to set up, and a good opportunity to get to know the admin module of the Python API.