Converting authentication from unique ArcGIS online users to Enterprise Azure AD users

05-26-2021 12:00 PM
ChipSmith09
New Contributor

Currently we're using ArcGIS online and using our domain email addresses with unique passwords to login. We're attempting to convert to Azure AD authentication. I'd like to match the Enterprise usernames to the usernames we're currently using, however I'm not sure what/where I need to do this.

I've gotten the SAML link to work in the Azure AD Enterprise Apps, however when logging into ArcGIS enterprise with my AD creds, I get an error:

"Unable to sign in, logins are by invitation only. Please contact the administrator of this web site to access this site. IdpUsername: 'user@mydomain.com' Username: 'user@mydomain.com_MyCompanyShortname'"

user@mydomain.com is an existing user account in ArcGIS online. I assume I need to update the User attributes & claims in my Azure AD Enterprise App to pass along this info? I'm not sure what I need to do and the help documentation isn't entirely clear. 

Help documentation in question: https://enterprise.arcgis.com/en/portal/latest/administer/windows/configuring-a-saml-compliant-ident...

Any help would be greatly appreciated!

4 Replies
JCGuarneri
Occasional Contributor II

Did you ever come up with a solution? We're going through this process now and running into pretty much the same issue. Our existing Enterprise users are all in the format doej@domain (or domain\doej), but Azure sends the username as john.doe@domain.com. If we allow users to create an account without invitation, they are able to login, but it creates a brand new username. If push comes to shove, we can just get rid of all the old users and add new ones, but it would be nice if we can avoid that.

KevinCutsforth
New Contributor

I am currently going through the exact same issue as the original post, and I agree there is virtually no supporting documentation for how to resolve this issue. @ChipSmith09 were you able to get this working? I'd love to know how to get it resolved.

Scott_Tansley
MVP Regular Contributor

You can't link them. You need to recreate each user, as a SAML2 user, transfer any permissions/content and then deprecate the old user. I believe there are example scripts online and also potentially third party admin tools that can help with the migration.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
JCGuarneri
Occasional Contributor II

I agree with @Scott_Tansley . We ended up doing it in batches, so I wrote a script that took the old username, email address, first name, and last name as a csv input. It created each new user with the email address, then transferred items, groups, permissions, etc. to the new user, and finally deleted the old user. It wasn't too hard to set up, and a good opportunity to get to know the admin module of the Python API.
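The batch procedure described in this reply, as an added example that is not the poster's own script: read a CSV of old username, email, first and last name, create the SAML user, move the old user's content and groups to it, then delete the old account. It assumes the ArcGIS API for Python (`arcgis` package) with an admin `GIS` connection passed in as `gis`, that the portal builds SAML usernames as `<idp username>_<org shortname>` (the pattern in the original post's error message), and a constructed sample CSV.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample input in the layout the reply describes (not real users).
SAMPLE_CSV = """old_username,email,first_name,last_name
doej,john.doe@domain.com,John,Doe
smitha,alice.smith@domain.com,Alice,Smith
"""


@dataclass(frozen=True)
class MigrationRow:
    old_username: str
    email: str
    first_name: str
    last_name: str


def read_rows(csv_text):
    """Parse the migration CSV, rejecting blank fields, bad emails and duplicate old usernames."""
    rows, seen = [], set()
    for rec in csv.DictReader(io.StringIO(csv_text)):
        row = MigrationRow(*((rec.get(k) or "").strip() for k in
                             ("old_username", "email", "first_name", "last_name")))
        if not all(vars(row).values()) or "@" not in row.email:
            raise ValueError(f"bad row: {rec}")
        if row.old_username in seen:
            raise ValueError(f"duplicate old username: {row.old_username}")
        seen.add(row.old_username)
        rows.append(row)
    return rows


def saml_username(idp_username, org_shortname):
    """Username the portal assigns to a SAML login: '<idp username>_<org shortname>' (assumed)."""
    return f"{idp_username}_{org_shortname}"


def migrate_user(gis, row, org_shortname):
    """Create the SAML user if missing, reassign the old user's items and groups to it, delete the old user.
    `gis` is an arcgis.gis.GIS connection with admin rights (assumed)."""
    new_name = saml_username(row.email, org_shortname)
    if gis.users.get(new_name) is None:
        gis.users.create(username=new_name, password=None, firstname=row.first_name,
                         lastname=row.last_name, email=row.email, role="org_user",
                         provider="enterprise", idp_username=row.email)
    old = gis.users.get(row.old_username)
    if old is None:
        raise LookupError(f"old user {row.old_username} not found")
    old.delete(reassign_to=new_name)  # moves items and groups, then removes the account
    return new_name
```

Run it as `for r in read_rows(open("users.csv").read()): migrate_user(gis, r, "MyCompanyShortname")`; validating the CSV before the first portal call avoids half-migrated batches.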