Enterprise 10.8.1 Azure Active Directory (SAML) Group Store Configuration

12-10-2021 01:11 PM
DiegoLlamasOlivares
New Contributor III

Hello,

We deployed Enterprise 10.8.1 and it has Azure AD SSO. I used this URL to configure this and it is working: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/arcgisenterprise-tutorial#configur...
Now we have some groups created in Azure AD and we want to configure them with Portal so that, when we create a group for certain users to have certain privileges, we just add the Azure group to it and do not have to add users one by one (we have thousands). I was wondering if there is some way to manage this?

[Screenshot: LumaGroups.PNG]

Can I configure group store configuration for this purpose? 

Thanks,
DLL

4 Replies
ChristopherPawlyszyn
Esri Contributor

With a SAML-based identity store, you'll want to include group membership as part of the SAML assertion for each user. There is a setting in the Portal settings for enabling enterprise group membership as part of the IDP configuration (under advanced settings), which will then allow you to specify the string that matches the value(s) sent in the user's SAML response from the IDP.

The group store configuration you've displayed is specific to Windows AD/LDAP group membership, so it wouldn't apply in this circumstance.

See step 7 here:

https://enterprise.arcgis.com/en/portal/latest/administer/windows/configure-azure-active-directory.h...

by Anonymous User
Not applicable

When you create a group in your enterprise portal and want to use the membership from Azure to manage access, configure it as follows. Under "Who can join this Group?" select "Members of an Enterprise Group",

and under "Enterprise group name" do not put the name; you will want to put the group's Azure Object ID,

for example "e8ad1a30-1d7f-49rf-bd7a-173945c97e70".

ChristopherPawlyszyn
Esri Contributor

Good point, especially when using Azure-only groups as opposed to groups synchronized from an on-premises Active Directory.

Configure group claims for applications with Azure Active Directory | Microsoft Docs
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
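
The two accepted replies above boil down to one check: the value Portal is given as "Enterprise group name" must be the same string Azure AD places in the SAML group claim, which is the group's object ID rather than its display name. The script below is an added example, not code from the thread or from Esri; it parses a constructed Azure AD SAML assertion fragment, pulls the group claim values, and checks a configured Portal group name against them. It assumes the default Azure AD group claim name (`http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`) and an exact string comparison; the GUIDs are constructed sample values.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: the default claim name Azure AD uses for group membership
# (the linked Microsoft docs cover how to enable/configure it).
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: the AttributeStatement of an Azure AD SAML response for a
# user who belongs to two Azure AD groups. Note that Azure sends object IDs,
# not display names, as the group values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>0f3c2b11-1234-4bbb-8ccc-0123456789ab</saml:AttributeValue>
      <saml:AttributeValue>7a9e5d20-5678-4e1f-9a2b-fedcba987654</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def groups_from_assertion(xml_text: str) -> list[str]:
    """Return every value carried in the assertion's group claim attribute."""
    root = ET.fromstring(xml_text)
    values: list[str] = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == GROUP_CLAIM:
            values.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return values


def looks_like_object_id(value: str) -> bool:
    """True when the configured 'Enterprise group name' is GUID-shaped, i.e. an object ID."""
    return GUID_RE.fullmatch(value.strip()) is not None


def portal_group_matches(enterprise_group_name: str, claim_values: list[str]) -> bool:
    """Assumed Portal behaviour: the configured string must equal a claim value exactly."""
    return enterprise_group_name.strip() in claim_values


if __name__ == "__main__":
    groups = groups_from_assertion(SAMPLE_ASSERTION)
    for name in ("0f3c2b11-1234-4bbb-8ccc-0123456789ab", "Luma GIS Editors"):
        print(name, "object id:", looks_like_object_id(name), "matches:", portal_group_matches(name, groups))
```

Running it shows the display-name configuration fails both checks while the object ID passes, which is the misconfiguration the thread describes.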

DiegoLlamasOlivares
New Contributor III

Thanks, this info was really helpful. My enterprise works fine now; I was able to access it and was automatically assigned to the groups I created in Azure and Portal using the Azure object ID.
