Select to view content in your preferred language

Single Sign On experience with SAML on ArcGIS Enterprise ?

12052
16
02-15-2020 12:32 AM
NicolasGIS
Frequent Contributor

Hello,

I am trying to figure out if it is possible to provide a single sign on experience in applications built with data from ArcGIS Enterprise that requires the user to authenticate on the plateforme.

Our portal is configured to use Enterprise Login via SAML with only one identity provider so users do not have any choice on the "sharing/rest/oauth2/authorize" page but to sign in to our IDP. I think it would make sense to forward them straight to the IDP but I believe it is not possible.

Many of our web applications are already secured with SAML and the map in the application built with secured data from ArcGIS Enterprise is just a small part of it. So once the user authenticate on the web application, the map does not show up because they have to authenticate once again to ArcGIS Enterprise. Users are a bit confused (I thought I was already signed in ?!) as there are used to the SSO experience.

I found out how to get rid of the authorization form "Request for Permission" by adding the web application to the "App Launcher" settings (too bad there is not a dedicated setting for that because ideally I would not want the app to be in the app launcher of ArcGIS Enterprise but just to be configured as "will not prompt members with the 'Request for Permissions' dialog" but that is just a small detail), but I cannot find a way to force the authentification to the IDP.

Any idea ? Did I miss anything ? 

Thanks for your feedback !

16 Replies
NicolasGIS
Frequent Contributor

Just upgraded to 10.8 and ... good news this feature has been implemented !

By this feature, I mean, quoting from my original question:

"Our portal is configured to use Enterprise Login via SAML with only one identity provider so users do not have any choice on the "sharing/rest/oauth2/authorize" page but to sign in to our IDP. I think it would make sense to forward them straight to the IDP but I believe it is not possible."

 

=> if you have only one identity provider, you are automatically redirected to this IDP. No more additionnal popup. That is to say if you're application is secured by this IDP, you can have an SSO experience !

I did not find anything related to that feature in 10.8 release note but it is very good news !

Thanks ESRI

Ranga_Tolapi
Frequent Contributor

We’re using ArcGIS 10.8.1, problem still persist.

Even though only Enterprise login (Azure AD) is configured at ArcGIS portal, getting challenged by 2 additional dialogs, 1st one is for sign-in and 2nd one is for permission. Please refer to the enclosed screenshots.

To enable smooth Single Sign-On for our application, these both dialogs were impacting the user experience. How to suppress both the dialogs?

 

 

0 Kudos
NicolasGIS
Frequent Contributor

@Ranga_Tolapi , following your message I ran additional tests and the outcome is quite surprising:

- Install ArcGIS Enteprise 10.8, configure Enterprise login only => no sign-in dialog

- Install ArcGIS Enteprise 10.8.1, configure Enterprise login only => sign-in dialog is displayed (your case)

-Install ArcGIS Enteprise 10.8, configure Enterprise login only and upgrade to 10.8.1 => no sign-in dialog (my case)

 

So it seems like it worked out by chance at 10.8 but is no longer reproductible... As I said, I had not found anything in the release notes about this so it's not very surprising... But it's too bad !

HeatherM_JDI
Occasional Contributor

Hi NicolasGIS! Is this still working for you? We are suffering the same pain... 

0 Kudos
NicolasGIS
Frequent Contributor

Hi,

this issue is solved at 10.9 (for SAML provider only and not OIDC unfortunately).

Otherwise in 10.8.1 it does not work except if you upgrade from 10.8 as explained on my post !

NicolasGIS
Frequent Contributor

For the permission dialog, I think you have to add it to app launcher as described on my post:

"I found out how to get rid of the authorization form "Request for Permission" by adding the web application to the "App Launcher" settings (too bad there is not a dedicated setting for that because ideally I would not want the app to be in the app launcher of ArcGIS Enterprise but just to be configured as "will not prompt members with the 'Request for Permissions' dialog" but that is just a small detail)"

Regarding the sign-in dialog, I don't understand. I stopped having this problem at 10.8.1. 

Will do some tests again

0 Kudos
Ranga_Tolapi
Frequent Contributor

Noted with thanks @NicolasGIS, I will try adding web application to the "App Launcher".

0 Kudos