Single Sign On experience with SAML on ArcGIS Enterprise?

02-15-2020 12:32 AM
NicolasGIS
Regular Contributor

Hello,

I am trying to figure out if it is possible to provide a single sign on experience in applications built with data from ArcGIS Enterprise that require the user to authenticate on the platform.

Our portal is configured to use Enterprise Login via SAML with only one identity provider so users do not have any choice on the "sharing/rest/oauth2/authorize" page but to sign in to our IDP. I think it would make sense to forward them straight to the IDP but I believe it is not possible.

Many of our web applications are already secured with SAML, and the map in the application built with secured data from ArcGIS Enterprise is just a small part of it. So once the user authenticates on the web application, the map does not show up because they have to authenticate once again to ArcGIS Enterprise. Users are a bit confused ("I thought I was already signed in?!") as they are used to the SSO experience.

I found out how to get rid of the authorization form "Request for Permission" by adding the web application to the "App Launcher" settings (too bad there is not a dedicated setting for that, because ideally I would not want the app to be in the app launcher of ArcGIS Enterprise but just to be configured as "will not prompt members with the 'Request for Permissions' dialog", but that is just a small detail), but I cannot find a way to force the authentication to the IDP.

Any idea? Did I miss anything?

Thanks for your feedback!

16 Replies
NicolasGIS
Regular Contributor

No thoughts?

Does not seem like a use case for an organisation using SAML and Portal for ArcGIS with secured data?

Thanks!

KarlieFreeman
New Contributor II

I am following along because I would also like to know if anyone has found a solution to this.

NicolasGIS
Regular Contributor

One dirty workaround I found is editing the "signing_default.html" file (for 10.7.1) to simulate the click on the enterprise login. On Windows it is located at:

C:\Program Files\Arcgis\Portal\framework\webapps\arcgis#sharing\WEB-INF\classes\oauthsignintemplates

By adding the following javascript code after "signIn.startup(oAuthInfo);":

var signInButton = document.getElementsByClassName("js-entlogin")[0];
if (signInButton)
{
   signInButton.click();
}

NicolasGIS
Regular Contributor

A slightly better one, but it is still editing a file we are not supposed to:

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Sign In</title>
<script src="${contextPath}/files/scripts/detector.min.js"></script>
<link rel="stylesheet" href="${contextPath}/files/css/site.min.css">
<script src="${contextPath}/files/scripts/oauth2.js?v7.1.4"></script>
</head>
<body>
<div class="content-container"></div>
<form id="oauth" method="post" action="" class="hide">
<input id="oauth_state" value="" name="oauth_state">
<input value="true" name="authorize">
</form>
</body>
<script>
// Portal injects the OAuth context for this authorize request into the template.
var oAuthInfo = ${oauthInfo};

// Copy the state issued by Portal into the hidden form and post it
// straight to the IdP authorize URL instead of rendering the sign-in page.
document.getElementById("oauth_state").value = oAuthInfo.oauth_state;
var oauthForm = document.getElementById("oauth");
oauthForm.action = oAuthInfo.federationInfo.idpAuthorizeUrl;
oauthForm.submit();
</script>
</html>

Needless to say, it is not supported, a backup of the original file should be made, and I did not test it very thoroughly: it is just a proof of concept, as so far I have not found any better solution.

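The forwarding logic from the proof of concept above, written as a checked function (an added example, not Nicolas's code or Esri's): it only auto-submits when Portal supplied an oauth_state and the idpAuthorizeUrl is an HTTPS URL on an IdP origin the portal is known to be federated with, and otherwise leaves the normal sign-in page in place. The allow-list of IdP origins and the sample oauthInfo values are assumptions.

```javascript
// Decide whether the authorize page may forward the browser straight to the IdP.
// The fields oauth_state and federationInfo.idpAuthorizeUrl mirror what the
// ${oauthInfo} object on this page carries; allowedIdpOrigins is an assumed
// operator-maintained list of the IdP origins the portal is federated with.
function resolveIdpRedirect(oAuthInfo, allowedIdpOrigins) {
  if (!oAuthInfo || typeof oAuthInfo !== "object") return null;
  const state = oAuthInfo.oauth_state;
  // oauth_state ties the IdP response back to this authorize request;
  // without it the round trip cannot be validated, so do not forward.
  if (typeof state !== "string" || state.length === 0) return null;
  const fed = oAuthInfo.federationInfo;
  if (!fed || typeof fed.idpAuthorizeUrl !== "string") return null;
  let target;
  try {
    target = new URL(fed.idpAuthorizeUrl);
  } catch (e) {
    return null; // not an absolute URL, so nothing safe to submit to
  }
  // Only auto-submit over TLS and only to an IdP origin on the allow-list.
  if (target.protocol !== "https:") return null;
  if (!allowedIdpOrigins.includes(target.origin)) return null;
  return { action: target.href, oauth_state: state };
}

// Browser-side glue for the hidden form from the post: returns true when the
// form was submitted, false when the check failed and the page should render
// the regular sign-in controls instead.
function autoForward(doc, oAuthInfo, allowedIdpOrigins) {
  const decision = resolveIdpRedirect(oAuthInfo, allowedIdpOrigins);
  if (!decision) return false;
  const form = doc.getElementById("oauth");
  const stateInput = doc.getElementById("oauth_state");
  if (!form || !stateInput) return false;
  stateInput.value = decision.oauth_state;
  form.action = decision.action;
  form.submit();
  return true;
}

// Constructed sample of what ${oauthInfo} might carry (illustration only).
const sampleOAuthInfo = {
  oauth_state: "abc123",
  federationInfo: { idpAuthorizeUrl: "https://idp.example.org/saml/sso?x=1" },
};
```

In the template, `autoForward(document, oAuthInfo, ["https://idp.example.org"])` would replace the unconditional `oauthForm.submit()` call.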
SusanZwillinger
Occasional Contributor

Nicolas,

We ended up using a third party option from Rock Solid Knowledge Ltd in the UK (https://rocksolidknowledge.com). The component is called "SAML2P for IdentityServer 4". It is not inexpensive (we paid the US dollar equivalent of 3,000 pounds), but it worked well for us.

Let me know if you need more details.

Regards,

-Susan-

NicolasGIS
Regular Contributor

Many thanks for the quick reply, Susan Zwillinger!

Definitely interested in having more information about this component and especially your deployment with the ArcGIS Enterprise component.

So if I understand correctly, you configured your Portal for ArcGIS "Enterprise login" to use the "SAML2P for IdentityServer 4" identity provider, but then how does it prevent ArcGIS Enterprise from displaying a sign in page when not logged in, as you mentioned on your thread:

Can single sign on be achieved using OpenID Connect with a SAML add-in for ArcGIS Enterprise/Portal? 

How did you get rid of it in order to make the authentication to the identity provider automatic and thus provide an SSO experience?

Thanks

NicolasGIS
Regular Contributor

Hello Susan Zwillinger,

Any update on this question?

Thanks!

HeatherM_JDI
New Contributor III

Hi @SusanZwillinger are you still using this?

SusanZwillinger
Occasional Contributor

Hi @HeatherM_JDI, I don't think we are using the SAML2P for IdentityServer 4 add-in now. We upgraded to 10.8 and the client is now using an SAP portal for authentication. Users have the option to log in via SAP or through a local user account (similar to the way that it was when we were using the add-in).