We too are changing our AGO member seats to Active Directory authentication. My question is, can ADFS/SAML be activated on JUST ONE Active Directory group? Does anyone out there in the GIS world have a setup like this? I'm trying to gauge whether this is common practice or whether we are heading into uncharted waters.
Your feedback is appreciated, thanks,
GIS Specialist, City of Palm Coast, Florida
If I understand what you are asking, you want to know if you can limit the users who can sign in using SAML to your ArcGIS Online organization based on their membership in a particular AD group?
I would say the easiest way to accomplish this would be on the ADFS side of things using an Access Control Policy. See the following Microsoft doc on this:
Thanks for your feedback, Danny. We did get it done; it works great. AGO/ADFS via:
-claims-aware trust
-access control, permit specific group
-add relying party trust
-send LDAP attributes as claims
-download ADFS federation metadata.xml
-set enterprise login
-set identity provider via a metadata.xml file, encrypt assertion, update profiles on sign in
Then start inviting AGO members.
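As an added example (not code from either poster, Esri or Microsoft), the following PowerShell does the ADFS-side half of the steps listed above and the group restriction Danny describes: add the claims-aware relying party trust from the ArcGIS Online SP metadata, send LDAP attributes as claims, require encrypted assertions, apply the built-in "Permit specific group" access control policy, and download the ADFS federation metadata for the ArcGIS Online enterprise login page. It assumes a Windows Server 2016 or later ADFS farm behavior level (access control policies do not exist on older farms); the relying party name, file paths, group name and ADFS host name are placeholders, and the AGO side (Security > Enterprise login, encrypt assertion, update profiles on sign in) is still set in the ArcGIS Online admin UI.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the primary ADFS server. All names, paths, group and URL values
# below are assumptions; replace them with your own.
Import-Module ADFS

$rpName     = 'ArcGIS Online'                          # assumed relying party display name
$spMetadata = 'C:\temp\arcgisonline-sp-metadata.xml'   # assumed path to the SP metadata exported from AGO
$gisGroup   = 'CORP\GIS-AGO-Users'                     # assumed AD group that is allowed to sign in

# Send LDAP attributes as claims. ArcGIS Online consumes email, given name and
# surname; the windowsaccountname claim from "AD AUTHORITY" is the standard
# input for the LDAP claims template.
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP attributes to ArcGIS Online"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Map the email address to the SAML NameID (email format) that AGO keys the member on.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email address as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# 1. Add the claims-aware relying party trust from the AGO SP metadata file and
#    encrypt the assertions (AGO must have "encrypt assertion" enabled too).
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $spMetadata `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule) `
    -EncryptClaims $true

# 2. Limit sign-in to ONE AD group with the built-in "Permit specific group"
#    policy. This is the control that answers the original question: anyone
#    outside the group is denied at ADFS and never reaches ArcGIS Online.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AccessControlPolicyName 'Permit specific group' `
    -AccessControlPolicyParameters $gisGroup

# 3. Confirm what is actually applied before inviting members.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Enabled, EncryptClaims, AccessControlPolicyName, AccessControlPolicyParameters

# 4. Download the ADFS federation metadata to upload under
#    ArcGIS Online > Organization > Security > Enterprise login.
$fedMetadataUrl = 'https://adfs.example.org/FederationMetadata/2007-06/FederationMetadata.xml'  # assumed host
Invoke-WebRequest -Uri $fedMetadataUrl -OutFile 'C:\temp\adfs-federation-metadata.xml'
```

Two things worth checking after running it: sign in once with an account that is in the group and once with one that is not, and confirm the second attempt fails at ADFS (event 324 style access-denied) rather than at ArcGIS Online, since the group filter lives entirely in the access control policy and AGO itself never sees the group. On a farm below the 2016 behavior level there is no access control policy; the same restriction is written as an issuance authorization rule on the trust that permits only when a groupsid claim matches the group's SID.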