We too are changing our AGO member seats to Active Directory authentication. My question is, can ADFS/SAML be activated on JUST ONE Active Directory group? Does anyone out there in the GIS world have a setup like this? I'm trying to gauge if this is common practice or if we are heading into uncharted waters.
Your feedback is appreciated, thanks,
Cathy Almberg
GIS Specialist, City of Palm Coast, Florida
386.986.3741
Cathy,
If I understand what you are asking, you want to know if you can limit the users who can sign in using SAML to your ArcGIS Online organization based on their membership in a particular AD group?
I would say the easiest way to accomplish this would be on the ADFS side of things using an Access Control Policy. See the following Microsoft doc on this:
Create a Rule to Permit or Deny Users Based on an Incoming Claim | Microsoft Docs
-Danny
Thanks for your feedback, Danny. We did get it done, and it works great. AGO/ADFS via:
in AD
-claims-aware trust
-access control, permit specific group
-add relying party trust
-send LDAP attributes as claims
-download ADFS federation metadata.xml
in AGO
-set enterprise login
-set identity provider via the metadata.xml file from ADFS
-encrypt assertion, update profiles on sign in
Then start inviting AGO members.
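The ADFS side of the procedure in the post above, as an added PowerShell example (this is not code from either poster or from Esri; it is what the steps look like when typed on the ADFS server instead of clicked through the wizard). The group name GIS-AGO-Users, the file paths under C:\temp, and the relying party name are placeholders; the AGO service-provider metadata file is assumed to have been downloaded from the organization's enterprise-login page beforehand. The "Permit specific group" policy is the built-in ADFS 2016+ access control policy named in the post; how its parameter is passed on the command line is an assumption here, so check it against Get-AdfsAccessControlPolicy on your server.

```powershell
# Added example, not the thread's own configuration. Placeholders (hypothetical):
#   GIS-AGO-Users                  AD group whose members may sign in to AGO
#   C:\temp\agol-sp-metadata.xml   AGO service-provider metadata, downloaded earlier
#   C:\temp\adfs-metadata.xml      where the ADFS federation metadata is saved for AGO
# Run on the ADFS server with the ADFS and ActiveDirectory (RSAT) modules available.
Import-Module ADFS
Import-Module ActiveDirectory

$rpName   = 'ArcGIS Online'
$groupSid = (Get-ADGroup -Identity 'GIS-AGO-Users').SID.Value

# 1. Relying party trust (claims-aware) built from the AGO SP metadata.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile 'C:\temp\agol-sp-metadata.xml'

# 2. "Send LDAP attributes as claims", then map the e-mail claim onto the SAML
#    NameID, which is the value AGO uses to match the enterprise login to a member.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send AGO attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# 3. "Access control, permit specific group": only members of the one AD group get a
#    token for this relying party; everyone else is denied at ADFS before AGO sees them.
#    (Assumption: the built-in policy takes the group SID as its parameter.)
#    Encrypting claims uses the encryption certificate carried in the AGO SP metadata.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -AccessControlPolicyName 'Permit specific group' `
    -AccessControlPolicyParameters $groupSid `
    -EncryptClaims $true

# 4. "Download ADFS federation metadata.xml" for the AGO identity-provider step.
$adfsHost = (Get-AdfsProperties).HostName
Invoke-WebRequest -Uri "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml" `
    -OutFile 'C:\temp\adfs-metadata.xml'

# 5. Check what was actually applied before inviting members.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, EncryptClaims, AccessControlPolicyName
```

Two things worth checking once this is in place. First, the group restriction lives entirely in ADFS: a user removed from the group is refused a token at their next sign-in, but the AGO member account and its content remain until an administrator removes them on the AGO side. Second, on an ADFS version older than 2016 there is no access control policy; the same restriction is expressed as an issuance authorization rule of the kind in the Microsoft document Danny linked, set with Set-AdfsRelyingPartyTrust -IssuanceAuthorizationRules, and on 2016+ that parameter is only accepted when no access control policy is assigned to the trust.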