Adding enterprise login for AGOL

01-08-2019 09:27 AM
New Contributor

we too are changing our AGO member seats to active directory authentication. My question is, can ADFS/SAML be activated on JUST ONE active directory group? Does anyone out there in GIS world have a setup like this? I'm trying to gauge if this is common practice or if we are heading into uncharted waters.

your feedback is appreciated, thanks,

Cathy Almberg

GIS Specialist, City of Palm Coast FLorida


0 Kudos
2 Replies
Occasional Contributor II


If I understand what you are asking, you want to know if you can limit the users who can sign in using SAML to your ArcGIS Online organization based on their membership in a particular AD group?

I would say the easiest way to accomplish this would be on the ADFS side of things using an Access Control Policy.  See the following Microsoft doc on this:

Create a Rule to Permit or Deny Users Based on an Incoming Claim | Microsoft Docs 


0 Kudos
New Contributor

thanks for your feedback Danny. We did get it done, it works great. AGO/ADFS via

in AD

-claims aware trust

-access control , permit specific group

-add relying party trust

-send LDAP attributes as claims

-dpwm;pad adfs federation metadata.xml

in AGO

-set enterprise login

-set identity provider via a  metadata.xml file from-encrypt assertion, update profiles on sign in

then start inviting AGO members.

0 Kudos