ArcGIS Online “Add members using their enterprise ID” - what value to use for “Enterprise ID”?

12-01-2019 04:34 PM
TI
Occasional Contributor

We have ArcGIS Online configured for "enterprise" logins to authenticate against our MS Active Directory. I can add users from AD by sending them invitations in ArcGIS Online. They must respond to these emailed invitations for their account to be created in ArcGIS Online.

I would like to add AD users using the option, "Add members using their enterprise ID without sending invitations". This gets their account set up immediately, and then I can add them to groups, etc, without waiting for them to respond to an invitation.

However, to use this option, I have to include the user's "Enterprise ID".

What is this Enterprise ID, and how do I find out what a particular user's Enterprise ID is? Is it something I have to get from Active Directory? If so, how do I find it for various users?

(I have tried various combinations of username, email address, and organisation name and underscores, but with no luck.)

UPDATE

As per comments, I have now tried populating the "Enterprise ID" field using the format, DOMAIN\user.name (and DOMAIN/user.name), but it will not accept anything with either a \ or a / in it (no error, but the "Next" button does nothing). As soon as I remove the (back)slash, the "Next" button works as expected (but the account does not work because I don't know what I'm supposed to put in the "Enterprise ID" field).

I note that the examples in ESRI's documentation do not use this format. The examples there are "jonc1111" and "sati3554". See: https://doc.arcgis.com/en/arcgis-online/administer/invite-users.htm#ESRI_SECTION1_D4222EB63EF14C96BF...

I feel like there's something very simple/obvious that I'm missing, like I'm looking at the problem through the wrong lens or something. I just can't figure out what I'm sure is supposed to be straightforward.

8 Replies
Peter_Klingman
Esri Regular Contributor

Hi ~ 

This value will depend on the Active Directory. You may be able to work with IT to get a printout of these values. A way to figure out how it is formatted might be to temporarily change the setting to automatically join the organization, and browse to the organization URL. 

This will create an Enterprise user for you with the correctly formatted name. Keep in mind it will append the organization short name to the end of the username.

I just tested this using our in-house ADFS Server and the format was username@domain(.com) - thus my username ended up being username@domain.com_shortName

Hope that helps,

-Peter

TI
Occasional Contributor

So I've got this working now.  Note that the username (visible in the user's profile) is completely different to the Enterprise ID (which is not visible in the user profile at all)!

In our case the Enterprise ID turns out to be of the format:

email.name

Our usernames that it automatically creates for enterprise users are of the format:

Email.Name@domain.com_OrgName

I had tried this previously but it failed then (on multiple occasions).  It's unclear whether I'd done something else wrong or whether it was actually an issue with the Enterprise IDs that I'd entered.

I had logged a job with ESRI about how to get the Enterprise ID from our AD system, but they were unable to provide any clear directions apart from "ask your IT people".  :(

It would be handy if ESRI would document how to determine the Enterprise ID from LDAP and AD systems.  There must be some simple instructions that could be applied to figure this out, either on the command line or via GUI.

Peter_Klingman
Esri Regular Contributor

Glad you got it working - I agree that a guide for how to determine the Enterprise ID could be handy for ArcGIS Online administrators that don't have direct access to the IDP, in your case the ADFS server. I think the reason we don't have specific documentation for ADFS is that we support seven different SAML providers with ArcGIS Online and obtaining the Enterprise ID would likely be a different workflow for each one. That said providing some common formats or links to third party documentation that can assist here seems like a good idea and I'll look into throwing a resource up on GeoNet. 

Cheers,

-Peter

TI
Occasional Contributor

Thanks Peter!

Peter_Klingman
Esri Regular Contributor

Hi Tasmanian Irrigation -

I logged an enhancement request to add a tip on how to obtain the Enterprise ID when adding enterprise members without sending invites.

The record is ENH-000127488 if you want to subscribe through My Esri - it may be a little while before it's exposed there.

Since you can configure ArcGIS Online with numerous IDPs, we are not able to add a specific workflow to find this value. However from my understanding of the documentation (I haven't configured each IDP with ArcGIS Online) the crucial thing is that the Enterprise ID is the attribute passed from the Identity Provider as the NAME ID outgoing claim type. Therefore the tip requested in the enhancement is: "The Enterprise ID is the attribute passed from the Identity Provider as the NAME ID outgoing claim type. Check with your Identity Provider admin for more details."

I also was able to test inviting a hyphenated email (using ADFS as the IDP as well) and this worked as expected. So I'm still a little confused about what was occurring when the initial email could not be invited. Glad you were able to get the member in without an invitation in the end. 

Thanks,

-Peter 

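Peter's explanation above (the Enterprise ID is whatever the IdP sends as the NameID) and his later suggestion to use a SAML tracer/decoder point at the same check: capture the SAMLResponse from one test login and read the NameID out of it, rather than guessing at username or email formats. The script below does that decoding step. It is an added illustration, not part of this thread, of Esri's tooling or of any IdP; the SAML response it parses is a constructed sample (issuer, IDs and values are made up), and it does not validate the XML signature, so it is only for inspecting what the IdP is sending, not for trusting it.

```python
import base64
from xml.etree import ElementTree as ET

# SAML 2.0 namespaces used in the Response/Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real capture): a minimal Response of the kind an IdP such
# as ADFS POSTs to the service provider. Signature elements are omitted on purpose.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2019-12-01T04:34:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-12-01T04:34:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">email.name</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>email.name@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_saml_response(xml_text: str) -> str:
    """Produce the base64 form that travels in the SAMLResponse POST field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


# This is the value a browser SAML tracer shows for the SAMLResponse field.
SAMPLE_SAMLRESPONSE_FIELD = encode_saml_response(SAMPLE_RESPONSE_XML)


def extract_name_id(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse value and return the NameID (value and Format).

    The NameID is the identifier the thread says ArcGIS Online treats as the
    "Enterprise ID". Attribute claims such as the email address are returned
    separately so an admin can see that they are distinct from the NameID.
    """
    xml_bytes = base64.b64decode(saml_response_b64)
    root = ET.fromstring(xml_bytes)

    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        # Failure mode worth surfacing: the IdP is not issuing a NameID at all,
        # so no value typed into "Enterprise ID" can match.
        raise ValueError("no NameID in SAML response: the IdP is not sending an identifier")

    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "name_id": name_id.text.strip(),
        "format": name_id.get("Format", ""),
        "attributes": attributes,
    }


if __name__ == "__main__":
    result = extract_name_id(SAMPLE_SAMLRESPONSE_FIELD)
    print("Enterprise ID (NameID):", result["name_id"])
    print("NameID format:         ", result["format"])
    for name, values in result["attributes"].items():
        print("claim", name, "=", values)
```

Running this against captures from two or three different users is also a quick way to test the inconsistency reported later in the thread: if the NameID comes out as a bare name for one user and a full email address for another, the difference is in what the IdP's claim rules emit per user, which is something the IdP administrator can fix in one place rather than something to work around user by user.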
TI
Occasional Contributor

Thank you.

If I ever get another staff member with a hyphenated email address and I'm not in a hurry to get them into AGOL, I might try it the same way again, and log a support request if the same problem occurs.

TI
Occasional Contributor

Since posting this question, I have become more and more aggravated by how this works (or sometimes does not work) between ArcGIS Online and Active Directory.  I have found that in some cases, entering the full email address works for the Enterprise ID, but not in others.  And in some cases, entering only the name part (before the "@") works, but not for others.

So it's a matter of trial-and-error on a case-by-case basis.  Which makes it impossible to create a file of new users to invite.

It's unclear if this is due to ArcGIS Online inconsistencies, or due to Active Directory inconsistencies.  But without a clearly defined way to interrogate Active Directory to get what AGOL calls the "Enterprise ID", then I have no way of knowing which to use for any particular user.

At least now I know that if one form doesn't work, just switch to the other form and try again, and it should work.

Peter_Klingman
Esri Regular Contributor

Thanks for the reply on this - let me know if I can assist with getting your account attached to the above enhancement. This way you can escalate it and provide the use case. I would also recommend opening, or re-opening an old, support case to see if an analyst can run a SAML tracer/decoder or take other troubleshooting steps to narrow down the issue. It definitely shouldn't work inconsistently as you describe above.

Thanks,

-Peter
