Help with simplifying AGOL sign-in

10-20-2016 01:38 PM
ZorbaConlen
Occasional Contributor

Hi. I'd like to simplify the sign-in experience for end users. We have integrated with ADFS, so users can sign in using their regular work domain accounts, but there are some issues and it's often confusing for new users or infrequent users. There is some variability depending on whether they are on a browser vs. signing in to Collector, etc., but the following screenshots show what a new user might see.

1. For our apps, they need to use their enterprise account, so we need to train them to ignore the prominent sign in interface and instead, click the button below.

2. The user needs to know the domain part of our url....

3. The user needs to know that they should use their Bellevue account

4. Finally, they get to the point of actually signing in. 

5. To complicate matters, the map or feature service may be secured (we use LDAP or Windows security). If so, the user will be prompted to authenticate against the service, which looks something like below. The password is the same as what they input for AGOL sign-in, but the username in this case is just the username, rather than the full email.

Now, that's a lot to ask of a casual user. They don't really understand why they need to sign in twice, and why the username is different for the different sign-in dialogs. So, looking for ways to simplify this. One option is to configure the organization sign in options to only show the enterprise login. 

This would be a good improvement, but there is one issue. Several times, we have had ADFS down temporarily, and when that happens, we can't use our enterprise accounts to sign into AGOL and administer the organization. Also, our ADFS certification expires once a year, and if we fail to update our organization before it expires, we are again unable to use our org account. So, as a backup, we have one AGOL account with admin privileges that we can use when ADFS is not working. Due to this issue, we are hesitant to change the sign-in options, because we would have no way to access and administer our account in the situation mentioned above.

To summarize

1) Sign in experience for users is burdensome. ESRI should look into ways to simplify this. Perhaps allowing AGOL authentication to pass through to map service authentication. Also, allow administrators to customize the sign in interface.

2) If we change the sign in options so that users can only use their Bellevue accounts, how could we handle cases where those accounts are not working due to issues with ADFS? Is there another backdoor way to get into our accounts?

3) Are others dealing with this issue? If so, what strategies have you adopted?

Thanks

Accepted Solutions
DanielUrbach
Occasional Contributor II

Hello Zorba,

According to the documentation (Configure security settings—ArcGIS Online Help | ArcGIS),

"If you disable the ArcGIS Online sign in option, members with ArcGIS Online accounts can still sign in to the organization through https://www.arcgis.com/home/signin.html."

For your apps such as Collector, the user can create a connection to the organizational URL rather than www.arcgis.com, at which point they will not need to enter the organizational shortname each time they log in through that app.

I hope this helps!

-Danny

2 Replies
by Anonymous User
Not applicable

We have exactly the same problem as you - this is the most common support issue we got. When we changed to ADFS we thought it would be easier for the user to remember the login but it is at least as cumbersome as before. 