Implementing ArcGIS Online Enterprise Logins with Existing Users

02-09-2015 07:21 AM
ChrisTaylor
New Contributor II

Hello,

We are looking into setting up enterprise logins using ADFS for our organization, but have many existing users.  In the early days of our ArcGIS Online organization we thought we were being helpful by trying to match new users' accounts to their AD usernames.  I remember hearing somewhere along the way that if we ever went to enterprise logins we would have to copy any affected user's content to a new & different user, delete their old AD-matched account, then copy the content back to their true ADFS account once EL has been implemented.

My question is how exactly does this all play out?  There's no real development environment to AGOL so I'd like to know what I'm facing before I try it.  Do all of the current AD-matched accounts have to be eliminated before we configure EL and 'flip the switch' so to speak?  If ELs are enabled with AD-matched accounts still out there, will it cause conflicts or issues?

Thanks for your help.


Chris Taylor

GIS Web Developer

City of Kingston, ON

Accepted Solutions
VenusScott
Occasional Contributor III

Chris,

This is super easy to convert to. We had several users and each had several maps/apps with them. Once we implemented the enterprise logins it was very simple to import a list (or in a batch mode):

Once the users accepted, it's super easy to "transfer ownership" of their maps/apps by selecting them all and using the "Change Owner" option:

You also have the option to create the same folder structure they have:

Once I moved everyone and everything over I deactivated (not deleted) the old access.

LOVE not having to maintain users short of inviting them!

Venus Scott


17 Replies
BrianO_keefe
Occasional Contributor III

It would be of interest to me as well to get an answer to this question. Any information would be helpful.

BrianO_keefe
Occasional Contributor III

So how do you update this list?

VenusScott
Occasional Contributor III

Currently I get a monthly list of users who have left and compare it to our AGOL list of users. I will just deactivate the users at that point.
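
An added example, not part of the original posts: one way to script the monthly comparison described above, so that both a leaver's old built-in account and their enterprise account are caught. The CSV column names, the sample rows and the `_exampleorg` username suffix are assumptions made for illustration.

```python
import csv
import io

ORG_SUFFIX = "_exampleorg"  # assumption: suffix on enterprise-login usernames

# Constructed sample data (hypothetical names and column headers).
LEAVERS_CSV = """ad_username,left_on
jdoe,2015-01-30
ASMITH,2015-01-15
bnguyen,2015-01-20
"""
MEMBERS_CSV = """username,status
jdoe,active
jdoe_exampleorg,active
asmith_exampleorg,disabled
mlee_exampleorg,active
"""

def normalize(username, suffix=ORG_SUFFIX):
    """Lower-case and drop the assumed org suffix so AD and AGOL names compare."""
    name = username.strip().lower()
    if suffix and name.endswith(suffix):
        name = name[: -len(suffix)]
    return name

def reconcile(leavers_csv, members_csv):
    """Return (accounts still enabled for leavers, leavers with no AGOL account)."""
    leavers = {normalize(row["ad_username"])
               for row in csv.DictReader(io.StringIO(leavers_csv))}
    to_deactivate, matched = [], set()
    for row in csv.DictReader(io.StringIO(members_csv)):
        key = normalize(row["username"])
        if key in leavers:
            matched.add(key)
            # Skip accounts that were already disabled in an earlier run.
            if row["status"].strip().lower() != "disabled":
                to_deactivate.append(row["username"])
    return sorted(to_deactivate), sorted(leavers - matched)

if __name__ == "__main__":
    deactivate, unmatched = reconcile(LEAVERS_CSV, MEMBERS_CSV)
    print("Deactivate:", deactivate)
    print("No AGOL account found:", unmatched)
```
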

RebeccaStrauch__GISP
MVP Emeritus

There are some tools available, both free and paid, to help with this process. You can read more about them here:

Tools · Esri/ago-admin-wiki Wiki · GitHub

and a blog post about some of these: ArcGIS Online admin tools available on GitHub | ArcGIS Blog

I may eventually face the same thing, that is, moving users' content to an AD account name, but so far I've not used the same AD account for AGOL account (except for one of my admin accounts), so I haven't gone thru the process.  I have used some of the Esri tools for moving content, however.

Edit:  I like Venus' answer above.

BrianO_keefe
Occasional Contributor III

I'm curious, with my organization we have roughly 5,000 users. Obviously not everyone would ever even KNOW about ArcGIS.com, much less try to log in... but...

I thought that with the new 'credits' and AGOL accounts system starting to become the norm that the number of AGOL accounts was restricted to the number of specific licenses that organization utilizes. So if we were to incorporate this 'Enterprise Login' concept...

  1. How would that affect our number of licenses vs AGOL accounts requirements?
  2. Does this bypass those restrictions?
  3. Does this require a different level of licensure?
  4. Does each person that signs on use a license and if too many people are signed on the next person cannot sign on now until someone else signs off, like an implementation of an internal license server?
  5. OR Do we grant a specific set of users an AGOL account and everyone else, even though we've set up this Enterprise Login, won't ACTUALLY be able to sign in to AGOL until we purchase more licenses?

Really curious because this sounds like it would solve a lot of problems.

RebeccaStrauch__GISP
MVP Emeritus

Brian,

I'm in a similar situation... although only 300 users for 50 AGOL/desktop licenses, but about 5000 users in the department... most (including managers) that have no clue about AGOL, unless they happen to link from our dept page or an email.  I don't THINK federating active directory means that all 5000 would need or get accounts (unless you purchase more).  What I see this doing is not maintaining another, and possibly weaker, set of usernames and passwords.  But, unless they announce a new way, it does not bypass the restrictions.

BrianO_keefe
Occasional Contributor III

So is this process just allowing AGOL to verify username / password against an AD system then?

Or is this allowing an AD system to generate AGOL users?

I'm researching this as an option for AGOL account management.

VenusScott
Occasional Contributor III

Correct, it just verifies username / password against an AD system.
