Implementing ArcGIS Online Enterprise Logins with Existing Users

02-09-2015 07:21 AM
ChrisTaylor
New Contributor II

Hello,

We are looking into setting up enterprise logins using ADFS for our organization, but have many existing users.  In the early days of our ArcGIS Online organization we thought we were being helpful by trying to match new users' accounts to their AD usernames.  I remember hearing somewhere along the way that if we ever went to enterprise logins we would have to copy any affected user's content to a new & different user, delete their old AD-matched account, then copy the content back to their true ADFS account once EL has been implemented.

My question is how exactly does this all play out?  There's no real development environment to AGOL so I'd like to know what I'm facing before I try it.  Do all of the current AD-matched accounts have to be eliminated before we configure EL and 'flip the switch' so to speak?  If ELs are enabled with AD-matched accounts still out there, will it cause conflicts or issues?

Thanks for your help.


Chris Taylor

GIS Web Developer

City of Kingston, ON

17 Replies
BrianO_keefe
Occasional Contributor III

Rebecca, "What I see this doing is not maintaining another, and possibly weaker, set of usernames and passwords."

Is there better documentation somewhere on what this does or how? I need to know "for sure" what and how this works before it could even be considered. It APPEARS to be an amazing option that makes a LOT of things simpler.

RebeccaStrauch__GISP
MVP Emeritus

There is documentation, but I think Venus can talk first hand about their experiences and how they implemented it. My comment about passwords without using Active Directory is because users can set their own passwords, of course, on AGOL. I think a password rule option is available now, but I know I haven't implemented it or forced my users to change their passwords yet... but hope to soon. I'm sure they are not strong right now... my guess, for my users only.

VenusScott
Occasional Contributor III

Brian,

We have over 13k City employees but we only have 100 AGOL users. Most of what I call our GIS Super Users are the only ones I have set up on AGOL. These super users create maps for their departments and make them "public" for viewing purposes, which uses no license. If it needs to be limited to just a "group" or department, our GIS Super Users have an AD group created to secure the feature/map service, or only the small group of users is then added to AGOL.

I have yet to reach the limit on the number of licenses we have so I can't tell you what AGOL would actually do. ESRI staff please chime in here?

BrianO_keefe
Occasional Contributor III

First off... I'm jealous.

Having that many power users would be so nice. We are still on the ground floor when it comes to establishing GIS for our organization. So you just give all users an account? Or do you have a "department" account for publishing/editing maps/data that are department specific?

VenusScott
Occasional Contributor III

Thanks!

Here is what I have set up:

Groups consist of either the department of the GIS staff (whom I give ownership to) or (if warranted) an application/project name for enterprise use. Users can belong to one or many of these groups.

I had to set up a custom role for limiting "credit" costing items on AGOL (uploading features, geocoding, etc.) and applied it to most users because we really want them to utilize our investment of ArcGIS servers. We use AGOL more for easy map and app creation and templates. The users in turn use our map/feature services from our servers.

I just discovered the "Admin Tools for ArcGIS Online" in the Marketplace.arcgis.com and will play with it to make my AGOL admin job more efficient. (New toy to play with, whoo hoo!)

VenusScott
Occasional Contributor III

I should also mention that there are circumstances where we still use the old "named users" access. One of these instances is where the named user "City of Phoenix" owns all of our public enterprise GIS map viewers. This way, any of us four AGOL admins can maintain these maps/apps for coverage purposes.

NeillJobe
Occasional Contributor II

Venus,

This may be of interest to you. Our Migrate Users tool, in Admin Tools for ArcGIS Online & Portal, can help you move content between existing users and newly created users when turning on ADFS - Check it

Hope this helps.

NathanEnge
Esri Contributor

Of course, now that Portal is included with 10.3.1, to have non-authenticated users access the publicly (behind firewall) or as I call it privately-anonymous - would relieve the AGOL licensing restrictions in terms of number of users in your AGOL organizational subscription.

Plus, Portal uses IWA to authorize/authenticate against AD - so you don't have to use ADFS.

There are AGO tools available to move items between accounts. ago-assistant. However, normally I suggest republishing to Portal.