Migrate/Convert ArcGIS Users to SAML

03-11-2021 06:38 AM
ChrissyRothgeb
Occasional Contributor

While our primary ArcGIS Online Org has used SAML logins for quite some time, we've had a secondary AGOL as well as an on-prem Portal that have used ArcGIS user accounts for some time before implementing SSO on them. Thus, we have many existing ArcGIS accounts, and those have identical names to their SAML counterparts because we'd gone with a similar naming convention early on ("username_org"). So we cannot simply have existing users log into the org using their SAML account because of the conflict.

My question is this: is there any way to convert an ArcGIS Online account (or local Portal accounts) to SAML type? I'm happy to do this using Python APIs if needed (I can see no way to do this through the web interface). If not, what is the best solution? Is it better to keep the old accounts and just have new users utilize SSO, or should I try and transfer data for each user to a temporary holding account, delete the original, then transfer to the SAML login once the user has gone through SSO once? Or is there a better way I haven't considered?

I'm just curious if anyone else has gone through this before. I'm not seeing anything about it on the web or forums, though maybe I'm just looking for the wrong search terms. Thank you for any suggestions or insight!


8 Replies
PeterKnoop
MVP Regular Contributor

If you want to automate this process with the ArcGIS API for Python, then you might start by programmatically creating the enterprise accounts. If you have their firstname, lastname, and idpusername, then you can use gis.users.create, along the lines of:

from arcgis.gis import GIS

# Connect as an organization administrator (placeholder credentials).
gis = GIS("https://www.arcgis.com", "admin_username", "admin_password")

user = gis.users.create(
    username='pat_org',    # The user's username according to your idp, combined with the shortname for your ArcGIS Online organization.
    password=None,         # Enterprise (SAML) accounts have no ArcGIS password: pass None, not the string 'None'.
    firstname='Pat',
    lastname='Smith',
    email='pat@somecollege.edu',
    role='org_publisher',
    provider='enterprise',
    idp_username='pat',    # The user's username according to your idp.
    level='2',
    user_type='GISProfessionalAdvUT'
)

If you're using New Member Defaults, then you should double-check that the account you created above is provisioned with settings you are expecting. For various versions of the ArcGIS API for Python, gis.users.create has failed to honor some of the New Member Default settings. In which case you could add some more to your script to programmatically deal with what got missed (e.g., allocate credits, enable Esri Access, assign licenses.)

Also, you can only choose from the default roles when specifying the role for gis.users.create. If you use a custom role for your users, then you could add a next step that changes the user's role to that custom role.

After you have created the new account, then you can also script changing the ownership of all of the user's items and groups from their old arcgis account to their new SAML/enterprise account.

If you have a lot of users with a lot of content/groups to move, then you probably want to schedule some downtime for your system and inform the impacted users well in advance. During that downtime, while you are running your script to create the accounts and change ownership, you might want to temporarily disable the ability of those users to login, and then re-enable it when you are all done; you don't want them accidentally changing things in the middle of the process.

ChrissyRothgeb
Occasional Contributor

Awesome - thank you! I may very well use this approach. Is there any way to actually convert the accounts from AGOL to SSO under the hood? Unfortunately, the old names will conflict with the new due to us being "proactive" in our account naming. Ah, the best laid plans...

PeterKnoop
MVP Regular Contributor

Sorry! I missed that part. I am not aware of a way to convert an account's type.

We did have a few like that in the early days, as we didn't understand the naming convention at the time either. We ended up creating a temporary arcgis account, changing ownership of the user's items/groups to the temp account, deleting the user's arcgis account, creating the user's enterprise account, and changing ownership once more on everything to the user's enterprise account. 
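
The procedure from the two replies above (create the enterprise account, move items and groups, and take the temp-account detour when the built-in username already matches the SAML one) as an added example; it is not code from the thread or from Esri. It builds the ordered operation list from a constructed inventory so it can be dry-run offline; the temp username prefix, the Snapshot fields and the operation names are assumptions, and each operation maps onto a real call (gis.users.create, gis.content.create_folder, item.reassign_to with target_folder, group.reassign_to, group.add_users, user.delete).

```python
from dataclasses import dataclass


@dataclass
class Snapshot:
    """Inventory of a built-in account, gathered before it is deleted.
    With the real API this comes from user.folders, user.items(folder=...)
    and user.groups / group.get_members(); here it is constructed by hand."""
    username: str
    items: dict   # item id -> folder title ("" for the root folder)
    groups: dict  # group id -> "owner", "admin" or "member"


def plan_migration(snap, idp_username, org_short, taken):
    """Return the ordered operations that move `snap` to the enterprise
    account <idp_username>_<org_short>. A SAML account cannot be created while
    a built-in account still holds the same username, so a conflicting name
    forces the temp-account detour described in the thread. `taken` is the
    set of usernames already in the org (gis.users.search in the real API)."""
    target = f"{idp_username}_{org_short}"
    if target in taken and target != snap.username:
        raise ValueError(f"{target} already exists and is not {snap.username}")
    hops = [target]
    if target == snap.username:
        hops = [f"tmp_{snap.username}", target]  # hypothetical temp username
    ops, source = [], snap.username
    for hop in hops:
        provider = "enterprise" if hop == target else "arcgis"
        ops.append(("create_user", hop, provider))
        for folder in sorted({f for f in snap.items.values() if f}):
            ops.append(("create_folder", hop, folder))  # keep the folder layout
        for item_id, folder in snap.items.items():
            ops.append(("reassign_item", item_id, hop, folder))
        for gid, role in snap.groups.items():
            if role == "owner":
                ops.append(("reassign_group", gid, hop))
            else:  # re-add as admin or plain member, matching the old role
                ops.append(("add_to_group", gid, hop, role == "admin"))
        # Delete the previous holder only after its content is moved; this frees the name.
        ops.append(("delete_user", source))
        source = hop
    return ops
```

Review the returned list before executing it, and run the real calls with the affected users' logins disabled, as the reply above recommends.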

Thomas_Puthusserry
Frequent Contributor

We are in a similar situation and would like some guidance on this.

@PeterKnoop any suggestions would be very helpful.

1. We have over 350 users to migrate in AGOL (currently all of them have built-in user name). This is not with email so the new SAML account will be different.

2. Is there a way the user's account IdPUsername can be updated to use the new username via Python API? For example, there is an option to do this in Enterprise: https://developers.arcgis.com/rest/enterprise-administration/portal/update-enterprise-user/

3. What is the best option to migrate the contents / access to groups etc? 

Is there any python scripts available which can be used to migrate?

CityofAikenGISAdminAccount
Emerging Contributor

Thomas - did you get this figured out?  We have AGOL sign on for all of our accounts, and just enabled SAML yesterday.  I'm looking to do exactly what you were talking about.  I see the documentation and it seems to apply to enterprise (update enterprise user) and I'm wondering if it can be applied in AGOL as well.  The only other option I'm seeing is to create all new users and migrate content.  From what I've read in the forums thus far, there seems to be the potential for things not all being migrated to look exactly the same (maps with layers, etc.).  I'm concerned because we have users with many folders containing content, many apps referencing maps (of course), and most maps with multiple layers, and all with different types of sharing enabled.  So... many levels of complexity to contend with.

Any thoughts, experiences, or advice you'd be willing to share would all be helpful.

Thank you.

CalvinHarmin
Frequent Contributor

Checking in with identical use case:

We've got Azure AD SSO enabled for ArcGIS Online. We're in a testing phase. I've hit a fork in the road...

We are already using the naming convention for AGO usernames where it follows our Town email base name, which is first initial / last name, followed by _tofv, since that's our AGO tenant short name.

Example in my case: charmin_tofv

That's what we want to continue to use, but upon first Azure AD SSO login, there is not a method I can find to 'map' the existing user to the Azure AD login. So on AGO side it creates, for example, a new charmin_tofv2 user automatically.

Can anyone confirm if there is still no viable method of 'mapping' Azure AD to existing accounts like this, so we don't have to wipe out and recreate users? That process also breaks any collaboration invites they may have had, aside from the content migration issue.

CityofAikenGISAdminAccount
Emerging Contributor

Calvin

I started implementing SAML, didn't have a chance to move content at the time.  SAML worked for testing purposes for logins to be auto-generated.  However I've not found any way to map new SAML users (batch generated or generated at login) to existing users.  The only thing I've found (I'll be circling back to this project VERY soon to test/implement) is to use Python and some ESRI samples and some scripts I found while scouring and am putting together as much capability as possible to truly transition content.  I've seen multiple examples where (in reading a script sample from ESRI or one a user shared) I could see it would do a portion of the work, but not all.  Some examples include transfer ownership of items (maps, layers, etc.) but dump it all into their main user folder, or add the new user to the same groups but not set the permissions (e.g. make them a manager of the group, etc.), and surely other things like add-on license assignment, etc.  Frankly, it is a scary thing with the level of complexity and associated relationships between users and items and permissions and properties that I'm sure during the actual full-on transfer I will miss/drop something.

I'm not liking this at all.

CalvinHarmin
Frequent Contributor

I am also working on a similar thing with ArcGIS Python API, so I can collate all existing relevant user info for licensing (arcgis pro),  groups, user level, roles, etc. So hopefully I can re-apply all of that to the new user automatically once I start nuking accounts and restoring them after SSO-login occurs. 
