Migrate/Convert ArcGIS Users to SAML

964
3
Jump to solution
03-11-2021 06:38 AM
Labels (1)
ChrissyRothgeb
New Contributor III

While our primary ArcGIS Online Org has used SAML logins for quite some time, we've had a secondary AGOL as well as an on-prem Portal that have used ArcGIS user accounts for some time before implementing SSO on them. Thus, we have many existing ArcGIS accounts, and those have identical names to their SAML counterparts because we'd gone with a similar naming convention early on ("username_org"). So we cannot simply have existing users log into the org using their SAML account because of the conflict.

My question is this: is there any way to convert an ArcGIS Online account (or local Portal accounts) to SAML type? I'm happy to do this using Python APIs if needed (I can see no way to do this through the web interface). If not, what is the best solution? Is it better to keep the old accounts and just have new users utilize SSO, or should I try and transfer data for each user to a temporary holding account, delete the original, then transfer to the SAML login once the user has gone through SSO once? Or is there a better way I haven't considered?

I'm just curious if anyone else has gone through this before. I'm not seeing anything about it on the web or forums, though maybe I'm just looking for the wrong search terms. Thank you for any suggestions or insight!

0 Kudos
1 Solution

Accepted Solutions
PeterKnoop
Occasional Contributor III

Sorry! I missed that part. I am not aware of a way to convert an accounts type.

We did have a few like that in the early days, as we didn't understand the naming convention at the time either. We ended up creating a temporary arcgis account, changing ownership of the user's items/groups to the temp account, deleting the user's arcgis account, creating the user's enterprise account, and changing ownership once more on everything to the user's enterprise account. 

View solution in original post

3 Replies
PeterKnoop
Occasional Contributor III

If you want to automate this process with the ArcGIS API for Python, then you might start by programmatically creating the enterprise accounts. If you have their firstname, lastname, and idpusername, then you can use gis.users.create, along the lines of:

user = gis.users.create(
    username = 'pat_org',    # The user's username according to your idp, combined with the shortname for your ArcGIS Online organization.
    password = 'None',
    firstname = 'Pat',
    lastname = 'Smith',
    email = 'pat@somecollege.edu',
    role = 'org_publisher',
    provider = 'enterprise',
    idp_username = 'pat',    # The user's username according to your idp.
    level = '2',
    user_type = 'GISProfessionalAdvUT'
)

If you're using New Member Defaults, then you should double-check that the account you created above is provisioned with settings you are expecting. For various versions of the ArcGIS API for Python, gis.users.create has failed to honor some of the New Member Default settings. In which case you could add some more to your script to programmatically deal with what got missed (e.g., allocate credits, enable Esri Access, assign licenses.)

Also, you can only chose from the default roles when specifying the role for gis.users.create. If you use a custom role for your users, then you could add a next step that changes the user's role to that custom role.

After you have created the new account, then you can also script changing the ownership of all of the user's items and groups from their old arcgis account to their new SAML/enterprise account.

If you have a lot of users with a lot of content/groups to move, then you probably want to schedule some downtime for your system and inform the impacted users well in advance. During that downtime, while you are running your script to create the accounts and change ownership, you might want to temporarily disable the ability of those users to login, and then re-enable it when you are all done; you don't want them accidentally changing things in the middle of the process.

ChrissyRothgeb
New Contributor III

Awesome - thank you! I may very well use this approach. Is there any way to actually convert the accounts from AGOL to SSO under the hood? Unfortunately, the old names will conflict with the new due to us being "proactive" in our account naming. Ah, the best laid plans...

0 Kudos
PeterKnoop
Occasional Contributor III

Sorry! I missed that part. I am not aware of a way to convert an accounts type.

We did have a few like that in the early days, as we didn't understand the naming convention at the time either. We ended up creating a temporary arcgis account, changing ownership of the user's items/groups to the temp account, deleting the user's arcgis account, creating the user's enterprise account, and changing ownership once more on everything to the user's enterprise account.