While our primary ArcGIS Online Org has used SAML logins for quite some time, we've had a secondary AGOL as well as an on-prem Portal that have used ArcGIS user accounts for some time before implementing SSO on them. Thus, we have many existing ArcGIS accounts, and those have identical names to their SAML counterparts because we'd gone with a similar naming convention early on ("username_org"). So we cannot simply have existing users log into the org using their SAML account because of the conflict.
My question is this: is there any way to convert an ArcGIS Online account (or local Portal accounts) to SAML type? I'm happy to do this using Python APIs if needed (I can see no way to do this through the web interface). If not, what is the best solution? Is it better to keep the old accounts and just have new users utilize SSO, or should I try and transfer data for each user to a temporary holding account, delete the original, then transfer to the SAML login once the user has gone through SSO once? Or is there a better way I haven't considered?
I'm just curious if anyone else has gone through this before. I'm not seeing anything about it on the web or forums, though maybe I'm just looking for the wrong search terms. Thank you for any suggestions or insight!
After we established our proof of concept after setting up the Azure SAML settings, I put a pin in the project temporarily as we have had to tackle some other projects. So unfortunately I don't have much in the way of further testing or "aha's" to share.
But on my end I did notice some new avenues for testing:
So, in conclusion... you may have the best experience if you can retain your existing user accounts, and have the SAML login create a different username. Then you could at least perform certain 'transfer' options from one user to another, but again it doesn't seem to be complete in terms of transferring everything 😞 So that would need some more testing.
Good find! I hadn't found the "transfer member". I'll have to look at that a bit more. Like you, I also found the additional "add member" options once activating SAML. I've tested "invite members to join using their org specific logins"... this worked fine, but like you indicated, you have to wait for them to login to do anything (assign groups, permissions, etc.). I also tested "add members using their org specific ID without sending invite" - that actually worked really slick. I created a new user using this method, and followed the naming convention used by our SSO. Once created, I used scripts to set role, license type, and group assignments based on the pre-existing user (the user is a field editor, so no owned content to transfer). This worked very well. This way I was able to do what I needed to, not needing to wait on them, and they didn't need to wait on me either.
I did find one additional thing that I'm toying with before working on migrating users with content... update enterprise user to update the idpname. https://developers.arcgis.com/rest/enterprise-administration/portal/update-enterprise-user/ I did a quick search and couldn't tell if this was exposed for AGOL orgs or just enterprise portal, so I put in a tech support ticket to get some advice. I also want to see if there is a way via python to set this property for named users (even if only in portal this could help) if it is a property that exists but is not populated for named users. I can't imagine they made a completely different class for users generated via SAML/SSO versus named users. Just a playing around kind of idea. Not sure if it will get traction or not.
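The copy step described in the post above (role, license type and group assignments cloned from the pre-existing built-in user onto the new SAML member), as an added Python example rather than the poster's own script: `copy_membership` is written against `arcgis.gis.User` / `arcgis.gis.Group` objects (`update_role`, `update_license_type`, `groups`, `Group.add_users`), but is exercised here with constructed stand-in classes so it runs offline without the `arcgis` package.

```python
def copy_membership(source, target, skip_group_ids=()):
    """Copy role, user license type and group memberships from an existing
    built-in user onto the new SAML member. Accepts arcgis.gis.User objects
    or the stand-ins below; returns an audit summary of changes and skips."""
    summary = {"role": None, "license": None, "groups": [], "skipped": []}
    if source.role != target.role:
        target.update_role(source.role)
        summary["role"] = source.role
    src_type = getattr(source, "userLicenseTypeId", None)  # e.g. creatorUT
    if src_type and src_type != getattr(target, "userLicenseTypeId", None):
        target.update_license_type(src_type)
        summary["license"] = src_type
    already = {g.id for g in target.groups}
    for group in source.groups:
        if group.id in already or group.id in skip_group_ids:
            summary["skipped"].append(group.id)
            continue
        # Group.add_users lists members it could not add under 'notAdded'
        if group.add_users([target.username]).get("notAdded"):
            summary["skipped"].append(group.id)
        else:
            summary["groups"].append(group.id)
    return summary

# Constructed stand-ins (not arcgis classes) so the copy step runs offline.
class FakeGroup:
    def __init__(self, gid, closed=False):
        self.id, self.closed, self.members = gid, closed, []
    def add_users(self, usernames):  # closed=True mimics a refused add
        if self.closed:
            return {"notAdded": list(usernames)}
        self.members += usernames
        return {"notAdded": []}

class FakeUser:
    def __init__(self, username, role="org_user", lt="viewerUT", groups=()):
        self.username, self.role = username, role
        self.userLicenseTypeId, self.groups = lt, list(groups)
    def update_role(self, role): self.role = role
    def update_license_type(self, lt): self.userLicenseTypeId = lt

def demo():
    """Constructed case: old built-in 'jdoe_org' cloned onto its SAML twin."""
    crew, admins = FakeGroup("g1"), FakeGroup("g2", closed=True)
    old = FakeUser("jdoe_org", "org_publisher", "creatorUT", [crew, admins])
    new = FakeUser("jdoe_sso")  # distinct name, avoids the username clash
    return copy_membership(old, new), old, new
```

With the real API the target would be the user returned by `gis.users.create(..., provider='enterprise', idp_username=...)`, which is the script equivalent of adding a member by org-specific ID without sending an invite (my assumption that the two correspond).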