Why Single Sign On for academia (enterprise logins)

10-17-2017 11:15 AM
Esri Regular Contributor

For a while we have recommended that the best approach for managing ArcGIS Online or ArcGIS Enterprise portals is to enable enterprise logins, commonly referred to as Single Sign On (SSO). The information below may be useful for those who are not familiar with it, or have not implemented it yet.

  • SSO explained
    • SSO enables a user to use the same set of credentials for signing in to multiple applications. This means that faculty and students can use the same credentials coming from their institution’s enterprise identity store to log in to ArcGIS Online or ArcGIS Enterprise.
    • What happens in the background? An ArcGIS account still gets created for identity purposes and is linked to your enterprise credentials. This is not visible to the user.
    • SSO can be set up for both ArcGIS Online and ArcGIS Enterprise, both referred to as “portal”, and can be set up for multiple portals.


  • What will be alleviated with SSO 
    • Ease of access – one set of credentials will be used.
    • User management – this is HUGE for academia. Enabling SSO means that no additional account logins need to be created for ArcGIS Online or ArcGIS Enterprise. We don’t have to add students to the portal manually (or via script), and share credentials with them.
    • This could solve various inefficiencies associated with creating and managing multiple accounts, which takes time and thus is an incurred cost.
    • Students have one account only, if one portal is used, which makes it easy to save projects and build their geospatial portfolio. Without SSO, some institutions create different student accounts for different courses, which means that workflows would need to be in place to transfer student content.
    • When a student is no longer attending the university and has been removed from the institution's identity store, access can be prevented. They will no longer be able to log in to the ArcGIS Online or ArcGIS Enterprise portal. As an administrator, it would be easy to find disabled accounts, determine what would be done with their content, then remove the student account from the portal.


  • What you would still need to do (i.e. what problems it does not solve)
    • Manage groups – a group for a course or project would still need to be created, and users added to it. SAML-based group membership functionality is now available. 
    • Manage content when student or faculty leaves the institution, if desired. The recommendation is to do nothing, as users may rely on this content. Geo Jobe Admin Tools, ArcGIS Online Assistant and the ArcGIS API for Python could be useful for managing content, and many other tasks, associated with portal management.


  • How do we do it
    • Work with your IT department and refer to the documentation – these are industry standards, and IT staff will be aware of them.
    • Attached is a template letter to Campus IT staff that could be used to request SSO.
    • Esri Technical Support is there to help if any issues arise.
    • Note: Esri technology supports identity federation (allowing the use of identification coming from multiple enterprise systems) – as of June 2018 ArcGIS Online release. 

Further feedback is welcome!

5 Comments
Occasional Contributor III

This has been a useful post for working with our IT partners to successfully implement SSO for AGO. Now that it works, it occurs to me that a boilerplate statement template to users about SSO and its implications for new AND existing users would also be fantastically useful. Something that helps explain some of the dynamics you highlight above, but for users. I can imagine the following questions will be coming soon after our announcement:

"I've been using an Esri GlobalID for logging into AGO. How do I migrate my content to the new username?"

"I've recently left Stanford and I'm no longer able to access my content on AGO! How can I recover it?"

And so on...

Stace

Esri Regular Contributor

Great questions, Stace. To have such a boilerplate statement to users, one would need to identify how the transition from arcgis-only to enterprise accounts will take place. We encourage transparently migrating the accounts for users, and doing it all at once. All the user needs to know, from their perspective, is that they now need to use their university credentials after some announced downtime. Other approaches are possible, but will result in extra work, and possibly confused users.

Below are a few ideas for implementation strategy:

  • Use the ArcGIS API for Python to facilitate this transition and transfer content from a source user (arcgis-only) to a target user (enterprise user). Please take a look at the following sample that does exactly that, and was specifically written with this workflow in mind. An added benefit of using this approach is that group membership gets maintained as well.
  • Communicate with users - notify users ahead of time of the impending transition to enterprise logins, and set a timeframe when ArcGIS Online will be unavailable to them. Consider noting the benefits they will be gaining.
  • Remind users of the new login workflow - now they will be using their enterprise credentials.
  • You would need to create a mapping between arcgis-only and enterprise accounts.

What the above approach/script would do:

  • For each arcgis-only, non-admin account, create an enterprise account.
  • Reassign group ownership.
  • Reassign content ownership.
  • Disable the arcgis-only account - deleting accounts is more complex, as you have to revise entitlements and disable Esri Access.

If you are just getting started and not ready to enable enterprise logins yet, consider the following to help with a smoother migration down the road.

  • Create arcgis-only usernames that match enterprise usernames (do not add the org suffix, such as gmiller__myuniversity) - currently ArcGIS Online will not protect the namespace for an enterprise account.
  • The above makes it easier to keep track of and look up users in other systems, such as LMS/SIS, campus directory, etc.

We welcome any further thoughts and if anyone has been through this process before, please share any experiences and approaches.
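As an added example (not Esri's code and not the sample script the reply links to), the Python dry-run planner below applies the migration steps from this reply to constructed account data: it builds the arcgis-only to enterprise username mapping, flags built-in usernames that already carry the `_<org suffix>` shape the portal gives SSO users (the namespace conflict discussed further down the thread), leaves admins untouched, and emits the ordered create / reassign / disable actions that a live run with the ArcGIS API for Python would execute. The role names, the `myuniversity` suffix and all sample accounts are assumptions; it runs offline and never touches a portal.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    role: str       # assumed role names: "org_admin", "org_publisher", "org_user"
    provider: str   # "arcgis" = built-in (arcgis-only) login, "enterprise" = SSO login

@dataclass
class Plan:
    mapping: dict = field(default_factory=dict)    # arcgis-only username -> enterprise username
    conflicts: list = field(default_factory=list)  # built-in names already shaped like SSO names
    skipped: list = field(default_factory=list)    # admins and accounts with no IdP match
    steps: list = field(default_factory=list)      # ordered actions for the live run

def enterprise_username(idp_username, org_suffix):
    """Name the portal gives an SSO user: <IdP username>_<org suffix>, e.g. cprice_sdmines."""
    return f"{idp_username}_{org_suffix}"

def plan_migration(accounts, idp_usernames, org_suffix, manual_map=None):
    """Dry run: decide what would happen to each account without touching the portal."""
    plan, idp, manual = Plan(), set(idp_usernames), manual_map or {}
    for acct in accounts:
        if acct.provider != "arcgis":
            continue                              # already an enterprise login, nothing to do
        if acct.role == "org_admin":
            plan.skipped.append(acct.username)    # keep a built-in admin as break-glass access
            continue
        if acct.username.endswith(f"_{org_suffix}"):
            # Built-in account already holds an SSO-shaped name; two accounts cannot share it.
            plan.conflicts.append(acct.username)
            continue
        idp_name = manual.get(acct.username, acct.username)   # explicit mapping wins
        if idp_name not in idp:
            plan.skipped.append(acct.username)    # no identity to link to; review by hand
            continue
        target = enterprise_username(idp_name, org_suffix)
        plan.mapping[acct.username] = target
        plan.steps += [("create", target), ("reassign_groups", acct.username, target),
                       ("reassign_content", acct.username, target), ("disable", acct.username)]
    return plan

def demo_plan():
    """Constructed sample data; 'myuniversity' is an assumed org suffix."""
    accounts = [Account("gmiller", "org_user", "arcgis"),
                Account("cprice_myuniversity", "org_publisher", "arcgis"),  # namespace conflict
                Account("admin_gis", "org_admin", "arcgis"),
                Account("jdoe", "org_user", "arcgis"),                      # differs from IdP name
                Account("tlee_myuniversity", "org_user", "enterprise")]
    return plan_migration(accounts, ["gmiller", "cprice", "jane.doe"], "myuniversity", manual_map={"jdoe": "jane.doe"})
```

Accounts listed under `conflicts` need renaming or removal before enterprise logins are switched on; `steps` is the order the reply describes, with disable rather than delete as the last action.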

MVP Esteemed Contributor

Create arcgis-only usernames that match enterprise usernames (do not add the org suffix, such as gmiller__myuniversity) - currently ArcGIS Online

That's interesting, we implemented SSO and the usernames the system creates have the suffix: <email_address>_sdmines.

Esri Regular Contributor

That is correct, once you enable enterprise logins, you will get the suffix, i.e. cprice_sdmines.

What the above suggested is that if you are creating an arcgis-only account before you enable enterprise logins, you do not add the suffix. If you do, this could create a namespace conflict once you implement enterprise logins: two accounts cannot be named the same, and you would have to address that.

Occasional Contributor

Hi, can you confirm that what you said here:

As an administrator, it would be easy to find disabled accounts, determine what would be done with their content, then remove the student account from the portal. 

Has to be done manually? I am wondering if there is an automated way to remove Enterprise/Single Sign-On users?