Select to view content in your preferred language

Single sign-on (SSO) Might Impact Students More Than You Thought

750
8
07-18-2024 03:33 PM
Labels (1)
JianChen
Regular Contributor

The single sign-on (SSO) authentication method allows users to securely authenticate with multiple applications and websites by using just one set of credentials, usually an institute-issued one. Yesterday at the ESRI User Conference, I was told by ESRI Reps that ESRI would enforce SSO beginning January 1st, 2025 and all other licensing options would be gone. This news shocked me with such a short time turnaround. I would like to express my concerns here.

Of course, SSO is convenient and safe. We don't need to remember two separate sets of credentials for My ESRI and ArcGIS Online. But the downside is also obvious: you cannot assume you always have a reliable internet connection. Our campus is located in a tornado-threaten area. Last year alone, our campus experienced severe campus-wide (sometimes city-wide) internet outages for various of reasons such as weather, accidents, equipment failure, etc. Most of those internet outages lasted several hours or even longer. More importantly, not all our students have reliable internet connection at homes. Previously, single-use license works well for our GIS major students who need to access to ArcGIS Pro frequently from their own computer. Many of our students have multiple jobs besides being a full-time students because of financial burden. They might not have reliable internet at home. I remember some of my former students drove to campus and stayed in the parking lot so that they can have reliable WIFI if they were taking an online quiz or exam during the pandemic. Aftere pandemic, they no longer need to be stucked in the parking lot, but it is prevalent among students to leverage the free internet connectivity on campus. It is probably understandable to take a quiz or exam, but it might be too much due to the SSO requirement of ArcGIS Pro. My students need to work on ArcGIS Pro several hours at least for one single assignment.

I wish single-use license option can last longer, much longer so that we can have some alternatives for students who need it or in the filed we don't have internet connection.

 

8 Replies
BrianBaldwin
Esri Regular Contributor

Hey there Jian @JianChen - thanks for coming by the booth and visiting us at the UC!

So - just to clarify a little bit, it sounds like there might have been a misunderstanding or someone just stated something incorrectly or wrong.

  1. Esri will not enforce SSO/SAML as the only sign-in method at any date.
    1. We are encouraging the education community to enable SSO, to the make the license administration and user experience easy, but understand that it is not appropriate for all users or use cases.
  2. Esri IS removing Single-Use/Concurrent Use licensing from education licenses.
    1. Users can still use the 'built-in' named user functionality and there is no need to enable SSO for this.

With either of these options, users can 'check-out' a license of ArcGIS Pro for offline use if that capability is enabled in the organization.

Let me know if there is anything you heard anything else that sounded a bit upsetting (or good!) and we can definitely get back to you to clear it up or explain the rationale.

-----------------------------------

Brian Baldwin, Esri Inc., Lead Solution Engineer
https://www.linkedin.com/in/baldwinbrian
JianChen
Regular Contributor

Hey Brian,

Thanks for your reply! We all know that the experience with the named user account is not something I can be proud of. Students need to memorize their credentials for both MyESRI and ArcGIS Online. SSO is definitely more convenient in that sense. I heard to implement SSO is not very easy, and we might need to add suffix for our institution credentials when we login with SSO. Out ITS is kind of reluctant to take that route if that is the case. We scheduled a meeting next Monday with ESRI Support Services to discuss the implementation details. The head of our university's ITS will be on that call as well. Hopefully, after that meeting, we will have better idea how realistic to implement SSO for ESRI products usage.

Anyway, I heard the deadline is the end of this year, either is removing single-use/concurrent licensing, or implementing SSO. I understand that the capability of checking-out license has been there for a while but haven't been widely used on our campus yet. Is it true that this capability is still there after all the previous licensing options are gone. Is there any cap about how many "licenses" can be checked out, say after the beginning of the next year?

0 Kudos
BrianBaldwin
Esri Regular Contributor

@JianChen - Thanks for the reply - 

Couple of things - 

  • We recommend that students don't have MyEsri access - this is really for license administrators, etc. The only reason to go into MyEsri is to manage the university account/etc. 
    • The confusion here might be enabling 'Esri Access' for students on their ArcGIS Online accounts - as this enables them to take training, etc. But - this is seperate from MyEsri.
  • In terms of user accounts - SSO definitely helps with removing another account/PW that students need to remember - it also goes in line with the vast majority of IT best practices - to ensure that only students/staff at the university have access to your accounts/resources.
  • For the SSO setup - it honestly takes about 5 minutes. The caveat with this is just thinking through some of the default settings for new users, licenses, etc. We have a number of best practices published on this to assist with these discussions:
  • Yep! The license check-out process is still there and will be with the license changes to named user and SSO. If you wanted - a university could check out 50,000 licenses. Meaning to say, there is no limit.

-----------------------------------

Brian Baldwin, Esri Inc., Lead Solution Engineer
https://www.linkedin.com/in/baldwinbrian
0 Kudos
JianChen
Regular Contributor

Hey Brian,

Thank you so much for your response. Here is the follow-up about the meeting we had with ESRI Support Services. During the virtual meeting, our IT colleagues tried different ways to send a test student email account an invitation, which was intended to allow students to sign-in to ArcGIS Online using the SAML credentials. However, we always got the error message "Error in accepting invitation for user... Cannot accept invitation. User email must match invitation email". This case has been elevated to a senior staff to handle. FYI, the case # is 3677938 and Samule is the current support analyst (If this kind of information is useful for you). Samule is trying to schedule another meeting with us soon. 

0 Kudos
JianChen
Regular Contributor

An update here for the error message mentioned above. ESRI support analyst still couldn't figure out what went wrong. I guess somehow ArcGIS Online messed up the name ID in SAML setting. From the tracing, everything looks fine, but the system automatically generated ID name with the Enterprise ID plus the domain name, which makes the username not recognized by the SSO. Even we went back to change the configuration multiple times for the Name ID format to match the Name ID in the live session with ESRI support. But, the issue persisted, and the system still generated the username unexpectedly when we tried to add a new user. The Name ID in ArcGIS Online automatically generates username with format of Email.Name_OrgName. For example, for a user email with tststudent@una.edu, we specified only use email prefix to generate the user ID, but the ended user ID is like "tststudent_UNAGeo". The last part is our domain name on ArcGIS Online.

No clue yet.

0 Kudos
BrianBaldwin
Esri Regular Contributor

Thanks for all of the details - and very sorry that support was not able to resolve this yet.

I ensured that your Account Manager is aware of this - and I'll see what we can do to raise the visibility of this and work towards getting it resolved for you.

-----------------------------------

Brian Baldwin, Esri Inc., Lead Solution Engineer
https://www.linkedin.com/in/baldwinbrian
0 Kudos
JianChen
Regular Contributor

Hey Brain,

We strongly feel this is a bug because it automatically adds suffix no matter what configurations we applied. Below is the support analyst's follow up and our IT head's response:

Follow-up from ESRI Support analyst:

=================================================================

Have you found out why the username continues to be generated incorrectly from the confirmed setting?

Yes, the format of the username that is generated is not controlled by the configuration of new member defaults in ArcGIS Online. The new member default settings only affect username that is created explicitly in ArcGIS Online without SAML login set up. The SAML configurations allows your IdP is in control of the username format. The most important thing in ArcGIS Online when setting up new member with the option "Invite members to join using their organization-specific logins" is to ensure that the email address inputted in ArcGIS Online should match the email address where the invitation is sent.

Most likely, the issue is happening because the method Invite members to join using their organization-specific logins should be used in conjunction with "Upon invitation from an Administrator" as opposed to the "Automatically" option you have set up  in "Edit SAML" under "Security" configuration in your organization settings. 

The "Automatically" option allows members to join the organization by signing in with their SAML or OpenID Connect login. So, when user try to sign-in with their SAML login, an ArcGIS Online account is automatically created for them. Make sure they attempted to sign-in to the organization specific ArcGIS Online domain.

Please let me know the outcome when the new member sign-in to ArcGIS Online with their SAML login.

=================================================================

Our CIO's response:

=================================================================

This issue is still happening because the system is automatically appending “_UNAGeoDept” to every SAML user that I create.  I changed the setting you mentioned and sent an invitation – SAME ERROR AS BEFORE.  I created the SAML user manually with an invitation – SAME ERROR AS BEFORE.  I created a user without an invitation and then tried to log in.  I received a slightly different error (screenshot below) but it is 100% related as it appends the same suffix.  I even attempted to create the SAML username as the full email address and it still appended the suffix.

You mentioned that “The most important thing in ArcGIS Online when setting up new member with the option "Invite members to join using their organization-specific logins" is to ensure that the email address inputted in ArcGIS Online should match the email address where the invitation is sent.”. – YOU HAVE A RECORDING WHERE WE DID THIS EXACTLY AS NOTED.

As I noted before, we have dozens of other SAML systems configured and working but none of them append information to the username.  This is a bug within your system and we request this to be elevated to someone who can correct it.

=================================================================

JianChen_0-1724121088345.png

0 Kudos
BrianBaldwin
Esri Regular Contributor

@JianChen - thanks for continuing to follow-up. Your Account Manager is working to pull in some folks on our SAML/integration side to see what else we can do.

-----------------------------------

Brian Baldwin, Esri Inc., Lead Solution Engineer
https://www.linkedin.com/in/baldwinbrian
0 Kudos