
Help with simplifying AGOL sign-in

Question asked by zconlen on Oct 20, 2016
Latest reply on Oct 27, 2016 by DUrbach-esristaff

Hi. I'd like to simplify the sign-in experience for end users. We have integrated with ADFS, so users can sign in using their regular work domain accounts, but there are some issues and it's often confusing for new users or infrequent users. There is some variability depending on whether they are on a browser vs. signing in to Collector, etc., but the following screenshots show what a new user might see.


1. For our apps, they need to use their enterprise account, so we need to train them to ignore the prominent sign in interface and instead, click the button below.


2. The user needs to know the domain part of our URL.

3. The user needs to know that they should use their Bellevue account.

4. Finally, they get to the point of actually signing in. 


5. To complicate matters, the map or feature service may be secured (we use LDAP or Windows security). If so, the user will be prompted to authenticate against the service, which looks something like below. The password is the same as what they input for AGOL sign-in, but the username in this case is just the username, rather than the full email.


Now, that's a lot to ask of a casual user. They don't really understand why they need to sign in twice, and why the username is different for the different sign-in dialogs. So, looking for ways to simplify this. One option is to configure the organization sign in options to only show the enterprise login. 


This would be a good improvement, but there is one issue. Several times, we have had ADFS down temporarily, and when that happens, we can't use our enterprise accounts to sign into AGOL and administer the organization. Also, our ADFS certification expires once a year, and if we fail to update our organization before it expires, we are again unable to use our org account. So, as a backup, we have one AGOL account with admin privileges that we can use when ADFS is not working. Due to this issue, we are hesitant to change the sign-in options, because we would have no way to access and administer our account in the situation mentioned above.


To summarize:

1) Sign in experience for users is burdensome. ESRI should look into ways to simplify this. Perhaps allowing AGOL authentication to pass through to map service authentication. Also, allow administrators to customize the sign in interface.

2) If we change the sign in options so that users can only use their Bellevue accounts, how could we handle cases where those accounts are not working due to issues with ADFS? Is there another backdoor way to get into our accounts?

3) Are others dealing with this issue? If so, what strategies have you adopted?