Migrating AGOL SAML Identity Provider from on-premise ADFS to Azure ADFS

08-03-2020 08:31 AM
MatthewRantala1
New Contributor III

We are looking at switching the single sign-on identity provider that our organizational AGO account uses from our on-premise ADFS server to Azure ADFS and are wondering if that can be a seamless transition if the NAMEID is the same in both configurations. We're hoping that accounts will persist after we switch and we won't need to modify ownership and/or group membership.

Thanks for any information, site, or personal experience!

Configure Active Directory Federation Services—ArcGIS Online Help | Documentation 

Azure Set-Up: Tutorial: Azure Active Directory integration with ArcGIS Online | Microsoft Docs 

6 Replies
NorthSouthGIS
Occasional Contributor II

Unfortunately, you must create whole new accounts, transfer content and group membership, and delete old accounts. There is no way to convert existing accounts at this time. Keep in mind, you can maintain both the "old" way of logging in (AGOL named users) and the "new" way (SAML) at the same time, so make sure to train your users on logging in correctly if you choose not to disable Esri logins.

MatthewRantala1
New Contributor III

Actually, this turned out not to be the case for us. I may not have been clear, but we were already using SAML via an on-premise ADFS server, so we were not switching from named users to SAML but switching SAML providers.

We were able to seamlessly switch from our on-premise ADFS server to Azure without having to create new users or re-assign content/groups. I wasn't the one that worked on it, but my understanding is that the accounts are tied to the email account (the email account served as a primary key) and, as long as the SAML was consistent, AGO was able t.

We tested first on our Portal installation and determined the specifications of what needed to be done and then switching AGO took just a few minutes.

GeraldCoates1
New Contributor II

We are scheduled to do this on Saturday. I was told by several people that we had to create new accounts. I greatly appreciate you posting this. It will hopefully help me. Thank you!

MatthewRantala1
New Contributor III

Good luck!

As I mentioned above, I didn't do the work myself, but since we were able to essentially replicate our ADFS configuration in Azure, it did work seamlessly. If I understood right, our email address basically was our key identifier. We did test on our portal installation first so whatever minor quirks existed were figured out before trying AGO.

EdgarWIparraguirre
New Contributor II

As long as the NameID claim definition does not change, there is no need to create new users. I guess it is safe to say that the username in AGOL/Portal is nothing other than the NameID. On ADFS / Azure AD, NameID is normally coupled to the UserPrincipalName (most of the time equal to the e-mail address, but not necessarily).
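A pre-migration check built on the point made in this reply, added here as an example and not code from the thread or from Esri: it parses the NameID from a test assertion captured from each identity provider and reports whether the value (and its Format attribute) would stay identical for a user. The assertions below are constructed samples; the case-mismatch status is reported separately because the thread does not say how the service provider compares case.

```python
# Added example: compare the NameID each IdP sends for the same user before
# switching ArcGIS Online/Portal from on-premise ADFS to Azure AD.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def extract_nameid(assertion_xml: str) -> tuple:
    """Return (value, format) of the <saml:NameID> inside a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return node.text.strip(), node.get("Format", UNSPEC)


def compare_nameids(old_xml: str, new_xml: str) -> dict:
    """Classify whether the account keyed on NameID survives the IdP switch."""
    old_val, old_fmt = extract_nameid(old_xml)
    new_val, new_fmt = extract_nameid(new_xml)
    if old_val == new_val:
        status = "match"            # same username on the SP side
    elif old_val.lower() == new_val.lower():
        status = "case-mismatch"    # assumption: worth flagging, SP case rules not stated
    else:
        status = "mismatch"         # user would be treated as a new identity
    return {"old": old_val, "new": new_val, "status": status,
            "format_changed": old_fmt != new_fmt}


def assertion(nameid: str, fmt: str) -> str:
    """Build a minimal constructed SAML 2.0 assertion for testing (not a real IdP response)."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_test" Version="2.0">'
            f'<saml:Subject><saml:NameID Format="{fmt}">{nameid}</saml:NameID>'
            f'</saml:Subject></saml:Assertion>')


# Constructed samples: the old ADFS rule and the Azure AD claim both emit the UPN.
OLD_ADFS = assertion("jdoe@example.org", EMAIL)
NEW_AZURE = assertion("jdoe@example.org", EMAIL)
# Constructed failure mode: Azure AD configured to emit a directory object id instead.
NEW_AZURE_OBJID = assertion("3f2c1e9a-0000-4000-8000-000000000001", UNSPEC)

if __name__ == "__main__":
    print(compare_nameids(OLD_ADFS, NEW_AZURE))        # status: match
    print(compare_nameids(OLD_ADFS, NEW_AZURE_OBJID))  # status: mismatch
```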

GeraldCoates1
New Contributor II

Thanks for the info. You are correct. We made the change and did not have to create new accounts. There were a couple of settings that we had to change on the Azure ADFS connection, but everything worked. Thanks for taking the time to respond.
