Security Assertion Markup Language (SAML) is an open standard used to securely exchange authentication and authorization data between an organization-specific identity provider and a service provider (in this case, your ArcGIS Enterprise organization). This approach is known as SAML Web Single Sign On.
The organization conforms to SAML 2.0 and integrates with identity providers that support SAML 2 Web Single Sign On. The advantage of setting up SAML is that you do not need to create additional logins for users to access your organization; instead, they use the login already set up in the identity store. This process is described throughout the documentation as setting up organization-specific logins.
Optionally, you can provide the portal with metadata about SAML groups in your identity store. This allows you to create groups in the portal that use the existing SAML groups in your identity store.
When members log in to the portal, access to content, items, and data is controlled by the membership rules defined in the SAML group. If you do not provide the necessary SAML group metadata, you can still create groups; however, membership rules are then controlled by the ArcGIS Enterprise portal, not by the identity store.
You can also configure a federation of SAML-based identity providers with your portal.
Matching ArcGIS Online usernames in the ArcGIS Enterprise portal
If the same SAML-compliant identity provider is used in your ArcGIS Online organization and your portal, organization-specific usernames can be configured to match. All organization-specific usernames in ArcGIS Online have the short name of the organization appended to the end. The same organization-specific usernames can be used in your portal by defining the defaultIDPUsernameSuffix property in the ArcGIS Enterprise portal security configuration and setting it to match the organization's short name. This is required if editor tracking is enabled on a feature service that is edited by organization-specific users from both ArcGIS Online and your portal.
ArcGIS Enterprise supports organization-specific logins initiated by the service provider (SP) and organization-specific logins initiated by the identity provider (IdP). The sign-in experience differs between the two.
Service provider-initiated logins
With service provider-initiated logins, users directly access the portal and are presented with the option to sign in with built-in accounts (managed by the portal) or with accounts managed in a SAML-compliant identity provider. If the user chooses the SAML identity provider option, they are redirected to a web page (known as the identity provider's login manager) where they are asked to provide their SAML username and password. After verifying the user's login credentials, the SAML-compliant identity provider informs ArcGIS Enterprise of the verified identity of the user who is signing in, and the user is redirected back to the portal website.
If the user selects the built-in account option, the login page for the ArcGIS Enterprise portal website opens. The user then enters their built-in username and password to access the website. You can use the built-in account option as a fallback in case the SAML-compliant identity provider is not available, provided the option to sign in with an ArcGIS account was not disabled.
Identity provider-initiated logins
With identity provider-initiated logins, users directly access the identity provider's login manager and sign in with their account. When a user submits their account information, the identity provider sends a SAML response directly to ArcGIS Enterprise. The user is then signed in and redirected to the portal website, where they can immediately access resources without having to sign in to the organization again.
The option to sign in using built-in accounts is not available in the login manager. To sign in to an organization with built-in accounts, members must access the portal website directly.
If SAML logins are not working because of identity provider issues and the built-in accounts option is disabled, you cannot access your ArcGIS Enterprise portal until you enable this option again. See this question in Common Problems and Solutions for instructions.
SAML identity providers
ArcGIS Enterprise supports all SAML-compliant identity providers. You can find detailed instructions on configuring certain common SAML-compliant identity providers in the ArcGIS/IdP GitHub repository.
The process of configuring an identity provider with ArcGIS Enterprise is described below. Before proceeding, it is recommended that you contact the administrator of your SAML identity provider to obtain the parameters required for configuration. For example, if your organization uses Microsoft Active Directory, the responsible administrator is the person to contact to configure or enable SAML on the organization-specific identity provider side and to obtain the configuration parameters needed on the portal side.
ArcGIS Enterprise requires certain attribute information to be received from the IdP when a user signs in using SAML logins. The NameID attribute is required and must be sent by your IdP in the SAML response for the federation to work. Because ArcGIS Enterprise uses the NameID value to uniquely identify a named user, it is recommended that you use a constant value that uniquely identifies the user. When a user from the IdP signs in, ArcGIS Enterprise creates a new user with the NameID value as the username in its user store. The allowed characters for the NameID value are alphanumeric, _ (underscore), . (period), and @ (at sign). All other characters are escaped to underscores in the username that ArcGIS Enterprise creates.
ArcGIS Enterprise supports receiving the user's email address, group membership, first name, and last name from the SAML identity provider.
User profile mapping
The following table lists which SAML assertion values map to which portal user properties:
| ArcGIS user property | Assertion attribute defined by the IdP |
| --- | --- |
For multiple group claims, only one attribute name should be specified.
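The following is an added example (not code from the page or from Esri) showing how the rules above combine when an assertion is turned into a portal user: the mandatory NameID, the escaping of disallowed username characters to underscores, the optional defaultIDPUsernameSuffix described earlier, attribute mapping driven by the IdP-defined attribute names, and a single multi-valued attribute carrying all group claims. The IdP attribute names, the sample SAML response, and the use of "_" to join the suffix are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a Response/Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Characters the page allows in a NameID-derived username: alphanumeric,
# _ (underscore), . (period) and @ (at sign). Anything else becomes "_".
DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")

# Portal user property -> attribute name the IdP places in the assertion.
# The IdP-side names are constructed for this example; use the names your
# IdP administrator gives you. Group membership uses ONE attribute name
# that carries one AttributeValue per group (multiple group claims).
DEFAULT_MAPPING = {
    "email": "email",
    "givenName": "givenName",
    "surname": "surname",
    "groups": "memberOf",
}


def portal_username(name_id, suffix=""):
    """Derive the portal username from a NameID value.

    suffix models defaultIDPUsernameSuffix; joining it with "_" is an
    assumption of this example, not something the page states."""
    base = DISALLOWED.sub("_", name_id.strip())
    return f"{base}_{suffix}" if suffix else base


def parse_saml_response(xml_text, mapping=DEFAULT_MAPPING):
    """Extract NameID and the mapped attributes from a SAML 2.0 Response."""
    root = ET.fromstring(xml_text.strip())
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAML response carries no Assertion")
    # NameID is mandatory: without it the portal cannot identify the user.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or not name_id.strip():
        raise ValueError("NameID is required but missing from the assertion")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in values]
    profile = {"nameid": name_id.strip(), "username": portal_username(name_id)}
    for prop, idp_attr in mapping.items():
        values = attrs.get(idp_attr, [])
        # groups is multi-valued; every other property takes the first value.
        profile[prop] = values if prop == "groups" else (values[0] if values else None)
    return profile


def matching_saml_groups(profile, portal_group_names):
    """Portal groups the user may join: the portal group name must match the
    asserted group value exactly (case-sensitive), as the page requires."""
    asserted = set(profile["groups"])
    return [g for g in portal_group_names if g in asserted]


# Constructed sample response (no signature, for illustration only).
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>GIS Editors</saml:AttributeValue>
        <saml:AttributeValue>GIS Viewers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed response with no NameID: the portal must reject it.
MISSING_NAMEID_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Subject/></saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    p = parse_saml_response(SAMPLE_RESPONSE)
    print(p)
    print("suffixed:", portal_username(p["nameid"], "cityofredlands"))
    print("joinable:", matching_saml_groups(p, ["GIS Editors", "gis viewers"]))
```

Note that "gis viewers" does not match "GIS Viewers": the portal group name has to equal the asserted attribute value character for character, which is why the page tells you to confirm the exact value with your SAML administrator.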
Configure the portal with a SAML identity provider
You can configure your portal so that users can sign in using the same username and password they use with your existing on-premises systems. Before setting up organization-specific logins, you must configure the default user type for your organization.
- Sign in to the portal website as an administrator of your organization and click Organization > Settings > Security.
- Under Logins, click New SAML login and select the One identity provider option. On the Specify properties page, enter the name of your organization (for example, City of Redlands).
  When users access the portal website, this text is displayed as part of the SAML login option (for example, Using a City of Redlands account).
- Choose Automatic or At the request of the administrator to specify whether users can join the organization automatically or by invitation.
  The first option allows users to sign in to the organization with their organization-specific login without administrator intervention. Their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to register the necessary accounts in the organization using a command line utility. Once the accounts are registered, users can sign in to the organization.
  It is recommended that you designate at least one SAML account as an administrator for your portal and demote or delete the initial administrator account. It is also recommended that you disable the Create Account button on the portal website so that users cannot create their own accounts. For instructions, see the Specify an organization-specific account as an administrator section below.
- Specify the source that the portal will access to obtain metadata information. This provides the necessary metadata about your SAML-compliant identity provider. Instructions for obtaining metadata from certified providers can be found in the ArcGIS/IdP GitHub repository. There are three possible sources of metadata information:
  - URL—Specify a URL that returns metadata information about the identity provider.
    If your identity provider uses a self-signed certificate, you may encounter an error when specifying an HTTPS metadata URL. This error occurs because ArcGIS Enterprise cannot verify the identity provider's self-signed certificate. Alternatively, use HTTP in the URL or one of the other options below, or configure your identity provider with a trusted certificate.
  - File—Upload a file containing identity provider metadata.
  - Parameters specified here—Enter metadata information about the identity provider directly by providing the following:
    - Login URL (Redirect)—Specify the identity provider URL (supporting HTTP redirect binding) that ArcGIS Enterprise will use to let members sign in.
    - Login URL (POST)—Specify the identity provider URL (supporting HTTP POST binding) that ArcGIS Enterprise will use to let members sign in.
    - Certificate—Provide the identity provider's certificate, encoded in Base64 format. This certificate enables ArcGIS Enterprise to verify the digital signature in the SAML responses that the identity provider sends to it.
  Contact your identity provider administrator if you need help determining the source of the metadata you need to provide.
- Register the portal's service provider metadata with your identity provider to complete the configuration process and establish trust with the identity provider. To get the metadata from your portal, do one of the following:
  - In the Security section on the Settings tab for your organization, click the Download service provider metadata button to download the metadata file for your organization.
  - Open the metadata URL and save it as an .xml file on your computer. The URL is https://webadaptorhost.domain.com/webadaptorname/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://webadaptorhost.domain.com/webadaptorname/sharing/rest/generateToken. When entering the URL on the Generate Token page, specify the fully qualified domain name of the identity provider's server in the Webapp URL text box. No other option, such as IP Address or IP Address of this request's origin, is supported; those options may generate an invalid token.
  Instructions for registering the portal's service provider metadata with certified providers can be found in the ArcGIS/IdP GitHub repository.
- Configure advanced settings as needed:
  - Enable encrypted assertion—Indicate to the SAML identity provider that ArcGIS Enterprise supports encrypted SAML assertion responses. When this option is selected, the identity provider encrypts the assertion section of the SAML response. All SAML traffic to and from ArcGIS Enterprise is already encrypted using HTTPS, but this option adds another layer of encryption.
  - Enable signed request—Have ArcGIS Enterprise sign the SAML authentication request sent to the identity provider. Signing the initial login request sent by ArcGIS Enterprise allows the identity provider to verify that all login requests originate from a trusted service provider.
    Enable this setting to ensure the integrity of SAML requests. You can enable this option at any time in the advanced settings, even if you skipped it during the initial configuration of your portal.
  - Propagate logout to identity provider—Have ArcGIS Enterprise use the logout URL to sign the user out of the identity provider. Enter the URL to use in the Logout URL setting. If the identity provider requires the logout URL to be signed, the Enable signed request setting must also be enabled. When this setting is unchecked, clicking Sign Out in ArcGIS Enterprise signs the user out of ArcGIS Enterprise but not out of the identity provider. If the user's web browser cache has not been cleared, immediately signing back in to ArcGIS Enterprise using the organization-specific login option results in a login without the user providing credentials to the SAML identity provider. This is a security vulnerability that can be exploited on a computer that is accessible to unauthorized users or the general public.
  - Update profiles on sign in—Have ArcGIS Enterprise update the user's givenName and email address attributes if they have changed since the last sign-in. This is enabled by default.
  - Enable SAML-based group membership—Allow portal administrators to link groups in the SAML identity provider with groups created in your ArcGIS Enterprise portal. When this setting is enabled, ArcGIS Enterprise parses the SAML assertion response to identify the groups to which the member belongs. You can then specify one or more of the SAML groups provided by the identity provider under Who can join this group? when creating a new group on your portal. This feature is disabled by default.
    When creating a new group in the ArcGIS Enterprise portal, the group name you enter must exactly match the value of the external SAML group as returned in the attribute value of the SAML assertion. If you are unsure of the exact value, contact the administrator who configured your organization's SAML system.
  - Logout URL—Enter the identity provider URL that will be used to sign out the currently signed-in user. If this property is specified in the identity provider metadata file, it is set automatically.
  - Entity ID—Update this value to use a new entity ID that uniquely identifies your ArcGIS Enterprise organization to the SAML identity provider.
Specify an organization-specific account as an administrator
How you designate an organization-specific account as a portal administrator depends on whether users can join the organization automatically or when invited by an administrator.
Join the organization automatically
If you chose the Automatic option to allow users to join the organization automatically, open the home page of the portal website while signed in with the organization-specific account that you want to use as a portal administrator.
When an account is automatically added to the portal for the first time, it is assigned the default role configured for new members. Only an organization administrator can change the role of an account; you must sign in to the portal using the initial administrator account and assign the organization-specific account to the administrator role.
- Open the portal website, click the option to sign in using the SAML identity provider, and enter the credentials of the SAML account you want to use as an administrator. If this account belongs to someone else, have that user sign in to the portal to register the account with the portal.
- Verify that the account has been added to the portal and click Sign Out. Clear your browser's cache and cookies.
- In your browser, open the portal website, click the option to sign in with a built-in portal account, and enter the credentials of the initial administrator account you created when setting up ArcGIS Enterprise.
- Find the SAML account you want to use to administer the portal and change its role to Administrator. Click Sign Out.
The SAML account you selected is now the portal administrator.
Manually add organization-specific accounts to the portal
If you chose the At the request of the administrator option to allow users to join the organization by invitation only, you must register the necessary accounts in the organization using a command line utility. Choose the Administrator role for the SAML account that will be used for portal administration.
Demote or delete the initial administrator account
Now that you have an alternate portal administrator account, you can assign the initial administrator account to a different role or delete the account. See About the initial administrator account for more information.
Prevent users from creating their own accounts
You can prevent users from creating their own built-in accounts by preventing users from creating built-in accounts in the organization settings.
Prevent users from signing in with an ArcGIS account
To prevent users from signing in to the portal using an ArcGIS account, turn off the ArcGIS login toggle button on the login page.
- Sign in to the portal website as an organization administrator and click Organization > Settings > Security.
- In the Logins section, turn off the ArcGIS login toggle button.
The login page now displays a button to sign in to the portal using an identity provider account, and the ArcGIS login button is not available. To re-enable member logins with ArcGIS accounts, turn on the ArcGIS login toggle button in the Logins section.
Modify or remove the SAML IdP
Once you have set up a SAML IdP, you can update its settings by clicking the edit button next to the currently registered SAML IdP. Update the settings in the Edit SAML login window.
To remove the currently registered IdP, click the edit button next to the IdP and click Delete login in the Edit SAML login window. After you have removed an IdP, you can optionally set up a new IdP or a federation of IdPs.
Best practices for SAML security
To enable SAML logins, you configure ArcGIS Enterprise as the SP for your SAML IdP. To ensure robust security, consider the best practices described below.
Digitally sign SAML login and logout requests and sign the SAML assertion response
Signatures are used to ensure the integrity of SAML messages and act as protection against man-in-the-middle (MITM) attacks. Digitally signing SAML requests also ensures that each request is sent by a trusted SP, allowing the IdP to better deal with denial-of-service (DoS) attacks. Turn on the Enable signed request option in the advanced settings when configuring SAML logins.
Enabling signed requests requires that the IdP be updated each time the signing certificate used by the SP is renewed or replaced.
Configure the SAML IdP to sign the SAML response, to prevent tampering with the SAML assertion response in transit.
Enabling signed responses requires that the SP (ArcGIS Enterprise) be updated whenever the signing certificate used by the IdP is renewed or replaced.
Use an HTTPS IdP endpoint
Any communication between the SP, the IdP, and the user's browser that is sent over the internal network or the Internet in unencrypted form can be intercepted by a malicious actor. If your SAML IdP supports HTTPS, it is recommended that you use an HTTPS endpoint to ensure the confidentiality of data transmitted during SAML logins.
Encrypt the SAML assertion response
Using HTTPS for SAML communication protects SAML messages sent between the IdP and the SP in transit. However, signed-in users can still decode and view SAML messages in their web browser. Enabling assertion response encryption prevents users from viewing confidential or sensitive information exchanged between the IdP and the SP.
Enabling encrypted assertions requires that the IdP be updated whenever the encryption certificate used by the SP (ArcGIS Enterprise) is renewed or replaced.
Securely manage signing and encryption certificates
Use certificates with strong cryptographic keys for digitally signing or encrypting SAML messages, and renew or replace the certificates every three to five years.
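As an added example (not code from the page, from Esri, or from the ArcGIS/IdP repository), the script below audits a SAML metadata document, whether the service provider metadata you download from the portal in the registration step above or the metadata your IdP hands you, against the best practices in this section: every endpoint must be HTTPS, a signing certificate must be present (and AuthnRequestsSigned/WantAssertionsSigned set on an SP), an encryption certificate must be present for encrypted assertions, and a logout endpoint must exist for logout propagation. It also prints a SHA-256 fingerprint for each certificate so that, after a renewal, you can confirm the other party holds the same certificate. The sample metadata, its hostname paths, and the Base64 certificate blobs are constructed for this example and are not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces.
MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(b64_cert):
    """SHA-256 fingerprint of a Base64 (DER) certificate, whitespace ignored.
    Compare this with the certificate registered on the other side after a
    renewal instead of eyeballing the Base64 blob."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def audit_metadata(xml_text):
    """Return entity ID, role, endpoints, key fingerprints and a list of findings."""
    root = ET.fromstring(xml_text.strip())
    entity_id = root.get("entityID")
    role, role_name = root.find("md:SPSSODescriptor", MD), "SP"
    if role is None:
        role, role_name = root.find("md:IDPSSODescriptor", MD), "IdP"
    if role is None:
        raise ValueError("metadata has no SP or IdP role descriptor")
    findings, endpoints, keys = [], [], {}

    # Every endpoint should be HTTPS ("Use an HTTPS IdP endpoint").
    for tag in ("AssertionConsumerService", "SingleSignOnService", "SingleLogoutService"):
        for ep in role.findall(f"md:{tag}", MD):
            loc = ep.get("Location", "")
            endpoints.append((tag, ep.get("Binding", ""), loc))
            if not loc.lower().startswith("https://"):
                findings.append(f"{tag} endpoint is not HTTPS: {loc}")

    # A KeyDescriptor without a "use" attribute serves both purposes.
    for kd in role.findall("md:KeyDescriptor", MD):
        cert = kd.findtext(".//ds:X509Certificate", namespaces=MD)
        if not cert:
            continue
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            keys[use] = cert_fingerprint(cert)
    if "signing" not in keys:
        findings.append("no signing certificate: signed requests/responses cannot be verified")
    if role_name == "SP" and "encryption" not in keys:
        findings.append("no encryption certificate: encrypted assertions cannot be used")
    if role_name == "SP" and role.get("AuthnRequestsSigned", "false").lower() != "true":
        findings.append("AuthnRequestsSigned is not true: enable signed requests on the SP")
    if role_name == "SP" and role.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true: the IdP is not asked to sign assertions")
    if not any(tag == "SingleLogoutService" for tag, _, _ in endpoints):
        findings.append("no SingleLogoutService: logout cannot propagate to the other party")
    return {"entity_id": entity_id, "role": role_name, "endpoints": endpoints,
            "keys": keys, "findings": findings}


# Constructed SP metadata with deliberate weaknesses: unsigned requests,
# no WantAssertionsSigned, and a plain-HTTP logout endpoint. The host,
# paths and certificate blobs are placeholders, not real values.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://samltest.domain.com/arcgis">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q29uc3RydWN0ZWQgc2lnbmluZyBjZXJ0</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q29uc3RydWN0ZWQgZW5jcnlwdGlvbiBjZXJ0</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://samltest.domain.com/arcgis/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://samltest.domain.com/arcgis/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    report = audit_metadata(SAMPLE_SP_METADATA)
    print(report["role"], report["entity_id"])
    for use, fp in report["keys"].items():
        print(f"  {use} cert sha256: {fp}")
    for finding in report["findings"]:
        print("  FINDING:", finding)
```

To audit your own portal, save the service provider metadata obtained in the registration step (the download button or the metadata URL with a token) and pass its text to audit_metadata; the same call accepts IdP metadata, in which case the HTTPS check covers the SingleSignOnService and SingleLogoutService endpoints. Re-run it after every certificate renewal and compare the fingerprints with what the other party has registered, since the section above notes that each renewal on either side requires the other side to be updated.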