Security Assertion Markup Language (SAML) is an open standard used for the secure exchange of authentication and authorization data between an organization-specific identity provider and a service provider (in this case, Portal for ArcGIS). This approach is known as SAML Web Single Sign On.
The portal is compliant with SAML 2.0 and integrates with identity providers that support SAML 2 Web Single Sign On. The advantage of setting up SAML is that you don't have to create additional logins for users to access your ArcGIS Enterprise portal; instead, they use the login already set up in the identity store. This process is described throughout the documentation as setting up organization-specific logins.
Optionally, you can provide the portal with metadata about the enterprise groups in your identity store. This allows you to create groups on the portal that use the existing enterprise groups in your identity store.
When members log in to the portal, access to content, items and data is controlled by the membership rules defined in the enterprise group. If you do not provide the required enterprise group metadata, you can still create groups. However, membership rules are then controlled by the ArcGIS Enterprise portal, not the identity store.
Note:
As of 10.6.1, you can also configure a federation of SAML-based identity providers with your portal.
Matching ArcGIS Online usernames in an ArcGIS Enterprise portal
If the same SAML-compliant identity provider is used in your ArcGIS Online organization and your portal, organization-specific usernames can be configured to match. All organization-specific usernames in ArcGIS Online have the short name of the organization appended to the end. The same organization-specific usernames can be used in your portal by defining the defaultIDPUsernameSuffix property in the ArcGIS Enterprise portal security configuration and setting it to match the organization's short name. This is required if editor tracking is enabled on a feature service edited by organization-specific users from both ArcGIS Online and your portal.
SAML login
Portal for ArcGIS supports service provider-initiated (SP) organization-specific logins and identity provider-initiated (IDP) organization-specific logins. The sign-in experience differs between the two.
Logins initiated by the service provider
With service provider-initiated logins, users access the portal directly and are presented with the options to log in with built-in accounts (managed by the portal) or with accounts managed in a SAML-compliant identity provider. If the user chooses the SAML identity provider option, they are redirected to a web page (known as the login manager) where they are asked to provide their SAML username and password. After verifying the user's login credentials, the SAML-compliant identity provider informs Portal for ArcGIS of the verified identity of the user who is logging in, and the user is redirected back to the portal website.
If the user selects the built-in account option, the login page for the ArcGIS Enterprise portal website opens. The user then enters their built-in username and password to access the website. You can use the built-in account option as a fail-safe in case the SAML-compliant identity provider is not available, provided the option to sign in with an ArcGIS account has not been disabled.
Logins initiated by the identity provider
With identity provider-initiated logins, users access the login manager directly and log in with their account. When a user submits their account information, the identity provider sends a SAML response directly to Portal for ArcGIS. The user is then logged in and redirected to the portal website, where they can immediately access resources without having to log in to the organization again.
The option to sign in using built-in accounts is not available in the login manager. To log in to an organization with built-in accounts, members must access the portal website directly.
Note:
If SAML logins are not working due to identity provider issues and the built-in accounts option is disabled, you cannot access your ArcGIS Enterprise portal until you enable this option again. See this question in Common Problems and Solutions for instructions.
SAML identity providers
Portal for ArcGIS supports all SAML-compliant identity providers. You can find detailed instructions on configuring certain common SAML-compliant identity providers in the ArcGIS/idp GitHub repository.
The process of configuring an identity provider with ArcGIS Enterprise is described below. Before proceeding, it is recommended that you contact the administrator of your SAML identity provider to obtain the parameters required for configuration. For example, if your organization uses Microsoft Active Directory, the administrator responsible for it is the person to contact to configure or enable SAML on the organization-specific identity provider side and to obtain the parameters needed for configuration on the portal side.
Mandatory information
Portal for ArcGIS requires certain attribute information to be received from the IDP when a user logs in using SAML logins. The NameID attribute is required and must be sent by your IDP in the SAML response for the federation with Portal for ArcGIS to work. Because Portal for ArcGIS uses the value of NameID to uniquely identify a named user, it is recommended that you use a constant value that uniquely identifies the user. When a user from the IDP logs in, Portal for ArcGIS creates a new user with the username NameID in its user store. The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (period) and @ (at sign). All other characters will be escaped to include underscores in the username created by Portal for ArcGIS.
Portal for ArcGIS supports the inflow of a user's e-mail address, group membership, first name and last name from the SAML identity provider.
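As an added example (not Esri code), the following Python check applies the NameID character rule above to a list of NameID values before users first log in, and reports values that would be rewritten as well as distinct NameIDs that would end up with the same portal username. It assumes that "alphanumeric" means ASCII letters and digits and that each disallowed character becomes a single underscore; the function names and sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# Allowed NameID characters per the text above: alphanumeric, "_", "." and "@".
# Assumption: "alphanumeric" is limited to ASCII letters and digits.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")


def portal_username(name_id: str) -> str:
    """Assumed mapping: every disallowed character becomes one underscore."""
    return _DISALLOWED.sub("_", name_id)


def audit_name_ids(name_ids):
    """Return (rewritten, collisions) for an iterable of NameID values.

    rewritten  -> {name_id: username} for values that would be altered
    collisions -> {username: [name_ids]} where distinct NameIDs share a username
    """
    rewritten = {}
    by_username = defaultdict(set)
    for name_id in name_ids:
        username = portal_username(name_id)
        by_username[username].add(name_id)
        if username != name_id:
            rewritten[name_id] = username
    collisions = {
        user: sorted(ids) for user, ids in by_username.items() if len(ids) > 1
    }
    return rewritten, collisions


# Constructed sample values, not taken from any real identity store.
SAMPLE = ["jsmith@example.com", "CORP\\jsmith", "CORP/jsmith", "a.lee", "m o'neil"]

if __name__ == "__main__":
    rewritten, collisions = audit_name_ids(SAMPLE)
    for name_id, username in rewritten.items():
        print(f"rewritten: {name_id!r} -> {username!r}")
    for username, ids in collisions.items():
        print(f"collision: {username!r} <- {ids}")
```

A collision means two identities at the IDP would not be distinguishable by username in the portal, which is the situation the recommendation to send a constant, unique NameID is meant to avoid.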
Configure the portal with a SAML identity provider
You can configure your portal so that users can log in using the same username and password they use with your existing on-premises systems. Before setting up organization-specific logins, you must configure the default user type for your organization.
- Log in to the portal website as an administrator of your organization and click Organization > settings > Safety.
- In the Applications section, click New SAML login and select the One identity provider option. On the List the properties page, enter the name of your organization (for example, City of Redlands).
When users access the portal web page, this text is displayed as part of the SAML login option (for example, Using your City of Redlands account).
- Choose Automatic or At the request of the administrator to specify whether users can join the organization automatically or by invitation.
The first option allows users to log in to an organization with their organization-specific login without administrator intervention. Their account is automatically registered with the organization when they log in for the first time. The second option requires the administrator to register the necessary accounts in the organization using the command line utility or the example Python script. Once the accounts are registered, users can log in to the organization.
Advice:
It is recommended that you designate at least one SAML account as an administrator for your portal and demote or delete the initial administrator account. It is also recommended that you disable the Create Account button on the portal website so that users cannot create their own accounts. For instructions, see the Specify an organization-specific account as an administrator section below.
- Specify the source that the portal will access to obtain metadata. This provides the necessary metadata information about your SAML-compliant identity provider. Instructions for obtaining metadata from certified providers can be found in the ArcGIS/idp GitHub repository. There are three possible sources of metadata information:
  - URL—Specify a URL that returns metadata information about the identity provider.
    Note:
    If your identity provider includes a self-signed certificate, you may encounter an error when specifying the HTTPS URL of the metadata. This error occurs because Portal for ArcGIS cannot verify the identity provider's self-signed certificate. Alternatively, use HTTP in the URL or one of the other options below, or configure your identity provider with a trusted certificate.
  - File—Load a file containing identity provider metadata.
  - The parameters listed here—Enter metadata information about the identity provider directly by entering the following:
    - Login URL (Redirect)—Specify an identity provider URL (that supports HTTP redirect binding) that Portal for ArcGIS will use to allow the member to log in.
    - Login URL (POST)—Specify an identity provider URL (that supports HTTP POST binding) that Portal for ArcGIS will use to allow the member to log in.
    - Confirmation—Provide a certificate, encoded in BASE 64 format, for the identity provider. This is the certificate that enables Portal for ArcGIS to verify the digital signature in the SAML responses sent to it by the identity provider.
  Note:
  Contact your identity provider administrator if you need help determining the source of the metadata you need to provide.
- Register the portal service provider metadata with your identity provider to complete the configuration process and establish trust with the identity provider. To get metadata from your portal, do one of the following:
  - In the Safety section on the settings tab for your organization, click the Download service provider metadata button to download the metadata file for your organization.
  - Open the metadata URL and save it as an .xml file on your computer. The URL is https://webadaptorhost.domain.com/webadaptorname/sharing/rest/portals/self/sp/metadata?token=, for example, https://samltest.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://webadaptorhost.domain.com/webadaptorname/sharing/rest/generateToken. When entering the URL on the Generate token page, specify the fully qualified domain name of the identity provider's server in the URL of the web application text box. No other option, such as IP address or The IP address of the origin of this request, is supported, and they may generate an invalid token.
Instructions for registering portal service provider metadata with certified providers can be found in the ArcGIS/idp GitHub repository.
- Configure advanced settings as needed:
  - Encrypt the assertion—Indicate to the SAML identity provider that Portal for ArcGIS supports encrypted SAML assertion responses. When this option is selected, the identity provider will encrypt the assertion section of the SAML response. All SAML traffic to and from Portal for ArcGIS is already encrypted using HTTPS, but this option adds another layer of encryption.
  - Enable signed request—Have Portal for ArcGIS sign the SAML authentication request sent to the identity provider. Signing the initial login request sent by Portal for ArcGIS allows the identity provider to verify that all login requests originate from a trusted service provider.
    Advice:
    Enable this setting to ensure the integrity of SAML requests. You can enable this option at any time in the advanced settings, even if you skipped it during the initial configuration of your portal.
  - Propagate the logout to the identity provider—Have Portal for ArcGIS use the logout URL to log the user out of the identity provider. Enter the URL to use in the Unsubscribe URL setting. If the identity provider requires the logout URL to be signed, the Enable signed request setting must also be enabled. When this setting is unchecked, clicking Log off in Portal for ArcGIS will log the user out of Portal for ArcGIS but not out of the identity provider. If the user's web browser cache has not been cleared, immediately logging back in to Portal for ArcGIS using the organization-specific login option will result in a login without providing user credentials to the SAML identity provider. This is a security vulnerability that can be exploited when using a computer that is accessible to unauthorized users or the general public.
  - Update profiles after login—Have Portal for ArcGIS update the user's dataName and email address attributes if they have changed since the last login. This is enabled by default.
  - Enable SAML-based group membership—Allow portal administrators to associate groups in the SAML identity provider with groups created in your ArcGIS Enterprise portal. When this setting is enabled, Portal for ArcGIS parses the SAML assertion response to identify the groups to which the member belongs. You can then specify one or more enterprise groups provided by the identity provider for Who can join this group when you create a new group on your portal. This feature is disabled by default.
  - Unsubscribe URL—Enter the identity provider URL that will be used to log out the currently logged-in user. If this property is specified in the identity provider metadata file, it is set automatically.
  - Entity ID—Update this value to use a new Entity ID to uniquely identify your Portal for ArcGIS organization to the SAML identity provider.
Configure a SAML compliant IDP for a highly available portal
Portal for ArcGIS uses a certificate with the alias samlcert when sending signed requests (for login and logout) to the IDP and when decrypting encrypted responses from the IDP. If you configure a highly available ArcGIS Enterprise portal and use a SAML-compliant IDP, you must ensure that each instance of Portal for ArcGIS uses the same certificate when communicating with the IDP.
The best way to ensure that all instances use the same certificate for SAML is to generate a new certificate with the alias samlcert and import it into each instance of Portal for ArcGIS in your highly available deployment.
- Log in to the portal admin directory at https://example.domain.com:7443/arcgis/portaladmin.
- Browse to Safety > sslcertificates, and click the existing samlcert certificate.
- Click delete.
- Repeat steps 1 to 3 to delete the existing samlcert certificates in all instances of your highly available portal.
- Generate a new self-signed certificate from the ArcGIS Portal administrator directory.
- When configuring the certificate, specify samlcert as the alias, and the name of your deployment's load balancer host as the value for A common name and as the DNS alias in the Alternative subject name field.
- Once the certificate is generated, export it to a .pfx file:
  - Log in to the machine where Portal for ArcGIS is installed.
  - Open a command prompt on your computer using the Run as administrator option.
  - Change directories to the portal's SSL folder: cd \etc\ssl
  - Enter the following command to export samlcert in .pfx file format:
    ..\..\framework\runtime\jre\bin\keytool.exe -importkeystore -srckeystore portal.ks -destkeystore samlcert.pfx -srcstoretype JKS -deststoretype PKCS12 -srcstorepass portal.secret -deststorepass lozinka -srcalias samlcert -destalias samlcert -destkeypass lozinka
- Import the new certificate into each instance of Portal for ArcGIS from the Safety > sslcertificates > Import an existing server certificate page.
- Restart Portal for ArcGIS on every instance in your highly available portal.
You can use the provider metadata file from your ArcGIS Enterprise portal to verify that the certificates used to communicate with the SAML IDP are the same across the highly available deployment.
- On the Organization tab, go to Edit items > Safety.
- In the Company applications via SAML item on the Safety page, click Edit the identity provider. Open the Show advanced items menu and make sure the Encrypt the assertion option is selected. If not, select it and click Update your identity provider to save the change.
- Return to the Company applications via SAML item and select Find a service provider. This will export the provider metadata as an .xml file to your machine.
- Open the downloaded .xml file. Check for the following phrase: . This means that the encryption certificate is present.
- Record the values in the subsection .
- Repeat these steps for each instance of Portal for ArcGIS in your deployment to get the provider metadata file from each.
All exported metadata files should have the same information in the
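The comparison described above can be scripted instead of done by eye. The following Python sketch is an added example, not part of the Esri documentation: it fingerprints the certificates in each exported metadata file and reports instances that disagree. It assumes the exported files follow the standard SAML 2.0 metadata schema (`md:KeyDescriptor` with a `use` attribute, containing `ds:X509Certificate`); the function names, host names and sample certificate bytes are constructed.

```python
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

# Namespaces from the SAML 2.0 metadata and XML Signature specifications.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprints(metadata_xml: str) -> dict:
    """Map each KeyDescriptor use ('signing', 'encryption', ...) to the set of
    SHA-256 fingerprints of the certificates published for that use."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for descriptor in root.iterfind(".//md:KeyDescriptor", NS):
        use = descriptor.get("use", "unspecified")
        for cert in descriptor.iterfind(".//ds:X509Certificate", NS):
            # Base64 text in metadata is often wrapped; strip all whitespace.
            der = base64.b64decode("".join((cert.text or "").split()))
            result.setdefault(use, set()).add(hashlib.sha256(der).hexdigest())
    return result


def compare_instances(metadata_by_host: dict) -> list:
    """Return a list of problems; an empty list means all instances agree."""
    problems = []
    reference = None  # (host, fingerprints) of the first instance seen
    for host, xml_text in metadata_by_host.items():
        prints = cert_fingerprints(xml_text)
        if "encryption" not in prints:
            problems.append(f"{host}: no encryption certificate in metadata")
        if reference is None:
            reference = (host, prints)
        elif prints != reference[1]:
            problems.append(f"{host}: certificates differ from {reference[0]}")
    return problems


def sample_metadata(cert_bytes: bytes) -> str:
    """Constructed SP metadata; cert_bytes are placeholder bytes, not real X.509."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        'entityID="portal.example">'
        "<md:SPSSODescriptor "
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


if __name__ == "__main__":
    # Usage: pass the metadata file exported from each portal instance.
    files = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    for problem in compare_instances(files):
        print(problem)
```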
Specify an organization-specific account as an administrator
How you designate an organization-specific account as a portal administrator depends on whether users can join the organization automatically or when invited by an administrator.
Join the organization automatically
If you have chosen the Automatic option to allow users to join the organization automatically, open the home page of the portal website while logged in with the organization-specific account that you want to use as a portal administrator.
When an account is automatically added to the portal for the first time, it is assigned the default role configured for new members. Only an organization administrator can change the role on an account; you must log in to the portal using the initial administrator account and assign the organization-specific account to the administrator role.
- Open the portal website, click the option to sign in using a SAML identity provider, and enter the credentials of the SAML account you want to use as an administrator. If this account belongs to someone else, have that user log in to the portal to register the account on the portal.
- Make sure the account is added to the portal and click Log off. Clear your browser's cache and cookies.
- In your browser, open the portal website, click the option to sign in with a built-in portal account, and enter the credentials of the initial administrator account you created during setup of Portal for ArcGIS.
- Find the SAML account you want to use to administer the portal and change its role to Administrator. Click Log off.
The SAML account you selected is now the portal administrator.
Manually add organization-specific accounts to the portal
If you have chosen the At the request of the administrator option to allow users to join an organization by invitation only, you must register the necessary accounts in the organization using the command line utility or the example Python script. Choose the Administrator role for the SAML account that will be used for portal administration.
Demote or delete the initial administrator account
Now that you have an alternate portal admin account, you can assign the initial admin account to a different role or delete the account. See About the initial administrator account for more information.
Prevent users from creating their own accounts
You can prevent users from creating their own built-in accounts by preventing users from creating new built-in accounts in the organization settings.
Prevent users from signing in with an ArcGIS account
To prevent users from logging in to the portal using an ArcGIS account, turn off the ArcGIS login toggle button on the login page.
- Log in to the portal website as an organization administrator and click Organization > settings > Safety.
- In the Applications section, turn off the ArcGIS login toggle button.
The login page displays a button to log in to the portal using an identity provider account, and the ArcGIS login button is not available. To re-enable member logins with ArcGIS accounts, turn on the ArcGIS login toggle button in the Applications section.
Modify or remove the SAML IDP
When you have set up a SAML IDP, you can update its settings by clicking the edit button next to the currently registered SAML IDP. Update the settings in the Edit the SAML login window.
To remove the currently registered IDP, click the edit button next to the IDP and click Delete application in the Edit the SAML login window. After you have removed an IDP, you can optionally set up a new IDP or a federation of IDPs.
Best practices for SAML security
To enable SAML logins, you can configure ArcGIS Enterprise as an SP for your SAML IDP. To ensure robust security, consider the best practices described below.
Digitally sign SAML sign-in and sign-out requests and sign the SAML assertion response
Signatures are used to ensure the integrity of SAML messages and act as protection against man-in-the-middle (MITM) attacks. Digitally signing the SAML request also ensures that the request is sent by a trusted SP, allowing the IDP to better deal with denial-of-service (DOS) attacks. Turn on the Enable signed request option in the advanced settings when configuring SAML logins.
Note:
Enabling signed requests requires that the IDP be updated each time the signing certificate used by the SP is renewed or replaced.
Configure the SAML IDP to sign the SAML response to prevent tampering with the SAML assertion response in transit.
Note:
Enabling signed requests requires the SP (ArcGIS Enterprise) to be updated whenever the signing certificate used by the IDP is renewed or replaced.
Use an HTTPS IDP endpoint
Any communication between the SP, the IDP and the user's browser that is sent over the internal network or the Internet in an unencrypted format can be intercepted by a malicious actor. If your SAML IDP supports HTTPS, it is recommended that you use an HTTPS endpoint to ensure the confidentiality of data transmitted during SAML logins.
Encrypt the SAML assertion response
Using HTTPS for SAML communication protects the SAML messages sent between the IDP and the SP. However, logged-in users can still decode and view SAML messages via a web browser. Enabling assertion response encryption prevents users from viewing confidential or sensitive information communicated between the IDP and the SP.
Note:
Enabling encrypted assertions requires updating the IDP whenever the encryption certificate used by the SP (ArcGIS Enterprise) is renewed or replaced.
Securely manage signing and encryption certificates
Use certificates with strong cryptographic keys for digitally signing or encrypting SAML messages, and renew or replace certificates every three to five years.
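Several of these practices can be checked against the identity provider's metadata before it is registered with the portal. The following Python sketch is an added example, not Esri code: it flags login or logout endpoints that are not HTTPS, a missing signing certificate, and an IDP that does not ask for signed authentication requests. It assumes standard SAML 2.0 metadata (`IDPSSODescriptor`, `SingleSignOnService`, `SingleLogoutService`, `WantAuthnRequestsSigned`); the function names, host names and certificate value are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def audit_idp_metadata(metadata_xml: str) -> list:
    """Return findings for one IDP metadata document; empty means none."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f".//{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor element: not identity provider metadata"]
    findings = []
    # Login (Redirect/POST) and logout endpoints should all be HTTPS.
    for tag in ("SingleSignOnService", "SingleLogoutService"):
        for service in idp.iterfind(f"{{{MD}}}{tag}"):
            binding = service.get("Binding", "").rsplit(":", 1)[-1]
            location = service.get("Location", "")
            if urlsplit(location).scheme.lower() != "https":
                findings.append(f"{tag} ({binding}) is not HTTPS: {location}")
    # A KeyDescriptor without a 'use' attribute applies to signing as well.
    has_signing_cert = any(
        kd.get("use", "signing") == "signing"
        and kd.find(f".//{{{DS}}}X509Certificate") is not None
        for kd in idp.iterfind(f"{{{MD}}}KeyDescriptor")
    )
    if not has_signing_cert:
        findings.append("no signing certificate: signed responses cannot be verified")
    if idp.get("WantAuthnRequestsSigned", "false").lower() not in ("true", "1"):
        findings.append("IDP does not require signed authentication requests")
    return findings


def sample_idp_metadata(post_url: str, want_signed: bool) -> str:
    """Constructed IDP metadata; hosts and certificate value are placeholders."""
    return (
        f'<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" '
        'entityID="https://idp.example/">'
        f'<IDPSSODescriptor WantAuthnRequestsSigned="{str(want_signed).lower()}" '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        "<SingleSignOnService "
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://idp.example/sso/redirect"/>'
        "<SingleSignOnService "
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="{post_url}"/>'
        "</IDPSSODescriptor></EntityDescriptor>"
    )


if __name__ == "__main__":
    weak = sample_idp_metadata("http://idp.example/sso/post", want_signed=False)
    for finding in audit_idp_metadata(weak):
        print(finding)
```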