Security Assertion Markup Language (SAML) is an open standard for the secure exchange of authentication and authorization data between enterprise identity providers and service providers (in this case, Portal for ArcGIS). The approach used to achieve this is known as SAML Web Single Sign On. The portal is SAML 2.0 compliant and integrates with identity providers that support SAML 2 Web Single Sign On. The advantage of setting up SAML is that you don't have to create additional logins for users to access Portal for ArcGIS; instead, they use a login that is already set up in the enterprise identity store. This process is referred to throughout the documentation as setting up enterprise logins.
Optionally, you can provide the portal with metadata about the enterprise groups in your identity store. This allows you to create groups in the portal that leverage existing enterprise groups in your identity store. When members log in to the portal, access to content, items and data is controlled by the membership rules defined in the enterprise group. If you do not provide the enterprise group metadata, you can still create groups, but membership will be controlled by Portal for ArcGIS rather than by your identity store.
Matching ArcGIS Online usernames in Portal for ArcGIS
If the same SAML-compliant identity provider is used in your ArcGIS Online organization and your portal, enterprise usernames can be configured to match. All enterprise usernames in ArcGIS Online have the short name of the organization appended to the end. The same enterprise usernames can be used in your portal by defining the defaultIDPUsernameSuffix property in the portal security configuration and setting it to match the organization's short name. This is required if editor tracking is enabled on a feature service that is edited by enterprise users from both ArcGIS Online and your portal.
SAML login experience
Portal for ArcGIS supports both service provider-initiated (SP) enterprise logins and identity provider-initiated (IDP) enterprise logins. The login experience differs between the two.
Service provider-initiated logins
With service provider-initiated logins, users access the portal directly and are presented with two login options: built-in accounts (managed by the portal) or accounts managed in a SAML-compliant identity provider. If the user selects the SAML identity provider option, they are redirected to a web page (known as the enterprise login manager) where they are asked to enter their enterprise username and password. After verifying the user login, the enterprise identity provider notifies Portal for ArcGIS of the verified identity of the user who is logging in, and the user is redirected back to the portal website.
If the user selects the built-in account option, the portal website login page opens. The user can then enter their built-in username and password to access the website. This option cannot be disabled. The built-in account option can be used as a fallback in case your SAML-compliant identity provider is not available.
Identity provider-initiated logins
With identity provider-initiated logins, users access the enterprise login manager directly and log in with their enterprise account. When a user submits their account information, the identity provider sends a SAML response directly to Portal for ArcGIS. The user is then logged in and redirected to the portal website, where they can immediately access resources without having to log in to the organization again.
The option to sign in using built-in accounts is not available in the enterprise login manager. To log in to an organization with built-in accounts, members must access the portal website directly.
SAML identity providers
The following tutorials demonstrate the use of several SAML-compliant identity providers with Portal for ArcGIS:
- Active Directory Federation Services (AD FS) 2.0 and later versions
- NetIQ Access Manager 3.2 and later versions
- OpenAM 10.1.0 and later versions
- Shibboleth 2.3.8 and later versions
- SimpleSAMLphp 1.10 and later
The procedure for obtaining the necessary metadata from each of the above identity providers is described in the corresponding link. The process of configuring an identity provider with Portal for ArcGIS is described below. Before proceeding, it is recommended that you contact the administrator of your enterprise identity provider to obtain the parameters required for configuration. For example, if your organization uses Microsoft Active Directory, the administrator responsible for it would be the correct person to contact to configure or enable SAML on the enterprise identity provider side and to obtain the parameters needed for the portal-side configuration.
Support for multiple SAML identity providers
Using SAML, you can allow access to your portal from multiple identity stores. This is a good way to manage users who may reside inside or outside your organization.
This is done by establishing trust between the identity stores you want to make available to the portal. This is usually handled by the security administrator; trust is not configured in Portal for ArcGIS. Once trust is established, you only need to configure one of the trusted identity stores with your portal (as described below). When users access the portal site or the identity provider site, they will be presented with the option to sign in with an enterprise account managed by any of the trusted identity providers.
Required information
Portal for ArcGIS requires certain attribute information to be received from the identity provider when a user logs in using an enterprise login. NameID is a required attribute that your identity provider must send in the SAML response for the federation with Portal for ArcGIS to work. When a user from the IDP logs in, a new user with the username NameID is created in the Portal for ArcGIS user store. The allowed characters for the value sent in the NameID attribute are alphanumeric characters, _ (underscore), . (period) and @ (at sign). All other characters are escaped to underscores in the username that Portal for ArcGIS creates.
Portal for ArcGIS supports the flow of the givenName and email address enterprise login attributes from the identity provider. When a user logs in using an enterprise login and Portal for ArcGIS receives attributes with the names givenName and email or mail (in any letter case), Portal for ArcGIS populates the full name and email address of the user account with the values received from the identity provider. It is recommended that you pass the email address from the enterprise identity provider so that the user can receive notifications.
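As an added example (not code from the Esri documentation), the following Python script parses a constructed SAML response, reads NameID and the givenName and email or mail attributes, and derives the portal username by replacing every character outside the allowed set with an underscore. That defaultIDPUsernameSuffix is appended with an underscore separator is an assumption made here.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Username characters the portal allows: alphanumeric, underscore, period, at sign.
DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")


def portal_username(name_id: str, suffix: str = "") -> str:
    """Derive the username the portal creates from a NameID value.

    Every disallowed character becomes an underscore. Appending the
    defaultIDPUsernameSuffix as "_suffix" is an assumption of this example.
    """
    username = DISALLOWED.sub("_", name_id)
    return f"{username}_{suffix}" if suffix else username


def extract_account(saml_response_xml: str, suffix: str = "") -> dict:
    """Read NameID plus the givenName / email / mail attributes from a response.

    This only parses the XML; verifying the response signature is a separate step.
    """
    root = ET.fromstring(saml_response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (an encrypted assertion must be decrypted first)")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("NameID is required for the federation to work")
    attrs = {}
    for attr in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        # Attribute names are matched in any letter case.
        attrs[(attr.get("Name") or "").lower()] = values[0] if values else ""
    return {
        "username": portal_username(name_id, suffix),
        "fullName": attrs.get("givenname", ""),
        "email": attrs.get("email") or attrs.get("mail", ""),
    }


# Constructed sample response (unsigned, for parsing only).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject><saml2:NameID>j.doe+ops@example.com</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="GivenName"><saml2:AttributeValue>Jane Doe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="mail"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    print(extract_account(SAMPLE_RESPONSE, suffix="cityofredlands"))
```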
Configuring your portal with a SAML identity provider
- Log in to the portal website as an administrator of your organization and click My Organization > Edit Settings > Security.
- Within the Enterprise Logins section, click the Set Identity Provider button and enter the name of your organization in the window that opens (for example, City of Redlands). When users access the portal website, this text is displayed as part of the SAML login option (for example, Using your City of Redlands account).
- Choose whether your users can join the organization Automatically or After you add accounts to the portal. Selecting the first option allows users to log in to the organization with their enterprise login without any administrator intervention. Their account is registered with the organization automatically when they log in for the first time. The second option requires the administrator to register the necessary accounts in the organization using the command line utility or the sample Python script. Once the accounts are registered, users will be able to log in to the organization.
Tip:
It is recommended that you designate at least one enterprise account as the administrator of your portal and demote or delete the initial administrator account. It is also recommended that you disable the Create an account button and sign up page (signup.html) on the portal website so that people cannot create their own accounts. For complete instructions, see the Designate an enterprise account as an administrator section below.
- Provide the necessary metadata information about your SAML-compliant enterprise identity provider. You do this by specifying the source that the portal will access to obtain the metadata. Links to instructions for obtaining metadata from certified providers are available in the SAML identity providers section above. There are three possible sources of metadata information:
- URL—Specify a URL that returns metadata information about the identity provider.
Note:
If your enterprise identity provider uses a self-signed certificate, you may encounter an error when trying to specify an HTTPS metadata URL. This error occurs because Portal for ArcGIS cannot verify the identity provider's self-signed certificate. Alternatively, use HTTP in the URL, use one of the other options below, or configure your identity provider with a trusted certificate.
- File—Upload a file containing the identity provider metadata.
- Parameters specified here—Enter the metadata information about the identity provider directly by entering the following parameters:
- Login URL (Redirect)—Enter the identity provider URL (supporting the HTTP redirect binding) that Portal for ArcGIS should use to allow the member to log in.
- Login URL (POST)—Enter the identity provider URL (supporting the HTTP POST binding) that Portal for ArcGIS should use to allow the member to log in.
- Certificate—Provide the certificate of the enterprise identity provider. This is the certificate that allows Portal for ArcGIS to verify the digital signature on the SAML responses sent to it by the enterprise identity provider.
Note:
Contact your identity provider administrator if you need help determining the source of the metadata you need to provide.
- To complete the configuration process and establish trust with the identity provider, register the portal's service provider metadata with your enterprise identity provider. There are two ways to get the metadata from your portal:
- Within the Security section of the Edit Settings page for your organization, click the Get Service Provider button. This displays the metadata for your organization, which you can save as an XML file on your computer.
- Open the metadata URL and save it as an XML file on your computer. The URL is https://webadaptorhost.domain.com/webadaptorname/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://webadaptorhost.domain.com/webadaptorname/sharing/rest/generateToken. When entering the URL on the Generate Token page, specify the fully qualified domain name of the identity provider's server in the Webapp URL field. Selecting any other option, such as IP address or IP address of this request's origin, is not supported and may generate an invalid token.
Links to instructions for registering the portal's service provider metadata with certified providers are available in the SAML identity providers section above.
- Configure advanced settings as needed:
- Encrypt Assertion—Select this option to indicate to the SAML identity provider that Portal for ArcGIS supports encrypted SAML assertion responses. When this option is enabled, the identity provider encrypts the assertion section of the SAML response. Although all SAML traffic to and from Portal for ArcGIS is already encrypted using HTTPS, this option adds another layer of encryption.
- Enable Signed Request—Select this option to have Portal for ArcGIS sign the SAML authentication request sent to the identity provider. Signing the initial login request sent by Portal for ArcGIS allows the identity provider to verify that all login requests originate from a trusted service provider.
- Propagate logout to Identity Provider—Select this option to have Portal for ArcGIS use the logout URL to log the user out of the identity provider. Enter the URL to use in the Logout URL setting. If the identity provider requires the logout URL to be signed, the Enable Signed Request option must also be checked. When this option is disabled, clicking Sign Out in Portal for ArcGIS logs the user out of Portal for ArcGIS but not out of the identity provider. If the user's web browser cache has not been cleared, an immediate attempt to log in to Portal for ArcGIS using the enterprise login option results in an instant login without the user having to provide credentials to the SAML identity provider. This is a security vulnerability that can be exploited when using a computer that is easily accessible to unauthorized users or the general public.
- Logout URL—Enter the identity provider URL that will be used to log out the currently logged in user. If this property is specified in the identity provider metadata file, it is set automatically.
- Entity ID—Update this value to use a new Entity ID that uniquely identifies your Portal for ArcGIS organization to the SAML identity provider.
- Optionally, provide the portal with metadata about the enterprise groups in the identity store:
- Log in to the ArcGIS Portal Directory as an administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > Config > Update Identity Store.
- Paste the group store configuration JSON into the Group store configuration (in JSON format) text box.
If your identity store is Windows Active Directory, copy the following text and modify it to include information specific to your site:
{
  "type": "WINDOWS",
  "properties": {
    "isPasswordEncrypted": "false",
    "userPassword": "secret",
    "user": "mydomain\\winaccount"
  }
}
In most cases, you only need to change the values of the user and userPassword parameters. Although you enter the password in clear text, it is encrypted when stored in the portal's configuration directory or when viewed. The account you use for the user parameter needs only the permissions required to look up Windows group names on the network. If possible, use an account whose password does not expire.
If your identity store is LDAP, copy the following text and change it to contain information specific to your site:
{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
    "ldapURLForRoles": "ldaps://bar2:10636/dc=example,dc=com",
    "usernameAttribute": "cn",
    "caseSensitive": "false",
    "userSearchAttribute": "cn",
    "memberAttributeInRoles": "member",
    "rolenameAttribute": "cn"
  }
}
In most cases, you only need to change the values of the user, userPassword, ldapURLForUsers and ldapURLForRoles parameters. The URL to your LDAP must be provided by your LDAP administrator.
In the example above, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher level OU or even the root level if needed. In that case, the URL would look like this instead:
"ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",
The account you use for the user parameter needs permissions to search for group names in your organization. Although you enter the password in clear text, it will be encrypted when stored in the portal's configuration directory or viewed.
If your LDAP is configured to be case insensitive, set the caseSensitive parameter to false.
- When you have finished entering the JSON for the group store configuration, click Update Configuration to save the changes and restart the portal.
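As an added example that is not part of the Esri documentation, this Python checker validates a group store configuration like the ones above before you paste it into the portal: it confirms that the keys each store type needs are present, that isPasswordEncrypted and caseSensitive are the strings "true" or "false", that the "secret" placeholder password was replaced, and that both LDAP URLs use ldaps://. The sample configurations and their password values are constructed for this example.

```python
import json
from urllib.parse import urlparse

WINDOWS_KEYS = {"user", "userPassword", "isPasswordEncrypted"}
LDAP_KEYS = WINDOWS_KEYS | {
    "ldapURLForUsers", "ldapURLForRoles", "usernameAttribute", "caseSensitive",
    "userSearchAttribute", "memberAttributeInRoles", "rolenameAttribute",
}


def check_group_store(config_json: str) -> list:
    """Return the problems found in a group store configuration (empty list means it passes)."""
    try:
        cfg = json.loads(config_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    store_type, props = cfg.get("type"), cfg.get("properties", {})
    if store_type == "WINDOWS":
        required = WINDOWS_KEYS
    elif store_type == "LDAP":
        required = LDAP_KEYS
    else:
        return [f"unsupported type {store_type!r}; expected WINDOWS or LDAP"]
    problems = [f"missing property {k!r}" for k in sorted(required - set(props))]
    if props.get("isPasswordEncrypted") not in ("true", "false"):
        problems.append('isPasswordEncrypted must be the string "true" or "false"')
    if props.get("userPassword", "") in ("", "secret"):
        problems.append("userPassword is empty or still the template placeholder")
    if store_type == "WINDOWS" and "\\" not in props.get("user", ""):
        problems.append("user should be given as DOMAIN\\account")
    if store_type == "LDAP":
        for key in ("ldapURLForUsers", "ldapURLForRoles"):
            # A stray space (e.g. "ldaps ://host") leaves urlparse with no scheme at all.
            scheme = urlparse(props.get(key, "")).scheme
            if scheme != "ldaps":
                problems.append(f"{key}: scheme is {scheme or 'missing'}; use ldaps:// so the lookup bind is encrypted")
        if props.get("caseSensitive") not in ("true", "false"):
            problems.append('caseSensitive must be the string "true" or "false"')
    return problems


# Constructed sample configurations (password values are placeholders for this example).
LDAP_CONFIG = json.dumps({"type": "LDAP", "properties": {
    "userPassword": "Ex4mple-Bind-Pw", "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
    "ldapURLForRoles": "ldaps://bar2:10636/dc=example,dc=com",
    "usernameAttribute": "cn", "caseSensitive": "false", "userSearchAttribute": "cn",
    "memberAttributeInRoles": "member", "rolenameAttribute": "cn"}})
WEAK_LDAP_CONFIG = LDAP_CONFIG.replace("ldaps://bar2:10636/dc=", "ldap://bar2:10636/dc=")
WINDOWS_CONFIG = json.dumps({"type": "WINDOWS", "properties": {
    "isPasswordEncrypted": "false", "userPassword": "Ex4mple-Svc-Pw",
    "user": "mydomain\\winaccount"}})

if __name__ == "__main__":
    for name, cfg in (("LDAP", LDAP_CONFIG), ("weak LDAP", WEAK_LDAP_CONFIG), ("WINDOWS", WINDOWS_CONFIG)):
        print(name, check_group_store(cfg) or "OK")
```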
Designate a business account as an administrator
How you designate an enterprise account as a portal administrator depends on whether users can join the organization Automatically or After you add accounts to the portal.
Join the organization automatically
If you selected the option to allow users to join the organization Automatically, open the home page of the portal website while logged in with the enterprise account you want to use as the portal administrator.
When an account is added to the portal automatically for the first time, it is assigned the User role. Only an organization administrator can change the role of an account; therefore, you must log in to the portal using the initial administrator account and assign the enterprise account the Administrator role.
- Open the portal website, click the option to sign in using the SAML identity provider, and enter the credentials of the enterprise account you want to use as an administrator. If this account belongs to someone else, have that user log in to the portal to register the account with the portal.
- Make sure the account has been added to the portal and click Sign Out. Clear your browser's cache and cookies.
- In your browser, open the portal website, click the option to sign in using a built-in portal account, and enter the credentials of the initial administrator account you created when setting up Portal for ArcGIS.
- Find the enterprise account you will use to administer the portal and change its role to Administrator. Click Sign Out.
The enterprise account you selected is now the portal administrator.
Manually add enterprise accounts to the portal
If you selected the option to allow users to join the organization only After you add accounts to the portal, you must register the necessary accounts in the organization using the command line utility or the sample Python script. Be sure to choose the Administrator role for the enterprise account that will be used for portal administration.
Demote or delete the initial administrator account
Now that you have an alternate portal administrator account, you can assign the initial administrator account the User role or delete the account. See About the initial administrator account for more information.
Prevent users from creating their own accounts
Once you have secured access to your portal, it is recommended that you disable the Create an account button and sign up page (signup.html) on the portal website so that people cannot create their own accounts. This means that all members log in to the portal with their enterprise account and credentials, and unnecessary built-in accounts cannot be created. See Preventing users from creating built-in portal accounts for complete instructions.
Disable signing in with ArcGIS accounts
If you want to prevent users from logging in to the portal using an ArcGIS account, you can disable the Using your ArcGIS account button on the login page. To do this, follow the steps below.
- Log in to the portal website as an administrator of your organization and click My Organization > Edit Settings > Security.
- Within Login options, select the radio button for Only their SAML IDP account, where the IDP varies depending on what you have configured for your portal.
- Click Save.
The login page will display a button to log in to the portal using an identity provider account, and the Using your ArcGIS account login button will not be available. You can re-enable member logins with ArcGIS accounts by selecting Their SAML IDP account or Portal for ArcGIS account under Login options, where the IDP and the name of your portal vary depending on what you have configured.
Changing the SAML identity provider
You can remove the currently registered identity provider using the Remove Identity Provider button. This button is enabled only when you have set up a SAML-compliant identity provider. After you remove an identity provider, you can optionally set up a new one.