Microsoft Azure Active Directory (AD) is a Security Assertion Markup Language (SAML)-compliant identity provider (IDP). You can configure it as your IDP for enterprise logins in Portal for ArcGIS on-premises and in the cloud. The configuration process involves two main steps: registering Azure AD in your ArcGIS Enterprise portal and registering Portal for ArcGIS in your Azure AD portal.
To configure Azure AD with ArcGIS Enterprise, you need a premium Azure AD subscription.
Required information
Portal for ArcGIS requires certain attribute information to be received from the IDP when a user signs in using enterprise logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response for the federation to work with Portal for ArcGIS. Since Portal for ArcGIS uses the value of NameID to uniquely identify a named user, it is recommended that you use a stable value that uniquely identifies the user and does not change over time. When a user from the IDP signs in for the first time, Portal for ArcGIS creates a new user in its user store whose user name is the NameID value. The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters are replaced with underscores in the user name created by Portal for ArcGIS.
Portal for ArcGIS can receive the givenName and email address attributes of the enterprise login from the enterprise IDP. When a user signs in using an enterprise login, and Portal for ArcGIS receives attributes named givenname and email or mail (matched regardless of letter case), it populates the full name and the email address of the user account with the values received from the IDP. It's recommended that you pass in the email address from the enterprise IDP so the user can receive notifications.
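As an added example (not Esri's code), the following Python processes a constructed SAML assertion the way the rules above describe: it requires NameID, derives the portal user name by replacing disallowed characters with underscores, matches the givenname and email/mail attribute names case-insensitively, and flags distinct NameID values that would collapse to the same user name, which is why a stable identifier made of allowed characters is recommended.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Only alphanumerics, '_', '.' and '@' survive in the portal user name; the rest become '_'.
DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")

# Constructed assertion fragment for illustration; not a real Azure AD response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane-doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="MAIL"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def portal_user_name(name_id: str) -> str:
    """Derive the user name the portal would create from a NameID value."""
    return DISALLOWED.sub("_", name_id)


def extract_login_attributes(assertion_xml: str) -> dict:
    """Pull NameID, givenname and email/mail from an assertion as the portal consumes them."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        # NameID is mandatory; without it the portal cannot identify the user.
        raise ValueError("SAML assertion has no NameID")
    result = {"name_id": name_id, "user_name": portal_user_name(name_id),
              "full_name": None, "email": None}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = (attr.get("Name") or "").lower()  # attribute names match regardless of case
        value = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
        if name == "givenname":
            result["full_name"] = value
        elif name in ("email", "mail"):
            result["email"] = value
    return result


def find_user_name_collisions(name_ids) -> dict:
    """Return portal user names that more than one distinct NameID would map to."""
    by_user = {}
    for nid in name_ids:
        by_user.setdefault(portal_user_name(nid), set()).add(nid)
    return {user: sorted(ids) for user, ids in by_user.items() if len(ids) > 1}


if __name__ == "__main__":
    print(extract_login_attributes(SAMPLE_ASSERTION))
    print(find_user_name_collisions(["jane-doe", "jane doe", "jane.doe"]))
```

Run the collision check over the NameID values your IDP will emit before enabling automatic account creation, so that no two enterprise identities resolve to one portal user name.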
Register Azure AD as the enterprise IDP for your portal
- Sign in to the portal website as a member of the default administrator role in your organization and click Organization > Settings > Security.
- In the Enterprise Logins via SAML section, select the One Identity Provider option, click the Set Enterprise Login button, and enter your organization's name in the window that appears (for example, City of Redlands). When users access the portal website, this text displays as part of the SAML sign-in option (for example, Using your City of Redlands account).
- Choose whether your users will be able to join the organization Automatically or After you add the accounts to the portal. Selecting the first option enables users to sign in to the organization with their enterprise login without any intervention from an administrator. Their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to register the necessary accounts with the organization using a command line utility or sample Python script. Once the accounts have been registered, users will be able to sign in to the organization.
Tip:
It's recommended that you designate at least one enterprise account as an administrator of your portal and demote or delete the initial administrator account. It is also recommended that you disable the Create an account button and sign-up page (signup.html) in the portal so people cannot create their own accounts. For full instructions, see Configuring a SAML-compliant identity provider with your portal.
- Provide metadata information for the IDP using one of the options below:
- File—Download the Azure AD metadata file and upload the file to Portal for ArcGIS using the File option.
Note:
If this is the first time you're registering a service provider with Azure AD, you need to get the metadata file after registering Portal for ArcGIS with Azure AD.
- Parameters—Choose this option if the URL or federation metadata file is not accessible. Enter the values manually and supply the requested parameters: the login URL and the certificate, encoded in Base64 format. Contact your Azure AD administrator to obtain these.
- Configure the following advanced settings as applicable:
- Encrypt Assertion—Select this option to encrypt the Azure AD SAML assertion responses.
- Enable Signed Request—Select this option to have Portal for ArcGIS sign the SAML authentication request sent to Azure AD.
- Propagate logout to Identity Provider—Select this option to have Portal for ArcGIS use a logout URL to sign out the user from Azure AD. Enter the URL to use in the Logout URL setting. If the IDP requires the logout URL to be signed, check Enable Signed Request.
- Update profiles on sign in—Select this option to have Portal for ArcGIS update users' givenName and email address attributes if they've changed since they last signed in.
- Enable SAML based group membership—Select this option to allow organization members to link specified SAML-based enterprise groups to Portal for ArcGIS groups during the group creation process.
- Logout URL—The IDP URL used to sign out the currently signed-in user.
- Entity ID—Update this value to use a new entity ID to uniquely identify your portal to Azure AD.
The Encrypt Assertion and Enable Signed Request settings use the certificate samlcert in the portal keystore. To use a new certificate, delete the samlcert certificate, create a new certificate with the same alias (samlcert) following the steps in Import a certificate into the portal, and restart the portal.
- When finished, click Update Identity Provider.
- Click Get Service Provider to download the portal's metadata file. Information in this file will be used to register the portal as the trusted service provider with Azure AD.
Register Portal for ArcGIS as the trusted service provider with Azure AD
- Log in to your Azure portal as a member with administrative privileges.
- Following the steps in Azure documentation, add Portal for ArcGIS as a non-gallery application to your Azure AD and configure Single sign-on. You will need to provide the Metadata.xml file downloaded from Portal for ArcGIS.
Portal for ArcGIS appears in the Enterprise Applications list in Azure AD.
- Add and assign users to the application as needed.
- Optionally configure and customize the SAML claims passed to ArcGIS Enterprise. The attributes of interest in the SAML response are givenName and emailaddress.