Security Assertion Markup Language (SAML) is an open standard to securely exchange authentication and authorization data between an enterprise identity provider and a service provider (in this case, Portal for ArcGIS). The approach used to achieve this is known as SAML Web Single Sign On. The portal is compliant with SAML 2.0 and integrates with identity providers that support SAML 2 Web Single Sign On. The advantage of setting up SAML is that you do not need to create additional logins for users to access Portal for ArcGIS; instead, they use the login that is already set up within an enterprise identity store. This process is described throughout the documentation as setting up enterprise logins.
Optionally, you can provide metadata to the portal about the enterprise groups in your identity store. This allows you to create groups in the portal that leverage the existing enterprise groups in your identity store. When members log in to the portal, access to content, items, and data is controlled by the membership rules defined in the enterprise group. If you do not provide the necessary enterprise group metadata, you'll still be able to create groups. However, membership rules will be controlled by Portal for ArcGIS, not your identity store.
SAML sign in experience
Portal for ArcGIS supports service provider (SP) initiated enterprise logins and identity provider (IDP) initiated enterprise logins. The login experience differs between each.
Service provider initiated logins
With service provider initiated logins, users access the portal directly and are presented with options to sign in with built-in accounts (managed by the portal) or accounts managed in a SAML-compliant identity provider. If the user chooses the SAML identity provider option, they are redirected to a web page (known as the enterprise's login manager) where they are prompted to enter their enterprise user name and password. Upon verification of the user’s login, the enterprise identity provider informs Portal for ArcGIS of the verified identity for the user who is logging in, and the user is redirected back to the portal website.
If the user chooses the built-in account option, the sign in page for the portal website opens. The user can then enter their built-in user name and password to access the website. This option cannot be disabled. The built-in account option can be used as a fail-safe in case your SAML-compliant identity provider is unavailable.
Identity provider initiated logins
With identity provider initiated logins, users directly access the enterprise's login manager and sign in with their account. When the user submits their account information, the identity provider sends the SAML response directly to Portal for ArcGIS. The user is then logged in and redirected to the portal website where they can immediately access resources without having to sign in to the organization again.
The option to sign in using built-in accounts is not available from the enterprise's login manager. To sign in to the organization with built-in accounts, members need to access the portal website directly.
SAML identity providers
The following tutorials demonstrate using several SAML-compliant identity providers with Portal for ArcGIS:
- NetIQ Access Manager 3.2 and later versions
- OpenAM 10.1.0 and later versions
- Shibboleth 2.3.8 and later versions
- SimpleSAMLphp 1.10 and later versions
The process of obtaining necessary metadata from the identity providers noted above is described in each link. The process of configuring identity providers with Portal for ArcGIS is described below. Before proceeding, it is recommended that you contact the administrator of your enterprise identity provider to obtain the parameters needed for configuration.
Supporting multiple SAML identity providers
Using SAML, you can allow access to your portal using multiple identity stores. This is a good way to manage users that may reside within or outside of your organization.
This is achieved by establishing trust between the identity stores that you want to make available to the portal. This is typically handled by a security administrator; trust is not configured in Portal for ArcGIS. Once trust has been established, you only need to configure one of the trusted identity stores with your portal (as described below). When users access the portal website or the identity provider site, they will be presented with the option to sign in with an enterprise account managed by any one of the trusted identity providers.
Required information
Portal for ArcGIS requires certain attribute information to be received from the identity provider when a user logs in using enterprise logins. NameID is a mandatory attribute that must be sent by your identity provider in the SAML response to make the federation with Portal for ArcGIS work. When a user from the IDP logs in, a new user with the user name NameID will be created by Portal for ArcGIS in its user store. The allowed characters for the value sent by the NameID attribute are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be escaped to contain underscores in the user name created by Portal for ArcGIS.
Portal for ArcGIS supports flow-in of the givenName and the email address attributes of the enterprise login from the identity provider. When a user signs in using an enterprise login, and if Portal for ArcGIS receives attributes with the names givenname and email or mail (in any case), Portal for ArcGIS populates the full name and the email address of the user account with the values received from the identity provider. It's recommended that you pass in the email address from the enterprise identity provider so the user can receive notifications.
Configuring your portal with a SAML identity provider
- Sign in to the portal website as an Administrator of your organization and click My Organization > Edit Settings > Security.
- Within the Enterprise Logins section, click the Set Identity Provider button, and enter your organization's name in the window that opens (for example, City of Redlands). When users access the portal website, this text displays as part of the SAML sign in option (for example, Using your City of Redlands account).
- Choose if your users will be able to join the organization Automatically or After you add the accounts to the portal. Choosing the first option enables users to sign in to the organization with their enterprise login without any intervention from an administrator. Their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to register the necessary accounts with the organization using a command line utility or sample Python script. Once the accounts have been registered, users will be able to sign in to the organization.
Tip:
It's recommended that you designate at least one enterprise account as an administrator of your portal and demote or delete the initial administrator account. It's also recommended that you disable the Create an account button and sign-up page (signup.html) in the portal website so people cannot create their own accounts. For full instructions, see the Designate an enterprise account as an administrator section below.
- Provide the necessary metadata information about your SAML-compliant enterprise identity provider. You'll do this by specifying the source that the portal will access to obtain metadata information. Links to instructions for obtaining metadata from certified providers are available in the SAML identity providers section above. There are three possible sources of metadata information:
- URL—Provide a URL that returns metadata information about the identity provider.
Note:
If your enterprise identity provider includes a self-signed certificate, you may encounter an error when attempting to specify the HTTPS URL of the metadata. This error occurs because Portal for ArcGIS cannot verify the identity provider's self-signed certificate. Alternatively, use HTTP in the URL, one of the other options below, or configure your identity provider with a trusted certificate.
- File—Upload a file that contains metadata information about the identity provider.
- Parameters—Directly enter the metadata information about the identity provider by supplying the following parameters:
- Login URL—The URL that Portal for ArcGIS should use to allow a user to sign in.
- Certificate—Provide the X.509 certificate for the enterprise identity provider. This is the certificate that allows Portal for ArcGIS to verify the digital signature in the SAML responses sent to it from the enterprise identity provider.
Note:
Contact the administrator of the identity provider if you need help determining which source of metadata information you need to provide.
- URL—Provide a URL that returns metadata information about the identity provider.
- To complete the configuration process and establish trust with the identity provider, register the portal's service provider metadata with your enterprise identity provider. There are two ways to obtain the metadata from your portal:
- Within the Security section of the Edit Settings page for your organization, click the Get Service Provider button. This shows the metadata for your organization, which you can save as an XML file on your computer.
- Open the URL of the metadata and save as an XML file on your computer. The URL is https://webadaptor.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://webadaptor.domain.com/arcgis/sharing/rest/generateToken. When entering the URL in the Generate Token page, specify the fully qualified domain name of the identity provider server in the Webapp URL field. Choosing any other option, such as IP Address or IP Address of this request's origin, is not supported and may generate an invalid token.
Links to instructions for registering the portal's service provider metadata with certified providers are available in the SAML identity providers section above.
- Configure the advanced settings as applicable:
- Encrypt Assertion—Select this option to encrypt the identity provider's SAML assertion responses.
- Enable Signed Request—Select this option to have Portal for ArcGIS sign the SAML authentication request sent to the identity provider.
- Logout URL—Update this value if you have configured the identity provider to use a custom logout URL.
- Entity ID—Update this value to use a new entity ID to uniquely identify your portal to the identity provider.
The Encrypt Assertion and Enable Signed Request settings use the certificate samlcert in the portal keystore. To use a new certificate, delete the samlcert certificate, create a new certificate with the same alias (samlcert) following the steps in Import a certificate into the portal, and restart the portal.
- Optionally, provide metadata to the portal about the enterprise groups in the identity store:
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptor.domain.com/arcgis/portaladmin.
- Click Security > Config > Update Identity Store.
- Place the group configuration JSON in the Group store configuration (in JSON format) text box.
Copy the following text, and alter it to contain the information specific to your site:
{ "type": "LDAP", "properties": { "userPassword": "secret", "isPasswordEncrypted": "false", "user": "uid=admin\,ou=system", "ldapURLForUsers": "ldap://bar2:10389/ou=users\,ou=ags\,dc=example\,dc=com", "ldapURLForRoles": "ldap://bar2:10389/dc=example,dc=com", "usernameAttribute": "cn", "caseSensitive": "false", "userSearchAttribute": "cn", "memberAttributeInRoles": "member", "rolenameAttribute":"cn" } }
In most cases, you'll only need to alter values for the user, userPassword, ldapURLForUsers, and ldapURLForUsers parameters. The URL to your LDAP will need to be provided by your LDAP administrator. The account you use for the user parameter needs permissions to look up the names of groups in your organization. Although you type the password in clear text, it will be encrypted when stored in the portal's configuration directory or viewed.
If your LDAP is configured to be case insensitive, set the caseSensitive parameter to "false".
- When you finish entering the JSON for the user store configuration, click Update Configuration to save your changes and restart the portal.
Designate an enterprise account as an administrator
How you designate an enterprise account as an administrator of the portal will depend on whether users will be able to join the organization Automatically or After you add the accounts to the portal.
Join the organization automatically
If you chose the option to allow users to join the organization Automatically, open the portal website home page while logged in with the enterprise account you want to use as the portal administrator.
When an account is first added to the portal automatically, it is assigned the User role. Only an Administrator of the organization can change the role on an account; therefore, you must sign in to the portal using the initial administrator account, and assign an enterprise account to the Administrator role.
- Open the portal website, click the option to sign in using a SAML identity provider, and provide the credentials of the enterprise account you want to use as an administrator. If this account belongs to someone else, have that user sign in to the portal so the account is registered with the portal.
- Verify that the account has been added to the portal and click Sign Out. Clear your browser's cache and cookies.
- While in the browser, open the portal website, click the option to sign in using a built-in portal account, and provide the credentials of the initial administrator account you created when you set up Portal for ArcGIS.
- Find the enterprise account you'll use to administer your portal, and change the role to Administrator. Click Sign Out.
The enterprise account you chose is now an administrator of the portal.
Manually add enterprise accounts to the portal
If you chose the option to only allow users to join the organization After you add the accounts to the portal, you'll need to register the necessary accounts with the organization using a command line utility or sample Python script. Be sure to choose the Administrator role for an enterprise account that will be used to administer the portal.
Demote or delete the initial administrator account
Now that you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Prevent users from creating their own accounts
After you've secured access to your portal, it is recommended that you disable the Create an account button and sign-up page (signup.html) in the portal website so people cannot create their own accounts. This means all members sign in to the portal with their enterprise account and credentials, and unnecessary built-in accounts cannot be created. See Disabling users ability to create built-in portal accounts for full instructions.
Disable signing in with ArcGIS accounts
If you would like to prevent users from signing into the portal using an ArcGIS account, you can disable the Using Your ArcGIS Account button on the sign-in page. To do this, follow the steps below.
- Open the ArcGIS Portal Directory sharing location and log in as a member with administrative privileges. The URL is in the format https://webadaptor.domain.com/arcgis/sharing.
- Browse to Home > Portals > Self and scroll down to the bottom of the page. Click Update.
- Browse to the Can SignIn Using ArcGIS option. Set the property to False.
- Click Update Organization.
The sign-in page will display the button to log into the portal using an identity provider account and the button to log in Using Your ArcGIS Account will not be available.
Modifying the SAML identity provider
You can remove the currently registered identity provider by using the Remove Identity Provider button. This button will be enabled only when you've set up a SAML-compliant identity provider. Once you remove the identity provider, you can set up a new one if desired.