Configure Okta

You can configure Okta as your identity provider (IDP) for enterprise logins in Portal for ArcGIS. The configuration process involves two main steps: registering your enterprise IDP with Portal for ArcGIS and registering Portal for ArcGIS with the enterprise IDP.

Optionally, you can provide metadata to the portal about the enterprise groups in your identity store. This allows you to create groups in the portal that leverage the existing enterprise groups in your identity store. When members log in to the portal, access to content, items, and data is controlled by the membership rules defined in the enterprise group. If you do not provide the necessary enterprise group metadata, you'll still be able to create groups. However, membership rules will be controlled by Portal for ArcGIS, not the identity store.

Required information

Portal for ArcGIS requires certain attribute information to be received from the IDP when a user logs in using enterprise logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response for the federation with Portal for ArcGIS to work. When a user from the IDP logs in, Portal for ArcGIS creates a new user in its user store whose user name is the NameID value. The allowed characters for the value sent in the NameID attribute are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters are replaced with underscores in the user name created by Portal for ArcGIS.

Portal for ArcGIS also accepts the givenName and email address attributes of the enterprise login from the enterprise IDP. When a user signs in using an enterprise login and Portal for ArcGIS receives attributes named givenname and email or mail (matched case-insensitively), it populates the full name and the email address of the user account with the values received from the IDP. It's recommended that you pass in the email address from the enterprise IDP so the user can receive notifications.
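The following added example (illustration only, not Portal for ArcGIS code) shows the attribute handling described above: it rejects an assertion without NameID, derives the portal user name by replacing every character outside the allowed set with an underscore, and matches givenname, email and mail case-insensitively. The sample assertion is constructed and unsigned.

```python
"""Illustration of the page's NameID and attribute rules (not Portal for ArcGIS code)."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Allowed characters per the page: alphanumeric, underscore, dot, at sign.
DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")


def portal_username(name_id: str) -> str:
    """Map a NameID value to the user name the page says the portal creates."""
    return DISALLOWED.sub("_", name_id)


def extract_login_attributes(assertion_xml: str) -> dict:
    """Return user name, full name and email from a SAML 2.0 assertion.

    Raises ValueError when NameID is missing, since the page states that
    federation cannot work without it.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("SAML assertion has no NameID; federation cannot proceed")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # Attribute names are compared case-insensitively, as the page describes.
        attrs[attr.get("Name", "").lower()] = values[0] if values else ""
    return {
        "username": portal_username(name_id),
        "full_name": attrs.get("givenname", ""),
        "email": attrs.get("email") or attrs.get("mail", ""),
    }


# Constructed sample assertion (unsigned, illustration only). The NameID contains
# a space and a hyphen, which are not allowed characters.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>jane doe-smith@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane Doe-Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(extract_login_attributes(SAMPLE_ASSERTION))
```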

Register Okta as the enterprise IDP with Portal for ArcGIS

  1. Sign in to the portal website as an administrator of your organization and click My Organization > Edit Settings > Security.
  2. In the Enterprise Logins via SAML section, click the Set Identity Provider button and enter your organization's name in the window that appears (for example, City of Redlands). When users access the portal website, this text displays as part of the SAML sign-in option (for example, Using your City of Redlands account).
    Note:

    You can only register one enterprise IDP for your portal.

  3. Choose whether your users will be able to join the organization Automatically or After you add the accounts to the portal. Selecting the first option enables users to sign in to the organization with their enterprise login without any intervention from an administrator. Their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to register the necessary accounts with the organization using a command line utility or sample Python script. Once the accounts have been registered, users will be able to sign in to the organization.
    Tip:

    It's recommended that you designate at least one enterprise account as an administrator of your portal and demote or delete the initial administrator account. It is also recommended that you disable the Create an account button and sign-up page (signup.html) in the portal website so people cannot create their own accounts. For full instructions, see Configuring a SAML-compliant identity provider with your portal.

  4. Provide metadata information for the IDP using one of the options below:
    • File—Download or obtain a copy of the federation metadata file from Okta and upload the file to Portal for ArcGIS using the File option.
      Note:
      If this is the first time you are registering a service provider with Okta, you will need to get the metadata file after registering Portal for ArcGIS with Okta.
    • Parameters—Choose this option if the federation metadata file is not accessible. Enter the values manually and supply the requested parameters: login URL and certificate. Contact your Okta administrator to obtain these.
  5. Configure the advanced settings as applicable:
    • Encrypt Assertion—Select this option to encrypt the Okta SAML assertion responses.
    • Enable Signed Request—Select this option to have Portal for ArcGIS sign the SAML authentication request sent to Okta.
    • Propagate logout to Identity Provider—Select this option to have Portal for ArcGIS use a logout URL to sign out the user from Okta. Enter the URL to use in the Logout URL setting. If the IDP requires the logout URL to be signed, Enable Signed Request needs to be checked.
    • Logout URL—The IDP URL to use to sign out the currently signed in user.
    • Entity ID—Update this value to use a new entity ID to uniquely identify your portal to Okta.

    The Encrypt Assertion and Enable Signed Request settings use the certificate samlcert in the portal keystore. To use a new certificate, delete the samlcert certificate, create a new certificate with the same alias (samlcert) following the steps in Import a certificate into the portal, and restart the portal.

  6. When finished, click Update Identity Provider.
  7. Click Get Service Provider to download the portal's metadata file. Information in this file will be used to register portal as the trusted service provider with Okta.
  8. Optionally provide metadata to the portal about the enterprise groups in the identity store:
    1. Sign in to the ArcGIS Portal Directory as an administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
    2. Click Security > Config > Update Identity Store.
    3. Place the group configuration JSON in the Group store configuration (in JSON format) text box.
      • If your identity store is Windows Active Directory, copy the following text and alter it to contain the information specific to your site:

        {
          "type": "WINDOWS",
          "properties": {
            "isPasswordEncrypted": "false",
            "userPassword": "secret",
            "user": "mydomain\\winaccount"
          }
        }

        In most cases, you will only need to alter values for the user and userPassword parameters. Although you type the password in clear text, it will be encrypted when stored in the portal's configuration directory or viewed. The account you use for the user parameter only needs permissions to look up the names of Windows groups on the network. If possible, use an account whose password does not expire.

      • If your identity store is LDAP, copy the following text and alter it to contain the information specific to your site:

        {
          "type": "LDAP",
          "properties": {
            "userPassword": "secret",
            "isPasswordEncrypted": "false",
            "user": "uid=admin,ou=system",
            "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
            "ldapURLForRoles": "ldaps://bar2:10636/dc=example,dc=com",
            "usernameAttribute": "cn",
            "caseSensitive": "false",
            "userSearchAttribute": "cn",
            "memberAttributeInRoles": "member",
            "rolenameAttribute": "cn"
          }
        }

        In most cases, you'll only need to alter values for the user, userPassword, ldapURLForUsers, and ldapURLForRoles parameters. The URL to your LDAP will need to be provided by your LDAP administrator.

        In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher level OU or even the root level if needed. In that case, the URL would instead look like this:

        "ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",

        The account you use for the user parameter needs permissions to look up the names of groups in your organization. Although you type the password in clear text, it will be encrypted when stored in the portal's configuration directory or viewed.

        If your LDAP is configured to be case insensitive, set the caseSensitive parameter to false.

    4. When you finish entering the JSON for the user store configuration, click Update Configuration to save your changes and restart the portal.

Register Portal for ArcGIS as the trusted service provider with Okta

  1. Log in to your Okta organization as a member with administrative privileges.
  2. On the Applications tab, click the Add Application button.
  3. Click Create New App and select the SAML 2.0 option. Click Create.
  4. In General Settings, enter an App Name for your portal deployment and click Next.
  5. On the Configure SAML tab, do the following:
    1. Enter the value for Single sign on URL, for example, https://portalhostname.domain.com/portalcontext/sharing/rest/oauth2/saml/signin. This value can be copied from the service provider metadata file downloaded from your portal.
    2. Enter the value for the Audience URI. The default value is set to portalhostname.domain.com.portalcontext. This value can be copied from the service provider metadata file downloaded from your portal.
    3. Leave the Name ID format as Unspecified.
    4. Under Advanced Settings, change the Assertion Signature option to Unsigned.
    5. In the Attribute Statements section, add these attribute statements:

      givenName set to user.firstName + " " + user.lastName

      email set to user.email

  6. Click Next and click Finish.
  7. You will now see the Sign On section of your newly created SAML application. To get the Okta IDP metadata, click the Sign On tab and click the Identity Provider metadata link.
  8. Right-click the People tab and configure which Okta-authenticated users will have access to your portal.