Your organization can use Security Assertion Markup Language (SAML) to authenticate its users and to authorize access to its web-enabled resources. A single SAML-compliant identity provider (IdP) handles user authentication, and the organization's web resources are hosted on one or more service providers (SPs), which authorize access to those resources. The organization has full management control of both its IdP and its service providers. To support SAML-based authentication and authorization, each service provider must be registered with the IdP, and each service provider can be registered with only one IdP.
You can also use SAML to share resources across multiple independently governed organizations. This is made possible by federation management entities, which enable SAML-based sharing of resources between their member organizations. A member organization that wants to share its web resources with the federation reserves one or more of its service providers to work exclusively within the federation. To access a secured resource shared with the federation, a user authenticates their identity with their home organization's IdP. Once successfully authenticated, this validated identity is presented to the service provider hosting the secured resource. The service provider then grants access to the resource after verifying the user's access privileges.
Your ArcGIS Enterprise portal can be configured with a SAML-based federation of IdPs. The portal accesses the discovery service hosted by the federation, which provides a list of the identity providers and service providers participating in the federation.
Some common SAML-based identity provider federations are InCommon, eduGAIN, SWITCHaai, DFN-AAI, and the UK Access Management Federation.
Configure the federation with your portal
Follow these steps to configure a SAML-based federation of identity providers with your portal:
- Sign in to the portal as an administrator and click Organization > Settings > Security.
- In the Logins section, click the New SAML login button, and select the A federation of identity providers option. On the Specify properties page, enter the name of your federation.
This name is displayed to users accessing the portal as the label of the SAML sign-in option.
- Choose how your users can join the portal organization:
- Automatically—Enables users to sign in to the organization with their organization-specific login without needing permission from an administrator, as their account is automatically registered with the portal the first time they sign in.
- Upon invitation from an administrator—Requires the organization administrator to register the necessary accounts with the organization using a command line utility or Python script.
Esri recommends that you designate at least one SAML account as an administrator of your portal, and disable the Create an account button in the portal so that users cannot create their own accounts. For more information, see the Designate a SAML account as an administrator section below.
- Provide the URL to the centralized IdP discovery service hosted by the federation, such as https://wayf.samplefederation.com/WAYF.
- Provide the URL to the federation metadata, which is an aggregation of the metadata of all identity providers and service providers participating in the federation.
- Copy and paste the Base64-encoded certificate that the federation uses to sign its aggregated metadata. The portal uses this certificate to verify the metadata's signature, which makes it the trust anchor for every identity provider in the federation: obtain it from the federation operator over a trusted channel and confirm its fingerprint with them before pasting it, rather than taking it from the metadata file itself.
- Configure advanced settings as applicable:
- Encrypt Assertion—Enable this option to indicate to the SAML identity provider that your portal accepts encrypted SAML assertions. When this option is selected, the identity provider encrypts the assertion element of the SAML response using the portal's encryption certificate, so only the portal can read it. HTTPS already protects SAML traffic in transit, but the SAML response is relayed through the user's browser on its way to the portal; encrypting the assertion additionally keeps its contents (the user's identity and attributes) from the browser and from anything that logs the posted form.
- Enable signed request—Enable this option to have the portal sign the SAML authentication request sent to the IdP. Signing the initial login request sent by the portal allows the IdP to verify that all login requests originate from a trusted service provider.
- Propagate logout to Identity Provider—Enable this option to have the portal use a logout URL to sign the user out of the IdP as well as the portal. If you select it, enter the URL to use in the Logout URL setting. If the IdP requires the logout request to be signed, the Enable signed request option also must be checked. If this option is not checked, clicking Sign Out in the portal ends the portal session only; the user's session with the IdP remains active. Until the browser's session cookies are cleared or the IdP session expires, choosing the organization-specific login option again signs the user back in immediately without prompting for credentials. On a computer that is shared or accessible to the public, this lets the next person at the keyboard resume the previous user's session, so enable this option wherever the IdP supports it.
- Update profiles on sign in—Enable this option to have the portal update users' givenName and email address attributes if they have changed since their last login. This is selected by default.
- Entity ID—Update this value to use a new entity ID to uniquely identify your portal organization to the SAML federation.
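The federation metadata and certificate steps above amount to a trust decision: the portal will accept any IdP listed in the aggregated metadata, provided the metadata's signature verifies against the pasted certificate and the metadata has not expired. The following script is an added example (not Esri's code) of the checks an administrator can run on a downloaded aggregate before configuring it: confirm the document is an EntitiesDescriptor, confirm its validUntil has not passed, compare the fingerprint of the signing certificate embedded in the metadata with the certificate you intend to paste into the portal, and list which entities are IdPs and which are SPs. The XML signature itself is not verified here (that needs XML canonicalization and is the portal's job); the sample metadata, entity IDs, URLs and certificate bytes are constructed placeholders.

```python
"""Sanity checks on an aggregated SAML federation metadata file.
Added example; not part of ArcGIS Enterprise.  Standard library only."""
import base64
import hashlib
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET  # untrusted XML: prefer defusedxml in production

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for a DER-encoded X.509 certificate.
# It is NOT a real certificate; only its fingerprint matters for this check.
FAKE_SIGNING_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256))
FAKE_SIGNING_CERT_B64 = base64.b64encode(FAKE_SIGNING_CERT_DER).decode()

# Constructed sample aggregate with one IdP and one SP.  The ds:Signature is
# illustrative (it cannot be cryptographically verified); only KeyInfo is read.
SAMPLE_FEDERATION_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:mace:samplefederation.com:metadata"
    validUntil="2099-01-01T00:00:00Z">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_SIGNING_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://gis.example.org/portal">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://gis.example.org/portal/saml/acs"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""
# Same sample with a validUntil in the past, to exercise the expiry check.
EXPIRED_FEDERATION_METADATA = SAMPLE_FEDERATION_METADATA.replace(
    'validUntil="2099-01-01T00:00:00Z"', 'validUntil="2020-01-01T00:00:00Z"')


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of a Base64 (PEM body) certificate, colon-separated hex."""
    der = base64.b64decode(re.sub(r"\s+", "", cert_b64))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def metadata_is_current(valid_until: str, now: datetime) -> bool:
    """validUntil is an xs:dateTime; federations publish it in UTC with a Z suffix."""
    expiry = datetime.fromisoformat(valid_until.rstrip("Z")).replace(tzinfo=timezone.utc)
    return now < expiry


def inspect_federation_metadata(xml_text: str, trusted_cert_b64: str, now: datetime = None) -> dict:
    """Return the checks a practitioner wants before trusting an aggregate."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        raise ValueError("expected an aggregated EntitiesDescriptor document")
    valid_until = root.get("validUntil")
    embedded = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    entities = root.findall("md:EntityDescriptor", NS)
    idps = [e.get("entityID") for e in entities if e.find("md:IDPSSODescriptor", NS) is not None]
    sps = [e.get("entityID") for e in entities if e.find("md:SPSSODescriptor", NS) is not None]
    return {
        "valid_until": valid_until,
        "is_current": valid_until is not None and metadata_is_current(valid_until, now),
        "signing_cert_fingerprint": cert_fingerprint(embedded) if embedded else None,
        # The pasted certificate must match the one that actually signed the file.
        "cert_matches_trusted": embedded is not None
        and cert_fingerprint(embedded) == cert_fingerprint(trusted_cert_b64),
        "idps": idps,
        "sps": sps,
    }


if __name__ == "__main__":
    for key, value in inspect_federation_metadata(SAMPLE_FEDERATION_METADATA, FAKE_SIGNING_CERT_B64).items():
        print(f"{key}: {value}")
```

A fingerprint mismatch means either the certificate you were given is wrong or the file was not signed by the federation's key; in both cases stop and confirm with the federation operator. An expired validUntil usually means a stale download, since federations republish their aggregates frequently.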
Register the portal with the SAML federation as a trusted service provider
To complete the configuration process, establish trust with the federation's discovery service and your organizational IdP by registering the portal's service provider metadata with them. There are two ways to obtain this metadata:
- In the Security section of the Settings page for your organization, click the Download service provider metadata button to download the metadata file for your organization.
- Open the URL of the metadata and save it as an XML file on your computer. The URL is https://webadaptorhost.domain.com/webadaptorname/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://webadaptorhost.domain.com/webadaptorname/sharing/rest/generateToken. When entering the URL in the Generate Token page, specify the fully qualified domain name of the identity provider server in the Webapp URL field. Choosing any other option, such as IP Address or IP Address of this request's origin, is not supported and may generate an invalid token. The token is a bearer credential for the account that generated it: request a short expiration and do not share the URL that contains it.
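The second method above can be scripted so the token never passes through a browser or a shared URL. The following is an added example (not Esri's code): it requests a short-lived token from the generateToken endpoint with client=referer, which is what the Webapp URL choice on the Generate Token page corresponds to, downloads the service provider metadata with that token, and extracts the entityID and AssertionConsumerService locations as a sanity check before the file is sent to the federation. The Referer header is sent with both requests because a referer-bound token is only honoured alongside it. The portal URL, account name and sample metadata are placeholders; nothing here is run against a live portal unless you invoke the script.

```python
"""Download the portal's SAML SP metadata with a short-lived token.
Added example; not part of ArcGIS Enterprise.  Standard library only."""
import json
import sys
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample of what the metadata endpoint returns, used for the
# offline sanity-check below.  Real output has more elements and a certificate.
SAMPLE_SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="samltest.domain.com.arcgis">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://samltest.domain.com/arcgis/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sharing_url(webadaptor_url: str, path: str) -> str:
    """Join the web adaptor URL (https://host/webadaptorname) with a /sharing/rest path."""
    return webadaptor_url.rstrip("/") + "/sharing/rest/" + path.lstrip("/")


def token_request(webadaptor_url: str, username: str, password: str, expiration_minutes: int = 5):
    """Build the generateToken POST; client=referer binds the token to the Webapp URL."""
    url = sharing_url(webadaptor_url, "generateToken")
    body = urllib.parse.urlencode({
        "username": username,
        "password": password,
        "client": "referer",
        "referer": webadaptor_url,
        "expiration": str(expiration_minutes),  # keep the token short-lived
        "f": "json",
    }).encode()
    return url, body


def parse_token_response(raw: bytes) -> str:
    """generateToken answers {"token": ..., "expires": ...} or {"error": {...}}."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"generateToken failed: {data['error']}")
    return data["token"]


def metadata_url(webadaptor_url: str, token: str) -> str:
    """The metadata URL given on this page; the token is passed as a query parameter."""
    return sharing_url(webadaptor_url, "portals/self/sp/metadata") + "?token=" + urllib.parse.quote(token, safe="")


def sp_summary(metadata_xml: bytes) -> dict:
    """Extract the values the federation operator will ask about."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD_NS + "EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor (SP metadata)")
    acs = [e.get("Location") for e in root.iter(MD_NS + "AssertionConsumerService")]
    return {"entityID": root.get("entityID"), "acs": acs}


def fetch_sp_metadata(webadaptor_url: str, username: str, password: str) -> bytes:
    """Obtain a referer-bound token and download the SP metadata with it."""
    url, body = token_request(webadaptor_url, username, password)
    headers = {"Referer": webadaptor_url}
    with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers), timeout=30) as resp:
        token = parse_token_response(resp.read())
    # The token is a credential: it goes only into this request, never into logs.
    req = urllib.request.Request(metadata_url(webadaptor_url, token), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    import getpass
    portal, user = sys.argv[1], sys.argv[2]  # e.g. https://samltest.domain.com/arcgis admin
    xml = fetch_sp_metadata(portal, user, getpass.getpass("Portal password: "))
    with open("sp-metadata.xml", "wb") as f:
        f.write(xml)
    print(sp_summary(xml))
```

Run it as `python fetch_sp_metadata.py https://webadaptorhost.domain.com/webadaptorname adminuser`; the password is read from the terminal so it does not land in shell history. The saved sp-metadata.xml is what you hand to the federation administrators in the next step.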
Once you have downloaded the service provider metadata, contact the administrators of the SAML federation for instructions on how to integrate your metadata into the federation's aggregated metadata file. You will also need instructions from them to register your IdP with the federation.
Designate a SAML account as an administrator
How you designate a SAML account as an administrator of the portal will depend on whether users will be able to join the organization Automatically or Upon invitation from an administrator.
Join the organization automatically
If you chose the option to allow users to join the organization Automatically, open the portal while signed in with the SAML account you want to use as the organization administrator.
When an account is first added to the portal automatically, it is assigned the User role. Only an administrator of the organization can change the role on an account; therefore, you must sign in to the portal using the initial administrator account and assign a SAML account to the Administrator role.
- Open the portal, click the option to sign in using a SAML identity provider, and provide the credentials of the SAML account you want to use as an administrator. If this account belongs to someone else, have that user sign in to the portal so the account is registered with the portal.
- Verify that the account has been added to the portal and click Sign Out. Clear your browser's cache and cookies.
- While in the browser, open the portal, click the option to sign in using a built-in portal account, and provide the credentials of the initial administrator account you created when you set up ArcGIS Enterprise.
- Find the SAML account you'll use to administer your portal, and change the role to Administrator. Click Sign Out.
The SAML account you chose is now an administrator of the portal.
Manually add SAML accounts to the portal
If you chose the option to only allow users to join the organization Upon invitation from an administrator, you'll need to register the necessary accounts with the organization using a command line utility. Be sure to choose the Administrator role for a SAML account that will be used to administer the portal.
Demote or delete the initial administrator account
Now that you have an alternate organization administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Prevent users from creating their own accounts
You can prevent users from creating their own built-in accounts by turning off the Create an account option in the organization's security settings, which removes the Create an account button from the sign-in page.
Disable signing in with ArcGIS accounts
If you want to prevent users from signing in to the portal using an ArcGIS account, you can disable the ArcGIS login button on the sign-in page using the following steps:
- Sign in to the portal as an administrator of your organization and click Organization > Settings > Security.
- In the Logins section, disable the toggle button for ArcGIS login.
The sign-in page will display the button to sign in to the portal using an identity provider account, and the button to sign in using an ArcGIS login will not be available. You can re-enable member logins with ArcGIS accounts by turning on the ArcGIS login option under Logins.
Modify or remove the SAML identity provider
When you've set up a federation, you can update the settings for it by clicking the Edit button next to it. Update your settings in the Edit SAML login window.
To remove the federation from your portal, click the Edit button next to it and click Delete login in the Edit SAML login window. Once you remove it, you can optionally set up a new identity provider or federation of identity providers if desired.