Your organization can use Security Assertion Markup Language (SAML) to authenticate its computer users and to authorize access to its web-enabled resources. To accomplish this, a single SAML-compliant identity provider (IDP) is configured to handle user authentication. The organization's web resources are hosted on one or more service providers, which handle the authorization of access to the web resources. The organization has full management control of its IDP and service providers. To support SAML-based authentication and authorization, each of the organization's service providers must be registered to work with their IDP. Each service provider can only be registered with a single IDP.
You can also use SAML to share resources across multiple independently governed organizations. This is made possible by federation management entities, which enable SAML-based sharing of resources between their member organizations. A member organization that wants to share its web resources with the federation reserves one or more of its service providers to work exclusively within the federation. To access a secured resource shared with the federation, a user authenticates their identity with their home organization's IDP. Once successfully authenticated, this validated identity is presented to the service provider hosting the secured resource. The service provider then grants access to the resource after verifying the user's access privileges.
At 10.6.1, your ArcGIS Enterprise portal can be configured with a SAML-based federation of IDPs. The portal accesses the discovery service hosted by the federation, which provides a list of the identity providers and service providers participating in the federation.
Configure the federation with your portal
Follow these steps to configure a SAML-based federation of identity providers with your portal.
- Sign in to the portal website as an administrator and click Organization > Settings > Security.
- In the Enterprise Logins section, select the A federation of identity providers option, click the Set Enterprise Login button, and enter the description of your federation in the window that appears. This description is displayed to users accessing the portal website as part of the SAML sign in option.
- Choose how your users can join the portal organization:
- Automatically—Enables users to sign in to the organization with their enterprise login without needing permission from an administrator, as their account is automatically registered with the portal the first time they sign in
- Upon invitation from an administrator—Requires the portal administrator to register the necessary accounts with the organization using a command line utility or Python script
Esri recommends you designate at least one enterprise account as an administrator of your portal, and disable the Create an account button and sign up page (signup.html) in the portal website so that users cannot create their own accounts. For more information, see the Designate an enterprise account as an administrator section below
- Provide the URL to the centralized IDP discovery service hosted by the federation, such as https://wayf.samplefederation.com/WAYF.
- Provide the URL to the federation metadata, which is an aggregation of the metadata of all identity providers and service providers participating in the federation.
- Copy and paste the certificate, encoded in Base64 format, that allows the portal to verify the validity of the federation metadata.
- Configure advanced settings as applicable:
- Encrypt Assertion—Select this option to indicate to the SAML identity provider that your portal supports encrypted SAML assertion responses. When this option is selected, the identity provider encrypts the assertion section of the SAML response. All SAML traffic to and from the portal is already encrypted by the use of HTTPS, but this option adds another layer of encryption.
- Enable Signed Request—Select this option to have the portal sign the SAML authentication request sent to the IDP. Signing the initial login request sent by the portal allows the IDP to verify that all login requests originate from a trusted service provider.
- Propagate logout to Identity Provider—Select this option to have the portal use a logout URL to sign the user out from the IDP. If you select it, enter the URL to use in the Logout URL setting. If the IDP requires the logout URL to be signed, the Enable Signed Request option also must be checked. If this option is not selected, clicking Sign Out in the portal website will sign the user out from the portal, but not from the IDP. If the user's web browser cache is not cleared, attempting to immediately sign back in to the portal using the enterprise login option will immediately log them in without needing to provide credentials to the IDP. This is a security vulnerability that can be exploited when using a computer easily accessible to unauthorized users or to the general public.
- Update profiles on sign in—Select this option to have the portal update users' givenName and email address attributes if they have changed since their last login. This is selected by default.
- Entity ID—Update this value to use a new entity ID to uniquely identify your portal organization to the SAML federation.
Register the portal with the SAML federation as a trusted service provider
To complete the configuration process, establish trust with the federation's discovery service and your organizational IDP by registering the portal's service provider metadata with them. There are two ways to obtain this metadata:
- In the Security section of the Edit Settings page for your organization, click the Get Service Provider button. This shows the metadata for your organization, which you can save as an XML file on your computer.
- Open the URL of the metadata and save as an XML file on your computer. The URL is https://webadaptorhost.domain.com/webadaptorname/sharing/rest/portals/self/sp/metadata?token=<token>, for example, https://samltest.domain.com/arcgis/sharing/rest/portals/self/sp/metadata?token=G6943LMReKj_kqdAVrAiPbpRloAfE1fqp0eVAJ-IChQcV-kv3gW-gBAzWztBEdFY. You can generate a token using https://webadaptorhost.domain.com/webadaptorname/sharing/rest/generateToken. When entering the URL in the Generate Token page, specify the fully qualified domain name of the identity provider server in the Webapp URL field. Choosing any other option, such as IP Address or IP Address of this request's origin, is not supported and may generate an invalid token.
Once you have downloaded the service provider metadata, contact the administrators of the SAML federation for instructions on how to integrate your metadata into the federation's aggregated metadata file. You will also need instructions from them to register your IDP with the federation.
Designate an enterprise account as an administrator
How you designate an enterprise account as an administrator of the portal will depend on whether users will be able to join the organization Automatically or After you add the accounts to the portal.
Join the organization automatically
If you chose the option to allow users to join the organization Automatically, open the portal website home page while logged in with the enterprise account you want to use as the portal administrator.
When an account is first added to the portal automatically, it is assigned the User role. Only an administrator of the organization can change the role on an account; therefore, you must sign in to the portal using the initial administrator account and assign an enterprise account to the administrator role.
- Open the portal website, click the option to sign in using a SAML identity provider, and provide the credentials of the enterprise account you want to use as an administrator. If this account belongs to someone else, have that user sign in to the portal so the account is registered with the portal.
- Verify that the account has been added to the portal and click Sign Out. Clear your browser's cache and cookies.
- While in the browser, open the portal website, click the option to sign in using a built-in portal account, and provide the credentials of the initial administrator account you created when you set up Portal for ArcGIS.
- Find the enterprise account you'll use to administer your portal, and change the role to Administrator. Click Sign Out.
The enterprise account you chose is now an administrator of the portal.
Manually add enterprise accounts to the portal
If you chose the option to only allow users to join the organization After you add the accounts to the portal, you'll need to register the necessary accounts with the organization using a command line utility or sample Python script. Be sure to choose the Administrator role for an enterprise account that will be used to administer the portal.
Demote or delete the initial administrator account
Now that you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Prevent users from creating their own accounts
After you've secured access to your portal, it is recommended that you disable the Create an account button and sign up page (signup.html) in the portal website so people cannot create their own accounts. This means all members sign in to the portal with their enterprise account and credentials, and unnecessary built-in accounts cannot be created. See Disabling users' ability to create built-in portal accounts for full instructions.
Disable signing in with ArcGIS accounts
If you want to prevent users from signing in to the portal using an ArcGIS account, you can disable the Using Your ArcGIS Account button on the sign in page using the following steps.
- Sign in to the portal website as an administrator of your organization and click Organization > Edit Settings > Security.
- In the Sign In Options section, choose the radio button for Their SAML IDP account only, where the IDP will vary depending on what you have configured for your portal.
- Click Save.
The sign in page will display the button to log in to the portal using an identity provider account and the button to log in Using Your ArcGIS Account will not be available. You can re-enable member logins with ArcGIS accounts by choosing the Their SAML IDP account or Portal for ArcGIS account under Sign In Options, where the IDP and name of your portal will vary depending on what you have configured.
Modify or remove the SAML identity provider
You can update the settings for your federation using the Edit Enterprise Login button, or remove the federation from your portal by using the Remove Enterprise Login button. These buttons appear once you've set up the federation with your portal. Once you remove it, you can set up a new identity provider or federation of identity providers if desired.