Configuring organization-specific logins, such as OpenID Connect logins, allows members of your organization to sign in to ArcGIS Enterprise using the same logins they use to access your organization's internal systems. The advantage of setting up organization-specific logins using this approach is that members do not need to create additional logins within the ArcGIS Enterprise system; instead, they can use the login that is already set up with the organization. When members sign in to ArcGIS Enterprise, they enter their organization-specific username and password into your organization's login manager, also known as your organization's identity provider (IDP). Upon verification of the member's credentials, the IDP informs ArcGIS Enterprise of the verified identity for the member who is signing in.
ArcGIS Enterprise supports the OpenID Connect authentication protocol and integrates with IDPs such as Okta and Google that support OpenID Connect.
Set up OpenID Connect logins
The process of configuring an OpenID Connect IDP with ArcGIS Enterprise is described below. Before proceeding, it is recommended that you contact the administrator of the IDP to obtain the parameters needed for configuration.
- Verify that you are signed in as an administrator of your organization.
- At the top of the site, click Organization and click the Settings tab.
- If you plan to allow members to join automatically, configure default settings for new members first.
If necessary, you can change these settings for specific members after they have joined the organization.
- Click New member defaults on the side of the page.
- Select the default user type and role for new members.
- Select the add-on licenses to automatically assign members when they join the organization.
- Select the groups to which members will be added when they join the organization.
- Click Security on the side of the page.
- In the Logins section, click New OpenID Connect login.
- In the Login button label box, type the text that you want to appear on the button that members use to sign in with their OpenID Connect login.
- Choose how members with OpenID Connect logins will join your organization: automatically or added by an administrator.
- In the Registered client ID box, enter the client ID from the IDP.
- In the Registered client secret box, enter the client secret from the IDP.
- In the Provider scopes/permissions box, enter the scopes to send along with the request to the authorization endpoint.
Note: ArcGIS Enterprise supports scopes corresponding to the OpenID Connect identifier, email, and user profile attributes. You may use the standard value of openid profile email for scopes if it is supported by your OpenID Connect provider. Refer to your OpenID Connect provider's documentation for the supported scopes.
- In the Provider issuer ID box, enter the identifier for the OpenID Connect provider.
- Fill in the OpenID Connect IDP URLs as follows:
Refer to the well-known configuration document for the IDP—for example, https://[IdPdomain]/.well-known/openid-configuration—for assistance with filling in the information below. The issuer value in that document must match what you enter for Provider issuer ID, and its authorization_endpoint, token_endpoint, jwks_uri, userinfo_endpoint, and end_session_endpoint entries correspond to the URL fields that follow.
- For OAuth 2.0 authorization endpoint URL, enter the URL of the IDP's OAuth 2.0 authorization endpoint.
- For Token endpoint URL, enter the URL of the IDP's token endpoint for obtaining access and ID tokens.
- Optionally, for JSON web key set (JWKS) URL, enter the URL of the IDP's JSON Web Key Set document.
This document contains signing keys that are used to validate the signatures from the provider. This URL is only used if the User profile endpoint URL (recommended) is not configured.
- For User profile endpoint URL (recommended), enter the endpoint for getting identity information about the user.
If you do not specify this URL, the JSON web key set (JWKS) URL is used instead.
- For Logout endpoint URL (optional), enter the URL of the authorization server's logout endpoint.
This is used to sign out the member from the IDP when the member signs out from ArcGIS.
- Turn on the Send access token in header toggle button to send the access token to the user profile endpoint in the Authorization header (Bearer scheme) rather than as a query string parameter. Query string parameters are commonly recorded in web server and proxy logs, so the header form is preferable whenever the IDP supports it.
- Optionally, turn on the Use PKCE enhanced Authorization Code Flow toggle button.
When this option is turned on, the Proof Key for Code Exchange (PKCE) protocol is used to make the OpenID Connect authorization code flow more secure. Every authorization request creates a unique code verifier, and its transformed value, the code challenge, is sent to the authorization server to obtain the authorization code. The code verifier is then presented at the token endpoint, so an authorization code intercepted in transit cannot be redeemed by a party that does not hold the verifier. The code challenge method used for this transformation is S256, which means that the code challenge is the Base64 URL-encoded (unpadded) SHA-256 hash of the code verifier. The IDP must support the S256 method for this option to work.
- To complete the configuration process, copy the generated Login Redirect URI and Logout Redirect URI (if applicable), and add them to the list of allowed callback URLs for the OpenID Connect IDP. IDPs generally compare redirect URIs by exact string match, so register the generated values verbatim, including scheme, host, port, and path.
- When you're finished, click Save.
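The following script is an added illustration of the pieces the steps above ask you to supply and what ArcGIS Enterprise does with them; it is not ArcGIS Enterprise's own code or an Esri API. It uses only the Python standard library and runs offline against a constructed well-known configuration document (the host idp.example.com, the client ID, and the redirect URI are assumptions). It maps the discovery document onto the form fields, rejects a document whose issuer does not match the Provider issuer ID you intend to register, generates a PKCE verifier and its S256 challenge, builds the authorization request with the openid profile email scopes, and shows the difference between sending the access token in a header and in a query string.

```python
"""OIDC client-side helpers mirroring the ArcGIS Enterprise OpenID Connect form.

Added example; not ArcGIS Enterprise code. Standard library only, runs offline.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample of https://[IdPdomain]/.well-known/openid-configuration.
# idp.example.com is an assumed hostname, not a real provider.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/v1/logout",
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

# Discovery-document key -> label of the matching field in the ArcGIS form.
FIELD_MAP = {
    "issuer": "Provider issuer ID",
    "authorization_endpoint": "OAuth 2.0 authorization endpoint URL",
    "token_endpoint": "Token endpoint URL",
    "jwks_uri": "JSON web key set (JWKS) URL",
    "userinfo_endpoint": "User profile endpoint URL",
    "end_session_endpoint": "Logout endpoint URL",
}


def fields_from_discovery(doc_text: str, issuer_expected: str) -> dict:
    """Map a discovery document onto the form fields, with two sanity checks.

    A document whose issuer differs from the one you mean to register is
    rejected: tokens minted under another issuer would fail validation, or
    worse, come from the wrong provider. S256 support is also required
    before the PKCE toggle is of any use.
    """
    doc = json.loads(doc_text)
    if doc.get("issuer") != issuer_expected:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {issuer_expected!r}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256; PKCE toggle will not work")
    return {label: doc[key] for key, label in FIELD_MAP.items() if key in doc}


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Fresh per-request verifier (43 unreserved chars from 32 random bytes) and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorization_url(fields, client_id, redirect_uri, scopes, state, nonce, code_challenge):
    """Authorization request as the browser is redirected to the IDP (code flow + PKCE)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return fields["OAuth 2.0 authorization endpoint URL"] + "?" + urlencode(params)


def userinfo_request(endpoint, access_token, send_in_header=True):
    """Mirror the 'Send access token in header' toggle: (url, headers) for the userinfo call."""
    if send_in_header:
        return endpoint, {"Authorization": f"Bearer {access_token}"}
    # Off: the bearer token rides in the URL, where server and proxy logs will record it.
    return endpoint + "?" + urlencode({"access_token": access_token}), {}


def redirect_uri_allowed(redirect_uri, allowed):
    """Exact-string comparison, which is how IDPs check a registered callback URL."""
    return redirect_uri in allowed


if __name__ == "__main__":
    fields = fields_from_discovery(SAMPLE_DISCOVERY_DOC, "https://idp.example.com")
    verifier, challenge = new_pkce_pair()
    # Assumed client ID and Login Redirect URI; substitute the values from your IDP and ArcGIS.
    url = build_authorization_url(fields, "arcgis-client-id", "https://gis.example.com/callback",
                                  ["openid", "profile", "email"],
                                  secrets.token_urlsafe(16), secrets.token_urlsafe(16), challenge)
    for label, value in fields.items():
        print(f"{label}: {value}")
    print("authorize:", url)
    print("userinfo (header):", userinfo_request(fields["User profile endpoint URL"], "tok"))
```

The redirect-URI check and the issuer check are the two places where a copy-and-paste slip most often breaks a deployment: a trailing slash or a port difference in the callback URL, or an issuer that differs from the discovery document's issuer, both produce a failed sign-in with little diagnostic detail from the IDP.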
Modify or remove the OpenID Connect IDP
When you've set up an OpenID Connect IDP, you can update its settings by clicking Configure login next to the currently registered IDP. Update your settings in the Edit OpenID Connect login window.
To remove the currently registered IDP, click Configure login next to the IDP and click Delete login in the Edit OpenID Connect login window.