Security Assertion Markup Language (SAML) is an open standard that is used to securely exchange authentication and authorization data between an organization-specific identity provider and a service provider (in this case, your ArcGIS Enterprise organization). This approach is known as SAML Web Single Sign On.
The organization is compliant with SAML 2.0 and integrates with identity providers that support SAML 2 Web Single Sign On. The advantage of setting up SAML is that you do not need to create additional logins for users to access your organization; instead, they use the login that is already set up in an identity store. This process is described throughout the documentation as setting up organization-specific logins. Optionally, you can provide metadata to the portal about the SAML groups in your identity store. This allows you to create groups in the portal that use the existing SAML groups in your identity store. When members sign in to the portal, access to content, items, and data is controlled by the membership rules defined in the SAML group. If you do not provide the necessary SAML group metadata, you can still create groups. However, membership rules are controlled by the ArcGIS Enterprise portal, not the identity store.

Match ArcGIS Online user names in the ArcGIS Enterprise portal
If the same SAML-compliant identity provider is used in your ArcGIS Online organization and your portal, the organization-specific user names can be configured to match. All organization-specific user names in ArcGIS Online have the organization short name appended to the end. The same organization-specific user names can be used in your portal by defining the defaultIDPUsernameSuffix property in the ArcGIS Enterprise portal's security configuration and setting it to match the organization's short name. This is needed if editor tracking is enabled on a feature service that is edited by organization-specific users from both ArcGIS Online and your portal.

SAML sign in
ArcGIS Enterprise supports service provider (SP) initiated organization-specific logins and identity provider (IDP) initiated organization-specific logins. The sign-in experience differs between the two.

Service provider initiated logins
With service provider initiated logins, users access the portal directly and are presented with options to sign in with built-in accounts (managed by the portal) or accounts managed in a SAML-compliant identity provider. If the user chooses the SAML identity provider option, they are redirected to a web page (known as the login manager) where they are prompted to provide their SAML user name and password. Upon verification of the user's login credentials, the SAML-compliant identity provider informs ArcGIS Enterprise of the verified identity of the user who is signing in, and the user is redirected back to the portal website. If the user chooses the built-in account option, the sign-in page for the ArcGIS Enterprise portal website opens. The user then enters their built-in user name and password to access the website. You can use the built-in account option as a fail-safe in case the SAML-compliant identity provider is unavailable, provided the option to sign in with an ArcGIS account has not been disabled.

Identity provider initiated logins
With identity provider initiated logins, users directly access the login manager and sign in with their account. When the user submits their account information, the identity provider sends the SAML response directly to ArcGIS Enterprise. The user is then signed in and redirected to the portal website, where they can immediately access resources without having to sign in to the organization again. The option to sign in using built-in accounts is not available from the login manager. To sign in to the organization with built-in accounts, members must access the portal website directly. If SAML logins fail to work due to issues with the identity provider and the built-in accounts option is disabled, you cannot access your ArcGIS Enterprise portal until you re-enable this option. See this question in Common problems and solutions for instructions.
SAML identity providers
ArcGIS Enterprise supports all SAML-compliant identity providers. The following tutorials demonstrate how to configure certain common SAML-compliant identity providers with ArcGIS Enterprise:
The process of obtaining the necessary metadata from the identity providers above is described in each link. The process of configuring identity providers with ArcGIS Enterprise is described below. Before proceeding, it is recommended that you contact the administrator of your SAML identity provider to obtain the parameters needed for configuration. For example, if your organization uses Microsoft Active Directory, the administrator responsible for it is the person to contact to configure or enable SAML on the organization-specific identity provider side and to get the parameters needed for configuration on the portal side.

Required information
ArcGIS Enterprise requires certain attribute information to be received from the IDP when a user signs in using SAML logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response for federation to work. Since ArcGIS Enterprise uses the value of NameID to uniquely identify a named user, it is recommended that you use a constant value that uniquely identifies the user. When a user from the IDP signs in, a new user with the username NameID is created by the ArcGIS Enterprise organization in its user store. The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters are escaped to underscores in the username created by ArcGIS Enterprise. ArcGIS Enterprise supports the inflow of a user's email address, group memberships, given name, and surname from the SAML identity provider.

User profile mappings
The following table lists which SAML assertion values map to which Portal user properties:
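The NameID handling described above, as an added example that is not part of the Esri documentation or ArcGIS Enterprise's own code: it parses a constructed SAML response, refuses one without a NameID, maps the NameID to a portal user name using the allowed character set, and appends a suffix in the way defaultIDPUsernameSuffix is described. The one-for-one replacement of disallowed characters with underscores and the "_" separator before the suffix are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not real IDP output): NameID contains '+',
# which is outside the character set ArcGIS Enterprise allows in user names.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane.doe+gis@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")  # everything else becomes '_'

def extract_name_id(response_xml: str) -> str:
    """Return the NameID of the first Assertion; NameID is mandatory, so a
    response without it is rejected rather than mapped to an empty user."""
    node = ET.fromstring(response_xml).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML response carries no NameID; federation cannot proceed")
    return node.text.strip()

def portal_username(name_id: str, suffix: str = "") -> str:
    """Derive the portal user name from NameID. Disallowed characters are
    replaced one-for-one with '_' (an assumption about how the escaping works).
    A non-empty suffix models defaultIDPUsernameSuffix; the '_' separator
    before it mirrors the <name>_<orgshortname> form of ArcGIS Online (assumed)."""
    name = DISALLOWED.sub("_", name_id)
    return f"{name}_{suffix}" if suffix else name

def provision(response_xml: str, suffix: str = "") -> str:
    """Full flow: parse the response, enforce NameID, map it to a user name."""
    return portal_username(extract_name_id(response_xml), suffix)

def attribute(response_xml: str, name: str) -> str:
    """Optional profile attributes (email, given name, surname, groups) flow in
    from the IDP; return the first value for `name`, or '' if absent."""
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            val = attr.find("saml:AttributeValue", NS)
            return (val.text or "").strip() if val is not None else ""
    return ""
```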
Configure the portal with a SAML identity provider
You can configure your portal so that users can sign in using the same user name and password that they use with your existing on-premises systems. Before setting up organization-specific logins, you must configure a default user type for your organization.

Designate an organization-specific account as an administrator
How you designate an organization-specific account as an administrator of the portal depends on whether users can join the organization automatically or upon invitation from an administrator.

Join the organization automatically
If you chose the Automatically option to allow users to join the organization automatically, open the portal website home page while signed in with the organization-specific account you want to use as the portal administrator. When an account is first added to the portal automatically, it is assigned the default role configured for new members. Only an administrator of the organization can change the role on an account; you must sign in to the portal using the initial administrator account and assign an organization-specific account to the administrator role.
The SAML account you chose is now an administrator of the portal.

Manually add organization-specific accounts to the portal
If you chose the Upon invitation from an administrator option to only allow users to join the organization with an invitation, you must register the necessary accounts with the organization using a command line utility. Choose the Administrator role for a SAML account that will be used to administer the portal.

Demote or delete the initial administrator account
Now that you have an alternate portal administrator account, you can assign the initial administrator account to another role or delete the account. See About the initial administrator account for more information.

Prevent users from creating their own accounts
You can prevent users from creating their own built-in accounts by disabling the ability for users to create new built-in accounts in the organization settings.

Prevent users from signing in with an ArcGIS account
To prevent users from signing in to the portal using an ArcGIS account, turn off the ArcGIS login toggle button on the sign-in page.
The sign-in page then displays the button to log in to the portal using an identity provider account, and the ArcGIS login button is not available. To re-enable member logins with ArcGIS accounts, turn on the ArcGIS login toggle button in the Logins section.

Modify or remove the SAML IDP
When you've set up a SAML IDP, you can update its settings by clicking the Edit button next to the currently registered SAML IDP. Update the settings in the Edit SAML login window. To remove the currently registered IDP, click the Edit button next to the IDP and click Delete login in the Edit SAML login window. Once you've removed an IDP, you can optionally set up a new IDP or a federation of IDPs.

Best practices for SAML security
To enable SAML logins, you configure ArcGIS Enterprise as an SP for your SAML IDP. To ensure robust security, consider the best practices described below.

Digitally sign the SAML login and logout requests and sign the SAML assertion response
Signatures are used to ensure the integrity of SAML messages and act as a safeguard against man-in-the-middle (MITM) attacks. Digitally signing the SAML request also ensures that the request is sent by a trusted SP, allowing the IDP to better deal with denial-of-service (DoS) attacks. Turn on the Enable signed request option in advanced settings when configuring SAML logins. Enabling signed requests requires that the IDP be updated whenever the signing certificate used by the SP is renewed or replaced. Configure the SAML IDP to sign the SAML response to prevent in-transit altering of the SAML assertion response. Signed responses in turn require that the SP (ArcGIS Enterprise) be updated whenever the signing certificate used by the IDP is renewed or replaced.

Use the HTTPS endpoint of the IDP
Any communication between the SP, the IDP, and the user's browser that is sent over either an internal network or the internet in an unencrypted format can be intercepted by a malicious actor. If your SAML IDP supports HTTPS, it is recommended that you use the HTTPS endpoint to ensure the confidentiality of data transmitted during SAML logins.

Encrypt the SAML assertion response
Using HTTPS for SAML communication secures the SAML messages sent between the IDP and SP. However, signed-in users can still decode and view the SAML messages through the web browser. Enabling encryption of the assertion response prevents users from viewing confidential or sensitive information communicated between the IDP and SP. Enabling encrypted assertions requires that the IDP be updated whenever the encryption certificate used by the SP (ArcGIS Enterprise) is renewed or replaced.

Securely manage the signing and encryption certificates
Use certificates with strong cryptographic keys for digitally signing or encrypting SAML messages, and renew or replace the certificates every three to five years.

What is passed from the service provider to the identity provider in a federated solution?
SAML works by passing information about users, logins, and attributes between the identity provider and service providers. Each user logs in once to Single Sign On with the identity provider, and then the identity provider can pass SAML attributes to the service provider when the user attempts to access those services.
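Returning to the best practices section above: the following added example (not Esri's code, not part of ArcGIS Enterprise) audits constructed IDP metadata and a constructed SAML response against those practices, flagging an IDP that does not require signed requests, SSO endpoints that are not HTTPS, and a response whose assertion is neither signed nor encrypted. It only checks for the presence of signature and encryption elements; cryptographic verification of the signatures needs an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {  # SAML metadata/assertion and XML-DSig namespaces
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IDP metadata: signed requests not required, one HTTP SSO endpoint.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false">
    <md:SingleSignOnService Location="http://idp.example.com/sso"/>
    <md:SingleSignOnService Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed response: Response element signed, Assertion neither signed nor encrypted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion><saml:Subject><saml:NameID>jane</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""

def audit_idp_metadata(metadata_xml: str) -> list:
    """Report IDP metadata settings that conflict with the practices above."""
    findings = []
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["metadata has no IDPSSODescriptor"]
    if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
        findings.append("IDP does not require signed authentication requests")
    for sso in idp.findall("md:SingleSignOnService", NS):
        loc = sso.get("Location", "")
        if urlparse(loc).scheme != "https":
            findings.append("SSO endpoint is not HTTPS: " + loc)
    return findings

def audit_response(response_xml: str) -> list:
    """Presence check: the Response must carry a signature, and the Assertion
    must be encrypted or at least signed (signature bytes are not verified here)."""
    findings = []
    root = ET.fromstring(response_xml)
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed")
    if root.find("saml:EncryptedAssertion", NS) is None:
        findings.append("Assertion is not encrypted")
        assertion = root.find("saml:Assertion", NS)
        if assertion is None or assertion.find("ds:Signature", NS) is None:
            findings.append("Assertion is not signed")
    return findings
```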
Which are commonly passed from the service provider to the identity provider in a federated solution?
Answer: Tokens are commonly passed from the service provider to the identity provider in a federated solution.

What is a service provider and an identity provider?
A service provider is a federation partner that provides services to the user. Identity provider: the identity provider authenticates the user and provides an authentication token (that is, information that verifies the authenticity of the user) to the service provider.

What is an identity provider in an SSO solution?
An identity provider is "a trusted provider that lets you use single sign-on (SSO) to access other websites." SSO enhances usability by reducing password fatigue. It also provides better security by decreasing the potential attack surface.