Unlock the answers to your questions related to implementing the different sign in options for your ArcGIS Online organization.
Thanks to everyone who took time out of their busy day to attend the “Demystifying the ArcGIS Online Sign in Options” webinar on March 18. John Osborne and I really enjoyed getting into the details of how to set up the different sign in methods for ArcGIS Online, including social logins and SAML authentication.
Throughout the webinar we received many questions from our energetic audience on all aspects of the sign in process. John and I didn’t get a chance to address all the questions, so, as promised, we put together a Q&A that covers the group’s questions.
GETTING STARTED WITH THE ARCGIS ONLINE SIGN IN OPTIONS
There were several questions focused on the general login parameters and settings in ArcGIS Online. This wasn’t surprising since there are many methods that can be used to sign in. Many of the supporting configurations that you implement in ArcGIS Online also operate independently from the sign in method that is used.
Q: Can we change the login method of existing ArcGIS Online users?
A: No, once a user has been created it is not possible to change the login method they use.
Q: Can an ArcGIS Online user change their username after the account is set up?
A: You cannot change the actual username that identifies you as a unique user in ArcGIS Online. You can, however, change your name, which is also known as your profile name. Your profile and settings are the gateway to making these changes.
The profile name can be changed but the username cannot be changed.
Q: If a user uses both ArcGIS Enterprise and ArcGIS Online, does that use two licenses?
A: Yes. It is important to separate how a user identifies themselves to a system, from what they are licensed to do within that system. For this user to be authorized to use both ArcGIS Online and ArcGIS Enterprise, they will need to be assigned separate ArcGIS Online and ArcGIS Enterprise user types. While ArcGIS Enterprise and ArcGIS Online can be configured to use the same identity provider for user authentication, each environment is responsible for managing what that user is entitled to do.
Q: Groups are one of the most interesting sections in ArcGIS Online security. How do you use groups to share items from different organizations?
A: It is possible to share items across multiple organizations, between users of separate organizations, through an ArcGIS Online group. The ArcGIS Online Help provides details on how to share items with another organization.
CONFIGURING SOCIAL LOGINS
A portion of our webinar covered setting up and using social logins in ArcGIS Online. If you choose this option, your users can sign in to ArcGIS Online using their GitHub, Facebook, Google, or Apple login. A great resource for configuring social logins is this blog post by Bern Szukalski. Additionally, I created a video that walks through the steps of using social logins in your organization.
Q: Can you use the same social login account (your Facebook account) in multiple ArcGIS Online organizations?
A: Yes, you can use the same social login for multiple ArcGIS Online organizations. ArcGIS Online will present an option for you to pick the organization you want to sign in to.
Q: If allowing social media logins for an ArcGIS Hub site (citizen/community engagement account), does that consume an organizational ArcGIS Online account? Can social media sign in be limited to ArcGIS Hub initiatives or is it applied to the entire organization?
A: The social media logins for an ArcGIS Hub site do not consume an organizational ArcGIS Online account. These logins for an ArcGIS Hub site are also known as community accounts and do not provide entry to your organization’s official ArcGIS Online homepage. While users can use social media logins to access ArcGIS Hub initiatives, you do not need to allow social media logins to your organization’s official ArcGIS Online subscription.
CONFIGURING SAML LOGINS
The second half of our webinar involved a deep dive into setting up SAML logins in ArcGIS Online. Configuring organization-specific SAML logins allows members of your organization to sign in to ArcGIS Online using the same logins they use to access your organization's internal systems through its identity provider (IDP). In the webinar, John and I used Azure Active Directory as the IDP, but ArcGIS Online will integrate with any IDP that supports SAML 2.0.
Using SAML logins simplifies the ArcGIS Online administrator’s duties as well, because these logins leverage your organization’s IDP to manage user access to ArcGIS Online. For instance, when a person leaves your organization, their user access will be disabled in the IDP, and this in turn will disable access to the ArcGIS Online system.
Q: Do the SAML logins count against the number of available users in your ArcGIS Online pool of users?
A: Yes. SAML logins provide a way for you to define how a user is authenticated. ArcGIS Online still performs the task of ensuring that the user is authorized and licensed to use the requested resources. In our demonstration, we had ArcGIS Online automatically register these users when they connected for the first time without sending invitations. In this configuration, a new SAML login will be assigned a user type and role as configured in the new member defaults section of your organization settings. This will consume one of your allotted users of the defined type.
Q: If you have existing ArcGIS logins and migrate to SAML logins, do you need to create another account for existing users? If so, is there a way to merge the accounts?
A: Yes, if you are moving to SAML logins from ArcGIS logins you will need to create another account for your existing users to leverage SAML authentication. To move content between the accounts you can use the change owner functionality to move items from one account to another.
Q: Once SAML is set up and users are signed in to the Azure identity provider, do they still need to sign in to ArcGIS Online through Azure Active Directory or do they not need to sign in to ArcGIS Online?
A: The users will need to be authenticated in ArcGIS Online using their Azure Active Directory credentials. If they are already signed in to Azure in an active browser session, they will not be challenged for their credentials when signing in to ArcGIS Online.
Q: Does the user's role that has already been set up in the Azure identity provider carry over to ArcGIS Online with SAML authentication? For example, if they are a Data Editor in Azure and your default new members are Viewers in ArcGIS Online, will they automatically be Data Editors in ArcGIS Online?
A: The roles assigned within your identity provider do not carry over to ArcGIS Online. While it is possible to assign ArcGIS Online group membership within the identity provider, role assignment is done within ArcGIS Online.
Q: Will the SAML provider pass the user credentials through to an un-federated standalone ArcGIS Server using Integrated Windows Authentication to authenticate for secure feature services contained in web maps and apps?
A: A standalone ArcGIS Server does not support SAML logins. For ArcGIS Server to leverage SAML logins, it will need to be federated with the Portal for ArcGIS component of an ArcGIS Enterprise deployment. It is also important to remember that credentials are only passed to the SAML identity provider. Once the provider authenticates the user, it creates a SAML artifact that is shared with the trusted service provider.
You might be interested in additional new functionalities that have been introduced in the latest release of ArcGIS Online related to accounts and administration that John and I didn’t have a chance to cover. Check out the ArcGIS Online Help for more information.
Thanks again for joining us on the webinar. Please consider registering for one of our future webinars.