How partners can set up a single sign-on experience with ArcGIS: part 1

Want to make your ArcGIS apps easier to access for your customers? In this first part of our two-part blog post series, Esri Canada technical solutions specialist Brianna Kelly and solution architect John Osborne take you through a step-by-step process for configuring single sign-on so that you can simplify user management and security.

Access to resources within a secure ArcGIS application is built around the notion of identity. This identity, or ArcGIS identity, is a named user credential that defines the privileges granted to a specific user of your application. While it’s possible to perform all identity management within ArcGIS, many business partners have already adopted a third-party identity access management (IAM) system to control access to their complete solution. Since ArcGIS identities use OAuth 2.0, an industry standard protocol for authorization, you can integrate these two environments and create a single sign-on experience for your users.

Using an approved sales authorization, which grants qualified partners the right to include Esri technology as part of their commercial offering, partners can take advantage of Partner User Types: ArcGIS identities exclusive to Esri business partners that can be used in your ArcGIS applications.

This tutorial will demonstrate how to configure SAML logins in ArcGIS Enterprise with Auth0, an IAM system popular among developers. Many of the concepts discussed in these tutorials will also apply to other IAMs supported by ArcGIS Enterprise.

The steps in this blog post series are available on GitHub. The repository on GitHub also includes optional steps mentioned in this blog post. In the second part of this blog post series, we demonstrate how to build a single sign-on web application.

Although these two blog posts are directed towards our business partner community and focus on Partner User Types in ArcGIS Enterprise, the steps outlined in this series can be used by the greater Esri user community. They apply to all ArcGIS user types on either ArcGIS Enterprise or ArcGIS Online.

Want to find out more about becoming a member of the Esri Partner Network? Get more information now.

To follow along with this tutorial, you’ll need, at a minimum:

  • ArcGIS Enterprise 11 (minimum version 10.9.1) – Administrator account with privileges
  • Lite Partner User Type annual subscription (available to Partners only) or Viewer User Type annual subscription
  • Auth0 account – Auth0 free plan

At the end of this article, your ArcGIS Enterprise environment will be configured to use Auth0 to authenticate your users.

An animated GIF that demonstrates the process of logging into ArcGIS Enterprise using an Auth0 account. First, the user accesses the ArcGIS Enterprise login screen and selects “Sign In”. Then they click the “Auth0 login” button, insert their email address and password on the ensuing screen, and click “Continue”. Then, they select “View my settings” on the ensuing screen and navigate to “Licenses” in the left-hand menu.

Now that we’ve introduced what will be covered in this tutorial and the technical requirements, let’s dive right in!

Part 1: Configure New Member Defaults in ArcGIS Enterprise

When using an IAM like Auth0 to authenticate an ArcGIS Enterprise user, it’s a good practice to configure the default user type and role that a typical Auth0 user will inherit when initially logging in.

  1. Log into your ArcGIS Enterprise as an administrator.
  2. Under the Organization tab, go to Settings, then to New member defaults.
  3. Click the pencil icon under User type.
  4. Select Lite as the default User type and select Viewer as the default Role.
  5. Click Save.

For more information on this topic, review the ArcGIS Online help topic Configure new member defaults.

Part 2: Configure Auth0 as a SAML Identity Provider for ArcGIS Enterprise

  1. Log into your Auth0 account. From your Auth0 dashboard, click on Create Application. Select Single Page Web Application and give your new app a name, then click Create.
  2. Select JavaScript as the technology you are using for your web app.
  3. Under the newly created app’s Settings, expand Advanced Settings.
  4. Select Endpoints and copy the SAML Metadata URL.
  5. Log into your ArcGIS Enterprise as an administrator.
  6. Under the Organization tab, go to Settings and select Security.
  7. Under Logins, select New SAML login. This is where Auth0 will be configured as a SAML Login Identity Provider.
  8. Select One identity provider and click Next.
  9. Provide a name for the organization.
  10. Under Your users will be able to join, select Automatically.
  11. Under Metadata source for Enterprise Identity Provider, make sure the URL option is selected, then paste the SAML Metadata URL copied in Step 4 into the field.
  12. Click Save.

These steps define the minimal configuration parameters required to invite Auth0 users to join your ArcGIS Enterprise portal. Auth0 users will join automatically when they log in to ArcGIS Enterprise portal for the first time. If you prefer to invite Auth0 users, view the Portal for ArcGIS help topic Add members to your portal. Further configuration steps are continued in Part 3.

Part 3: Configure ArcGIS Enterprise as a Service Provider to Auth0

  1. Log into your ArcGIS Enterprise as an administrator.
  2. Under the Organization tab, go to Settings, then to Security.
  3. Under Logins, next to Auth0 login > SAML login, select Configure login.
  4. In the Edit SAML login dialogue box, select Download service provider metadata to extract the ArcGIS Enterprise metadata you’ll need to further configure Auth0.
  5. Save and open the downloaded XML file.
  6. Locate the “AssertionConsumerService” tag. Copy the URL shown under the Location attribute. The URL should follow this pattern:

https://hostname.fqdn/webadaptor/sharing/rest/oauth2/saml/signin

  7. On your Auth0 dashboard, select Applications, then navigate to your ArcGIS app.
  8. Select the Addons tab.
  9. Enable the SAML2 WEB APP Addon. The configuration dialogue box will open.
  10. Select the Settings tab and paste the URL copied in Step 6 into the Application Callback URL input box.
  11. Scroll to the bottom of the configuration dialogue box and select Enable and Save.

You have now configured Auth0 as an identity provider that sends SAML responses to ArcGIS Enterprise.


Part 4: Customize the Auth0 SAML Assertion

  1. From your Auth0 Dashboard, click on Applications, then select your ArcGIS app.
  2. Navigate to the Addons tab.
  3. Select SAML2 WEB APP to open the configuration dialogue box.
  4. Navigate to the Settings tab, then replace the JSON text in the Settings field with the following:

    ```
    {
        "mappings": {
            "nickname":    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
            "email":       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "name":        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "given_name":  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
            "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
            "upn":         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
            "groups":      "http://schemas.xmlsoap.org/claims/Group"
        }
    }
    ```

  5. Click Save.

The Auth0 identity username and profile are now properly encoded in the SAML assertion returned to ArcGIS Enterprise. For more information on this topic, review the Auth0 help topic Customize SAML Assertions.

Part 5: Configure Advanced SAML Settings in ArcGIS Enterprise

  1. Log into ArcGIS Enterprise as an administrator.
  2. Under the Organization tab, go to Settings, then to Security.
  3. Under Logins, next to Auth0 login > SAML login, select Configure login.
  4. In the Edit SAML login dialogue box, select Show advanced settings.
  5. Enable the following parameters:
    1. Turn on Enable signed request.
    2. Enable Sign using SHA256.
    3. Enable Propagate logout to Identity Provider.

While encrypting the SAML assertion is not necessary to complete this tutorial, it is a recommended best practice for securing production environments. To encrypt the assertion, an Auth Pipeline Rule must be configured in the Auth0 Dashboard. To learn more about Auth Pipeline Rules, visit the Auth0 help topic Sign and Encrypt SAML Requests. The additional steps required to encrypt the assertion are included in the GitHub repository associated with this blog.

  6. Click Save.
  7. Open the ArcGIS configuration text file. Locate the “SingleLogoutService” tag. Copy the URL shown under the Location attribute. The URL should follow this pattern:

https://hostname.fqdn/webadaptor/sharing/rest/oauth2/saml/signout

  8. On your Auth0 dashboard, select Applications, then navigate to your ArcGIS app.
  9. Select the Addons tab.
  10. Select SAML2 WEB APP to open the configuration dialogue box.
  11. Navigate to the Settings tab, and replace the JSON text within the Settings field with the following:

    ```
    {
        "logout": {
            "callback": "REPLACE_WITH_SIGNOUT_URL_FROM_ARCGIS_METADATA",
            "slo_enabled": true
        },
        "mappings": {
            "nickname":    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
            "email":       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "name":        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "given_name":  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
            "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
            "upn":         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
            "groups":      "http://schemas.xmlsoap.org/claims/Group"
        }
    }
    ```

Note: Be sure to use the URL copied from Step 7 as the callback parameter above.

  12. Click Save. Close the dialogue box.
  13. Navigate to Settings in your Auth0 Single Page Application.
  14. Add the callback parameter copied from Step 7 to the Allowed Callback URLs.
  15. Click Save Changes.

Signing the SAML request sent by ArcGIS Enterprise to Auth0 helps to secure the transactions between each environment. You can further secure this communication by encrypting the assertion created by Auth0. Finally, ArcGIS Enterprise is now configured to notify Auth0 when a user logs out of ArcGIS Enterprise.
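The metadata lookups in Part 3 (Step 6) and Part 5 (Step 7) can be scripted so the sign-in and sign-out URLs are checked before they are pasted into Auth0. The Python below is an added example, not part of the original post or its GitHub repository; the sample metadata is constructed, `hostname.fqdn` is the placeholder from the URL patterns above, and the function names are hypothetical.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Auth0 profile field -> claim name, as in the mappings block of the post.
NAMES = {"nickname": "nameidentifier", "email": "emailaddress", "name": "name",
         "given_name": "givenname", "family_name": "surname", "upn": "upn"}

# Constructed sample of downloaded service provider metadata (placeholder host).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="hostname.fqdn">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://hostname.fqdn/webadaptor/sharing/rest/oauth2/saml/signout"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://hostname.fqdn/webadaptor/sharing/rest/oauth2/saml/signin"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def endpoint(root, tag, suffix):
    """Return the Location of the first <tag>, checked against the post's URL pattern."""
    node = root.find(f".//{MD}SPSSODescriptor/{MD}{tag}")
    location = node.get("Location") if node is not None else None
    if not location:
        raise ValueError(f"{tag} with a Location attribute not found")
    url = urlsplit(location)
    if url.scheme != "https" or not url.path.endswith(suffix):
        raise ValueError(f"{tag} Location is not https://...{suffix}: {location}")
    return location

def build_addon_settings(metadata_xml):
    """Return (Application Callback URL, SAML2 Web App addon settings dict)."""
    root = ET.fromstring(metadata_xml)  # file downloaded from your own portal
    signin = endpoint(root, "AssertionConsumerService", "/oauth2/saml/signin")
    signout = endpoint(root, "SingleLogoutService", "/oauth2/saml/signout")
    if urlsplit(signin).netloc != urlsplit(signout).netloc:
        raise ValueError("sign-in and sign-out endpoints are on different hosts")
    mappings = {field: CLAIMS + claim for field, claim in NAMES.items()}
    mappings["groups"] = "http://schemas.xmlsoap.org/claims/Group"
    logout = {"callback": signout, "slo_enabled": True}
    return signin, {"logout": logout, "mappings": mappings}

if __name__ == "__main__":
    callback, settings = build_addon_settings(SAMPLE_METADATA)
    print("Application Callback URL:", callback)
    print(json.dumps(settings, indent=4))
```

To use it with real metadata, pass the contents of the XML file downloaded in Part 3 to `build_addon_settings` instead of the constructed sample.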

What’s next?

This concludes part one of our two-part blog post series. To learn more about how to build a single sign-on web app, check out part two.

If you’re interested in adding ArcGIS technology to a commercial application or have questions about the Sales Authorization process, please contact us at bpp@esri.ca.

About the Author

Brianna Kelly is a Technical Solutions Specialist on the Strategic Alliances team at Esri Canada. She supports business partners in the Esri Partner Network (EPN) across Canada with partner programs, benefits and Esri technology enablement.
