You can configure Okta as your identity provider (IDP) for SAML logins in ArcGIS Enterprise. The configuration process involves two main steps: registering your SAML IDP with ArcGIS Enterprise and registering ArcGIS Enterprise with the SAML IDP.
Note:
To ensure that your SAML logins are configured securely, review the best practices for SAML security.
Required information
ArcGIS Enterprise requires certain attribute information to be received from the IDP when a user signs in using SAML logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response to make federation work. Since ArcGIS Enterprise uses the value of NameID to uniquely identify a named user, it is recommended that you use a constant value that uniquely identifies the user. When a user from the IDP signs in, a new user with the user name NameID will be created by the ArcGIS Enterprise organization in its user store. The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be replaced with underscores in the user name created by ArcGIS Enterprise.
ArcGIS Enterprise supports the inflow of a user's email address, group memberships, given name, and surname from the SAML identity provider.
Register Okta as the SAML IDP with ArcGIS Enterprise
- Verify that you are signed in as an administrator of your organization.
- At the top of the site, click Organization and click the Settings tab.
- Click Security on the left side of the page.
- In the Logins section, click the New SAML login button, and select the One identity provider option. On the Specify properties page, type your organization's name (for example, City of Redlands). When users access the portal website, this text displays as part of the SAML sign-in option (for example, Using your City of Redlands account).
Note:
You can only register one SAML IDP, or one federation of IDPs, for your portal.
- Choose Automatically or Upon invitation from an administrator to specify how users can join the organization. Selecting the first option allows users to sign in to the organization with their SAML login without any intervention from an administrator. Their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to register the necessary accounts with the organization using a command line utility. Once the accounts have been registered, users can sign in to the organization.
Tip:
It's recommended that you designate at least one SAML account as an administrator of your portal and demote or delete the initial administrator account. It is also recommended that you disable the Create an account button in the portal website so people cannot create their own accounts. For full instructions, see Configure a SAML-compliant identity provider with your portal.
- Provide metadata information for the IDP using one of the options below:
- File—Download or obtain a copy of the federation metadata file from Okta and upload the file to ArcGIS Enterprise using the File option.
Note:
If this is the first time you are registering a service provider with Okta, you will need to get the metadata file after registering ArcGIS Enterprise with Okta.
- Parameters specified here—Choose this option if the URL or federation metadata file is not accessible. Enter the values manually and supply the requested parameters: the login URL and the certificate, encoded in the BASE 64 format. Contact your Okta administrator to obtain these.
- Configure the advanced settings as applicable:
- Encrypt Assertion—Enable this option to encrypt the Okta SAML assertion responses.
- Enable signed request—Enable this option to have ArcGIS Enterprise sign the SAML authentication request sent to Okta.
- Propagate logout to Identity Provider—Enable this option to have ArcGIS Enterprise use a logout URL to sign out the user from Okta. Enter the URL to use in the Logout URL setting. If the IDP requires the logout URL to be signed, Enable signed request needs to be turned on.
- Update profiles on sign in—Enable this option to have ArcGIS Enterprise update users' givenName and email address attributes if they have changed since they last signed in.
- Enable SAML based group membership—Enable this option to allow organization members to link specified SAML-based groups to ArcGIS Enterprise groups during the group creation process.
- Logout URL—The IDP URL to use to sign out the currently signed in user.
- Entity ID—Update this value to use a new entity ID to uniquely identify your portal to Okta.
The Encrypt Assertion and Enable signed request settings use the certificate samlcert in the portal keystore. To use a new certificate, delete the samlcert certificate, create a certificate with the same alias (samlcert) following the steps in Import a certificate into the portal, and restart the portal.
- When finished, click Save.
- Click Download service provider metadata to download the portal's metadata file. Information in this file will be used to register the portal as the trusted service provider with Okta.
Register ArcGIS Enterprise as the trusted service provider with Okta
- Log in to your Okta organization as a member with administrative privileges.
- On the Applications tab, click the Add Application button.
- Click Create New App and select the SAML 2.0 option. Click Create.
- In General Settings, enter an App Name for your portal deployment and click Next.
- On the Configure SAML tab, do the following:
- Enter the value for Single sign on URL, for example, https://portalhostname.domain.com/portalcontext/sharing/rest/oauth2/saml/signin. This value can be copied from the service provider metadata file downloaded from your portal.
- Enter the value for the Audience URI. The default value is set to portalhostname.domain.com.portalcontext. This value can be copied from the service provider metadata file downloaded from your portal.
- Leave the Name ID format as Unspecified.
- Under Advanced Settings, change the Assertion Signature option to Unsigned.
- In the Attribute Statements section, add these attribute statements:
- givenName set to user.firstName
- surname set to user.lastName
- email set to user.email
- Click Next and click Finish.
- You will now see the Sign On section of your newly created SAML application. To get the Okta IDP metadata, click the Sign On tab and click the Identity Provider metadata link.
- Right-click the People tab and configure which Okta-authenticated users will have access to your portal.
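As an added check (not part of the Esri documentation or product), the following Python script shows what ArcGIS Enterprise expects from the Okta assertion: it parses a constructed SAML response, reports whether the mandatory NameID and the givenName, surname and email attribute statements configured above are present, and derives the user name that would be created from the NameID using the allowed-character rule from the Required information section. The mapping of each disallowed character to one underscore and the sample response are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Attribute names ArcGIS Enterprise reads; they match the Okta attribute statements.
EXPECTED_ATTRIBUTES = ("givenName", "surname", "email")
# Allowed NameID characters are alphanumeric, "_", "." and "@"; anything else
# becomes an underscore (assumption: one underscore per disallowed character).
_DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")

# Constructed sample response, minimal and unsigned; not a real Okta capture.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def arcgis_username(name_id: str) -> str:
    """Derive the user name ArcGIS Enterprise would create from a NameID value."""
    return _DISALLOWED.sub("_", name_id)


def extract_identity(response_xml: str) -> dict:
    """Return the NameID and attribute values carried in a SAML 2.0 response."""
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "attributes": attrs}


def check_identity(identity: dict) -> list:
    """List what is missing: no NameID breaks federation, missing attributes degrade profiles."""
    problems = []
    if not identity["name_id"]:
        problems.append("NameID missing: federation will not work")
    problems += [f"attribute {n} not sent" for n in EXPECTED_ATTRIBUTES if n not in identity["attributes"]]
    return problems
```

Run it against a response captured from your own test sign-in (after signature validation) to confirm the attribute names Okta sends match what the portal expects before enabling Update profiles on sign in.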