You can configure OpenAM 10.1.0 and later versions as your identity provider (IDP) for SAML logins in ArcGIS Enterprise. The configuration process involves two main steps: registering your SAML IDP with ArcGIS Enterprise and registering ArcGIS Enterprise with the SAML IDP.
Note:
To ensure that your SAML logins are configured securely, review the best practices for SAML security.
Required information
ArcGIS Enterprise requires certain attribute information to be received from the IDP when a user signs in using SAML logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response to make federation work. Since ArcGIS Enterprise uses the value of NameID to uniquely identify a named user, it is recommended that you use a constant value that uniquely identifies the user. When a user from the IDP signs in, a new user with the user name NameID will be created by the ArcGIS Enterprise organization in its user store. The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters will be escaped to contain underscores in the user name created by ArcGIS Enterprise.
ArcGIS Enterprise supports the inflow of a user's email address, group memberships, given name, and surname from the SAML identity provider.
Register OpenAM as the SAML IDP with ArcGIS Enterprise
- Verify that you are signed in as an administrator of your organization.
- At the top of the site, click Organization and click the Settings tab.
- Click Security on the left side of the page.
- In the Logins section, click the New SAML login button, and select the One identity provider option. On the Specify properties page, type your organization's name (for example, City of Redlands). When users access the portal website, this text displays as part of the SAML sign-in option (for example, Using your City of Redlands account).
Note:
You can only register one SAML IDP, or one federation of IDPs, for your portal.
- Choose Automatically or Upon invitation from an administrator to specify how users can join the organization. Selecting the first option allows users to sign in to the organization with their SAML login without any intervention from an administrator. Their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to register the necessary accounts with the organization using a command line utility. Once the accounts have been registered, users can sign in to the organization.
Tip:
It's recommended that you designate at least one SAML account as an administrator of your portal and demote or delete the initial administrator account. It is also recommended that you disable the Create an account button in the portal website so people cannot create their own accounts. For full instructions, see Configure a SAML-compliant identity provider with your portal.
- Provide metadata information for the IDP using one of the three options below:
- URL—Choose this option if the URL of OpenAM federation metadata is accessible by ArcGIS Enterprise. The URL is usually https://<host>:<port>/openam/saml2/jsp/exportmetadata.jsp.
Note:
If your SAML IDP includes a self-signed certificate, you may encounter an error when attempting to specify the HTTPS URL of the metadata. This error occurs because ArcGIS Enterprise cannot verify the IDP's self-signed certificate. Alternatively use HTTP in the URL, one of the other options below, or configure your IDP with a trusted certificate.
- File—Choose this option if the URL is not accessible by ArcGIS Enterprise. Obtain the metadata from the URL above, save it as an XML file, and upload the file.
- Parameters specified here—Choose this option if the URL or federation metadata file is not accessible. Enter the values manually and supply the requested parameters: the login URL and the certificate, encoded in the BASE 64 format. Contact your OpenAM administrator to obtain these.
- URL—Choose this option if the URL of OpenAM federation metadata is accessible by ArcGIS Enterprise. The URL is usually https://<host>:<port>/openam/saml2/jsp/exportmetadata.jsp.
- Configure the advanced settings as applicable:
- Encrypt Assertion—Enable this option if OpenAM will be configured to encrypt SAML assertion responses.
- Enable signed request—Enable this option to have ArcGIS Enterprise sign the SAML authentication request sent to OpenAM.
- Entity ID—Update this value to use a new entity ID to uniquely identify your portal to OpenAM.
- Update profiles on sign in—Enable this option to have ArcGIS Enterprise update users' givenName and email address attributes if they have changed since they last signed in.
- Enable SAML based group membership—Enable this option to allow organization members to link specified SAML-based groups to ArcGIS Enterprise groups during the group creation process.
The Encrypt Assertion and Enable signed request settings use the certificate samlcert in the portal keystore. To use a new certificate, delete the samlcert certificate, create a certificate with the same alias (samlcert) following the steps in Import a certificate into the portal, and restart the portal.
Note:
Currently, Propagate logout to Identity Provider and Logout URL are not supported.
- Click Save.
Register ArcGIS Enterprise as the trusted service provider with OpenAM
- Configure a hosted IDP in OpenAM.
- Sign in to the OpenAM administration console. This is usually available at https://servername:port/<deploy_uri>/console.
- On the Common Tasks tab, click Create Hosted Identity Provider.
- Create a hosted IDP and add it to a Circle of Trust. You can add it to an existing circle of trust if you already have it or create a new circle of trust.
- By default, the hosted IDP works with OpenDJ, the embedded user store that comes with OpenAM. If you want to connect OpenAM to any other user stores such as Active Directory, you need to create a new data source on the Access Control tab of the mainOpenAM administration console.
- Configure ArcGIS Enterprise as a trusted service provider with OpenAM.
- Obtain the metadata file of your portal and save it as an XML file.
To get the metadata file, sign in as an administrator of your organization and open your organization page. Click the Settings tab and click Security on the left side of the page. In the Logins section, under SAML login, click the Download service provider metadata button.
- In the OpenAM administration console under Common Tasks, click Register Remote Service Provider.
- Select the File option for the metadata and upload the metadata XML file saved in the previous step.
- Add this service provider to the same circle of trust to which you added your IDP.
- Obtain the metadata file of your portal and save it as an XML file.
- Configure the NameID format and attributes that OpenAM needs to send to ArcGIS Enterprise after authenticating the user.
- In the OpenAM administration console, click the Federation tab. The tab contains the circle of trust you previously added and the service and IDP.
- Under Entity Providers, click your IDP.
- On the Assertion Content tab, under Name ID Format, verify that urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is listed at the top. This is the format of NameID that ArcGIS Enterprise will request in its SAML request to OpenAM.
- Under Name ID Value Map, map an attribute from the user's profile, such as mail or upn, that will be returned as NameID to ArcGIS Enterprise after the user is authenticated.
Example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified =upn
- Click the Assertion Processing tab in the IDP. Under Attribute Mapper, configure attributes from the user profile that you want to be sent to ArcGIS Enterprise.
Click Save to save the NameID format and the attribute content changes.
- On the Federation tab of the OpenAM administration console, browse to the ArcGIS Enterprise service provider under Entity Providers.
- On the Assertion Content tab, under Encryption, select the Assertion option if you chose the advanced setting Encrypt Assertion when registering OpenAM as the SAML IDP with ArcGIS Enterprise.
- Under Name ID Format, verify that urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is listed at the top. This is the format of NameID that ArcGIS Enterprise will request in its SAML request to OpenAM..
- Click the Assertion Processing tab in the IDP. Under Attribute Mapper, configure attributes from the user profile that you want to be sent to ArcGIS Enterprise.
- Click Save to save the Name ID Format and the attribute content changes.
- Restart the web server where OpenAM is deployed.