You can configure NetIQ Access Manager 3.2 and later versions as your identity provider (IDP) for SAML logins in ArcGIS Enterprise. The configuration process involves two main steps: registering your SAML IDP with ArcGIS Enterprise and registering ArcGIS Enterprise with the SAML IDP.
Note:
To ensure that your SAML logins are configured securely, review the best practices for SAML security.
Required information
ArcGIS Enterprise requires certain attribute information to be received from the IDP when a user signs in using SAML logins. The NameID attribute is mandatory and must be sent by your IDP in the SAML response to make federation work. Because ArcGIS Enterprise uses the value of NameID to uniquely identify a named user, send a value that is unique across your directory and does not change between sign-ins (a value that changes would be treated as a different user). When a user from the IDP signs in for the first time, the ArcGIS Enterprise organization creates a new user in its user store whose username is the NameID value. The allowed characters for the value sent by NameID are alphanumeric, _ (underscore), . (dot), and @ (at sign). Any other characters are replaced with underscores in the username created by ArcGIS Enterprise.
ArcGIS Enterprise supports the inflow of a user's email address, group memberships, given name, and surname from the SAML identity provider.
Register NetIQ Access Manager as the SAML IDP with ArcGIS Enterprise
- Verify that you are signed in as an administrator of your organization.
- At the top of the site, click Organization and click the Settings tab.
- Click Security on the left side of the page.
- In the Logins section, click the New SAML login button, and select the One identity provider option. On the Specify properties page, type your organization's name (for example, City of Redlands). When users access the portal website, this text displays as part of the SAML sign-in option (for example, Using your City of Redlands account).
Note:
You can only register one SAML IDP, or one federation of IDPs, for your portal.
- Choose Automatically or Upon invitation from an administrator to specify how users can join the organization. Selecting the first option allows users to sign in to the organization with their SAML login without any intervention from an administrator. Their account is registered with the organization automatically the first time they sign in. The second option requires the administrator to register the necessary accounts with the organization using a command line utility. Once the accounts have been registered, users can sign in to the organization.
Tip:
It's recommended that you designate at least one SAML account as an administrator of your portal and demote or delete the initial administrator account. It is also recommended that you disable the Create an account button in the portal website so people cannot create their own accounts. For full instructions, see Configure a SAML-compliant identity provider with a portal.
- Provide metadata information for the IDP using one of the three options below:
- URL—Choose this option if the URL of NetIQ Access Manager federation metadata is accessible by ArcGIS Enterprise. The URL is usually https://<host>:<port>/nidp/saml2/metadata on the machine where NetIQ Access Manager is running.
Note:
If your SAML IDP uses a self-signed certificate, you may encounter an error when attempting to specify the HTTPS URL of the metadata, because ArcGIS Enterprise cannot verify the identity provider's certificate. Using HTTP in the URL avoids the error, but metadata fetched over plain HTTP can be altered in transit, and it carries the signing certificate that the portal will trust from then on. Prefer one of the other options below (download the metadata yourself and use the File option) or configure your IDP with a certificate from a CA that ArcGIS Enterprise trusts.
- File—Choose this option if the URL is not accessible by ArcGIS Enterprise. Obtain the metadata from the URL above, save it as an XML file, and upload the file.
- Parameters specified here—Choose this option if neither the URL nor the federation metadata file is accessible. Enter the values manually and supply the requested parameters: the login URL and the signing certificate, encoded in Base64 format. Contact your NetIQ Access Manager administrator to obtain these.
- Configure the advanced settings as applicable:
- Encrypt Assertion—Enable this option if NetIQ Access Manager will be configured to encrypt SAML assertion responses.
- Enable signed request—Enable this option to have ArcGIS Enterprise sign the SAML authentication request sent to NetIQ Access Manager.
- Propagate logout to Identity Provider—Enable this option to have ArcGIS Enterprise use a Logout URL to sign out the user from NetIQ Access Manager. Enter the URL to use in the Logout URL setting. If the IDP requires the logout request to be signed, Enable signed request must also be turned on.
- Update profiles on sign in—Enable this option to have ArcGIS Enterprise update users' givenName and email address attributes if they have changed since they last signed in.
- Enable SAML based group membership—Enable this option to allow organization members to link specified SAML-based groups to ArcGIS Enterprise groups during the group creation process.
- Logout URL—The IDP URL to use to sign out the currently signed in user. This value is automatically populated if defined in the IDP's metadata file. You can update this URL as needed.
- Entity ID—Update this value to use a new entity ID to uniquely identify your portal to NetIQ Access Manager.
The Encrypt Assertion and Enable signed request settings use the certificate samlcert in the portal keystore. To use a new certificate, delete the samlcert certificate, create a certificate with the same alias (samlcert) following the steps in Import a certificate into the portal, and restart the portal.
- Click Save.
Register ArcGIS Enterprise as the trusted service provider with NetIQ Access Manager
- Configure an attribute set.
Follow the steps below to create a new attribute set so the attributes can be sent to ArcGIS Enterprise as part of the SAML assertion after authenticating the user. If you have an existing attribute set already configured in your NetIQ Access Manager, you can use that set as well.
- Sign in to the NetIQ Access Manager administration console. This is usually available at https://<host>:<port>/nps.
- Browse to your identity server in the NetIQ admin console and click the Shared Settings tab. Under Attribute Sets, you'll see any attribute sets you've already created. Click New and create a new attribute set. Enter Portal under Set Name and click Next.
- Define the attribute mappings and add them to the attribute set you created in the previous step.
Click the New link and add the attribute mappings you need. This example maps givenName, email address, and uid. You can choose any attributes from your authentication source instead of these.
Click Finish in the Create Attribute Set wizard. This creates a new attribute set named Portal.
- Follow the steps below to add ArcGIS Enterprise as a trusted provider with NetIQ Access Manager.
- Sign in to the NetIQ admin console, choose your identity server, and click the Edit link.
The General tab opens.
- Click the SAML 2.0 tab and click New > Service Provider.
The Service Provider window is where you add ArcGIS Enterprise as a trusted service provider with NetIQ Access Manager.
- In the Create Trusted Service Provider wizard, click Metadata Text as the Source and paste the metadata of your ArcGIS Enterprise organization in the Text box.
To get the metadata of your ArcGIS Enterprise portal, sign in to your organization as an administrator, click the Settings tab, and click Security on the left side of the page. In the Logins section, under SAML login, click the Download service provider metadata button to download the metadata file for your organization.
Click Next and click Finish to finish adding the trusted service provider.
- Follow the steps below to configure ArcGIS Enterprise and NetIQ Access Manager federation properties.
- On the SAML 2.0 tab, click the service provider link under Service Providers. The Configuration tab opens. Click the Metadata tab and verify that the metadata for your ArcGIS Enterprise organization is correct.
- Click the Configuration tab to go back to the Trust section of the configuration. Select the Encrypt assertions option if you chose the advanced setting Encrypt Assertion when registering NetIQ Access Manager as the SAML IDP with ArcGIS Enterprise.
- Click the Attributes tab.
In this step, you add the attribute mapping from the set you previously created so NetIQ Access Manager can send the attributes to ArcGIS Enterprise in the SAML assertion.
Select the attribute set you created earlier (Portal in this example). After you select your attribute set, the attributes you defined in the set appear in the Available box. Move your givenName and email attributes to the Send with authentication box.
- Click the Authentication Response tab under the Configuration tab of the service provider and set up the authentication response.
Click Post from the Binding drop-down menu.
In the Name Identifier column, check the box next to Unspecified.
In the Default column, select the radio button next to Unspecified.
In the Value column, choose Ldap Attribute uid.
Note:
You can configure any other unique attribute in the attribute set from your authentication source to be sent as NameID. The value of this parameter will be used as the username in the organization.
Click Apply.
- Under Configuration, click the Options tab and choose your user authentication contract, for example, Name/Password - Form, and click Apply.
- Restart NetIQ Access Manager by browsing to your identity server and clicking the Update All link.
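The Python below is an added example (not Esri or NetIQ code) showing what the authentication response configured above looks like from the ArcGIS side. It takes a constructed SAML response (placeholder hosts and a placeholder portal Entity ID, no real signature), checks the Success status, the audience, and that the NameID format is Unspecified, then derives the username using the allowed-character rule from the Required information section and picks up the givenName and email attributes sent with authentication. Reading "alphanumeric" as ASCII and turning each disallowed character into a single underscore are assumptions. It deliberately does not verify the XML signature, InResponseTo, or the NotBefore/NotOnOrAfter window; a real service provider must do those before trusting anything in the message.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Username rule from the page: letters, digits, '_', '.' and '@' are kept and
# anything else becomes an underscore. Reading "alphanumeric" as ASCII and
# emitting one '_' per disallowed character are assumptions made here.
DISALLOWED = re.compile(r"[^A-Za-z0-9_.@]")

PORTAL_ENTITY_ID = "https://portal.example.com/portal"  # placeholder Entity ID

# Constructed response as NetIQ would POST it with the settings above:
# NameID format Unspecified carrying the LDAP uid, plus givenName and email.
# Hosts are placeholders and there is no real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://nam.example.com/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://nam.example.com/nidp/saml2/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://portal.example.com/portal</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jsmith@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def arcgis_username(name_id: str) -> str:
    """Username ArcGIS Enterprise would create for a NameID value."""
    return DISALLOWED.sub("_", name_id.strip())


def map_response(response_xml: str, audience: str) -> dict:
    """Return the account fields a successful response would produce.

    Signature, InResponseTo and NotBefore/NotOnOrAfter checks are left out
    on purpose; do them before calling this in anything real.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        # Zero plaintext assertions usually means Encrypt Assertion is on.
        raise ValueError("expected exactly one plaintext Assertion")
    assertion = assertions[0]

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("NameID is mandatory for ArcGIS federation")
    # SAML Core: a missing Format attribute means 'unspecified'.
    if name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:
        raise ValueError("NameID format does not match the Unspecified setting")

    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion is not addressed to this portal's Entity ID")

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml:AttributeValue", NS)]

    def first(name: str):
        values = attrs.get(name)
        return values[0] if values else None

    return {
        "username": arcgis_username(name_id.text),
        "givenName": first("givenName"),
        "email": first("email"),
    }


def rejection_reason(response_xml: str, audience: str):
    """None if the response maps cleanly, otherwise why it was rejected."""
    try:
        map_response(response_xml, audience)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(map_response(SAMPLE_RESPONSE, PORTAL_ENTITY_ID))
    print(rejection_reason(SAMPLE_RESPONSE, "https://other.example.com/portal"))
```

The audience check is the one most often skipped when troubleshooting: if you change the Entity ID in the portal's advanced settings, NetIQ keeps issuing assertions for the old one until the service provider metadata is re-imported, and the response above would be rejected at that point. Running arcgis_username over a sample of your directory's uid values before go-live shows which accounts will be created under a rewritten name.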