Collection URL: https://esriurl.com/K12SSO
Version 3.1 - Released: January 2022
Today, Google reports that nearly 70 million students and teachers use this suite through logins supplied by their university or school district. Google Workspace, in addition to its productivity tools, can act as a SAML identity provider (IdP), which lets a cloud service provider (SP) such as ArcGIS Online delegate user authentication to the infrastructure the institution already runs.
Requisites:
- Google Workspace (G Suite) account with administrator access
- A domain name (required by Google)
- An ArcGIS Online organizational subscription with administrator access (learn more about free availability for schools)
The steps below consist of creating a custom SAML app in Google Workspace and then configuring ArcGIS Online.
Configure Google Workspace SAML App
1. If you have not already, acquire and set up Google Workspace and ArcGIS Online.
2. Login to your Google Workspace account
3. Open the admin console: https://admin.google.com
4. Use the Main Menu (left side) to open the "Apps" group. Select "Web and mobile apps".
5. Click "Add App" and select "Add custom SAML app".
6. (Google step 1 of 4): Select a name and icon ( example ). We suggest "ArcGIS Online" for the name. Click "Continue".
7. (Google step 2 of 4): Google generates the identity provider information for you. Under Option 1, download and save the IdP metadata file; it contains Google's entity ID, sign-in URL and signing certificate, and ArcGIS Online will import it later. Skip Option 2. Press "Continue".
8. (Google step 3 of 4): Add Service Provider Details (ArcGIS details). Set the following:
a. ACS URL (all lowercase): https://.maps.arcgis.com/sharing/rest/oauth2/saml/signin
b. Entity ID (case-sensitive): .maps.arcgis.com
Confirm the exact value in ArcGIS Online >> Organization > Settings > Security > Logins > Set up SAML Logins (button) > "One Identity Provider" > "Show Advanced Settings" link near the bottom of the window. Scroll down to Entity ID.
c. Start URL: https://.maps.arcgis.com/home/signin.html?
d. Signed Response: unchecked. (With the box unchecked Google signs only the SAML assertion; with it checked Google signs the enclosing response as well. ArcGIS Online verifies the assertion signature with the certificate in the metadata file from step 7, so leave this unchecked unless your organization's security model calls for a signed response as well.)
e. Name ID: Basic Information >> Student ID, or another available identifier that is guaranteed unique per user (see the Advanced SSO documentation). The attributes offered in the pull-downs depend on how your Google Workspace is configured. ArcGIS Online derives the username from the NameID, so the value must also be stable: if it changes for a user, that user gets a new ArcGIS Online account. Do not use the email address as the NameID; doing so is a COPPA violation.
f. Name ID Format: UNSPECIFIED. Press Next.
9. (Google step 4 of 4): Add attribute mappings. (Note: Google allows at most 100 mappings in total across all SAML apps.)
10. Press Finish (save and close).
11. Review any feedback from Google. Press Ok.
Be sure to turn the app ON for Everyone or for Selected Users. Only users the app is turned on for can sign in to ArcGIS Online through it, so this setting, together with the join setting in ArcGIS Online below, controls who can obtain an account.
Configure ArcGIS Online
1. Sign in to your ArcGIS Online organization with an account that has administrator privileges. This account will have been created manually (likely during the original setup) and does not depend on SSO; it continues to work during and after this setup if you use the settings provided here. Keep it, since it is the account you fall back on if the SAML login ever breaks.
2. Click Organization in the top header.
3. Click the Settings tab. Note the left-hand navigation menu.
4. Click New Member Defaults (left-side navigation). These settings apply to all new user accounts, not just SSO-based accounts.
a. Click the pencil icon by words "User Type".
i. Important! Click the pull-down on the right and set it to "Creator" or "GIS Professional Advanced". Do not set it to any other option in a school organizational account.
ii. Set "Role" to "Publisher".
b. "Add-on licenses" can usually be left at default.
c. "Groups" can be left at default.
d. Optionally, under "Credits", set the pull-down to "Set allocation to". 100 credits is typically a good limit to start with. (This option appears only once credit monitoring is enabled; if "Credits" is not visible, press "Credits" in the left-side navigation and enable it.)
e. Default Esri Access: Disabled (disallows access to Esri training and business systems. We recommend Disabled for schools but Enabled for colleges.)
5. Click Security (left-side navigation).
6. Scroll down to Logins >> SAML login.
7. Click button, "New SAML login".
a. Set to "One Identity Provider". Press Next.
b. Set the name. This appears publicly on the ArcGIS Online sign-in page, above the ArcGIS Online login button. Examples: "Johnson Middle School" or "Esri University".
c. Your users will be able to join: Automatically. (Anyone who can authenticate to your Google Workspace and has the SAML app turned on gets an ArcGIS Online account on first sign-in, with the New Member Defaults set above. If that is broader than you intend, narrow the app to selected users in Google, or choose "Upon invitation from an administrator" instead, which requires an administrator to invite each user first.)
d. Metadata for the Enterprise Identity Provider: File (upload the metadata file downloaded from Google earlier).
e. All other settings should autofill from the uploaded file. Advanced settings can typically be left at default, at least initially.
f. Press Save to create identity provider.
Test Settings
Test your connection by either:
-- Going to your ArcGIS Online organization (https://.maps.arcgis.com) and signing in via the new single sign-on button.
-- Accessing your Google Workspace account and clicking the icon in your App Launcher. The new app icon will likely appear at the bottom of the list.
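Before the sign-in test, it is worth checking the two inputs that carry the security of this setup: the IdP metadata file from step 7 (its signing certificate is all ArcGIS Online has to verify that an assertion really came from your Workspace) and the attribute chosen as NameID in step 8e (it must be present, unique and not an email address for every user). The script below is an added example, not code from this guide or from Esri or Google; it parses a constructed metadata sample shaped like Google's file (EXAMPLEID and the certificate body are placeholders) and checks a constructed roster, so it runs offline. Point it at the real metadata file and a real attribute export to use it.

```python
"""Pre-flight checks for a Google Workspace -> ArcGIS Online SAML setup.

Added example, not from the original guide, Esri or Google. Runs offline on
constructed inputs: an abbreviated IdP metadata document shaped like the file
Google produces in step 7 (EXAMPLEID and the certificate are placeholders), and
a roster like one exported from Google Workspace carrying the NameID attribute.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SSO_BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample; the idpid and certificate body are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEID"
    validUntil="2099-01-01T00:00:00.000Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed roster; "studentId" stands in for the attribute chosen as NameID.
SAMPLE_ROSTER = [
    {"primaryEmail": "astudent@school.example", "studentId": "S100201"},
    {"primaryEmail": "bstudent@school.example", "studentId": "S100202"},
    {"primaryEmail": "cstudent@school.example", "studentId": "S100201"},  # duplicate
    {"primaryEmail": "dstudent@school.example", "studentId": ""},         # missing
]


def check_idp_metadata(xml_text, now=None):
    """Return (settings, problems): the entityID, SSO URL and base64 signing
    certificate(s) ArcGIS Online imports in step 7d, plus anything unusable."""
    settings, problems = {"entity_id": None, "sso_url": None, "signing_certs": []}, []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return settings, ["root element is not md:EntityDescriptor"]
    settings["entity_id"] = root.get("entityID")
    if not settings["entity_id"]:
        problems.append("EntityDescriptor has no entityID")
    valid_until = root.get("validUntil")  # optional; reject a stale download
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= (now or datetime.now(timezone.utc)):
            problems.append("IdP metadata expired at " + valid_until)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return settings, problems + ["no IDPSSODescriptor: not IdP metadata"]
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key cannot verify signatures
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        cert_b64 = "".join((node.text or "").split()) if node is not None else ""
        try:
            if cert_b64 and base64.b64decode(cert_b64, validate=True):
                settings["signing_certs"].append(cert_b64)
        except binascii.Error:
            problems.append("signing certificate is not valid base64")
    if not settings["signing_certs"]:
        problems.append("no signing certificate: assertions could not be verified")
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") in SSO_BINDINGS and not settings["sso_url"]:
            settings["sso_url"] = svc.get("Location")
    if not (settings["sso_url"] or "").startswith("https://"):
        problems.append("no HTTPS SingleSignOnService endpoint for a supported binding")
    return settings, problems


def check_nameid_attribute(roster, attr):
    """Problems with `attr` as NameID: must be present, unique, and not an email."""
    problems, seen = [], {}
    for user in roster:
        who, value = user["primaryEmail"], (user.get(attr) or "").strip()
        if not value:
            problems.append("%s: %s is empty" % (who, attr))
        elif EMAIL_RE.match(value):
            problems.append("%s: %s looks like an email address" % (who, attr))
        elif value in seen:
            problems.append("%s: %s=%r duplicates %s" % (who, attr, value, seen[value]))
        else:
            seen[value] = who
    return problems
```

Run the metadata check on the downloaded file before uploading it in step 7d, and the roster check on an export of the attribute you intend to use as NameID. A duplicate NameID means two people would land in one ArcGIS Online account; a NameID that later changes creates a second account for the same person; and a metadata file without a signing certificate would leave ArcGIS Online unable to verify assertions at all.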
You are now ready to use ArcGIS Online with Google G Suite SSO!
Final Notes
Be sure to review Advanced SSO documentation for details on protecting student privacy via the NameID.
Use this document carefully and test your implementation first on non-production systems.
For customized or more powerful user management, consider using the ArcGIS API for Python.