Users don't automatically get added to AD-linked Portal groups on SAML signin

10-06-2022 07:13 AM
Jay_Gregory
Occasional Contributor III

I am sure I am misunderstanding how this all should be set up.  

We have configured Portal's identity user and group store to use LDAP.  We are able to create groups and link those groups to existing enterprise / AD groups.  We are able to create user accounts in bulk via the "Add members based on existing enterprise users" and adding members from an enterprise group (i.e. AD group).  

However, when a user logs into Portal (they log in via SAML not IWA or AD credentials), I was under the impression their account (since the SAML IDP is passing the correct username) would be added to any AD-linked Portal group of which the user should be a member.  

Currently that is not happening.  

And furthermore, I thought Portal would also automatically update those groups with the correct members every day at midnight, which is also not happening.  

Any ideas what could be going on here?  Is there some disconnect with the SAML setup for login, and the user/group LDAP identity stores?

Scott_Tansley
MVP Regular Contributor

What software version are you using?  The group connection via AD disappeared back in about 10.6.1 or 10.7.1...  Since then you've needed to configure your SAML2 Identity Provider to send the AD groups as a part of the token exchange.

The Enterprise Portal receives the token as a string of text, and that needs to be matched to groups that you create in the Portal.  This text matching is what allows your users to be authorised to access portal items.

The reason for this, I believe, is because many organisations started deploying Enterprise to the cloud, and the servers weren't physically attached to the AD to 'read' the groups.

It is still possible to use LDAP/AD through integrated windows authentication, but that uses the Web Adaptor in IWA mode.  If using SAML2 then your Web Adaptor should be anonymous, and there should be no connectivity from your Enterprise Portal to LDAP.  They are very separate methodologies for securing the environment.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
Jay_Gregory
Occasional Contributor III

@Scott_Tansley We are at 10.9, deployed in AWS.  We do have "Enable SAML based group membership" enabled in our Portal Security settings for SAML login.  Are you saying we need to work with our SAML IDP to ensure they are sending AD groups info along with user information?  It's possible that our SAML provider might not have visibility into the AD groups though - I'd have to check. I'm not really on that side of the house.

Our Portal can certainly connect to AD groups somehow, since we're able to add users to the Portal by specifying an AD group from which to pull users (described above via adding users in bulk).  And we are NOT using Web Adaptor in IWA mode.  

I guess this is my confusion, since I'm not quite clear how this _should_ be set up.  We want users to log in via SAML identity provider with their PIV card, but we want to leverage existing AD groups for security by linking Portal groups to AD groups and having users populate automatically when they log in.  Need to figure out the best way to set this up, if it's possible.

JeffSmith
Esri Contributor

@Jay_Gregory Once support for SAML-based groups was added to ArcGIS Enterprise around release 10.7, that became the recommended workflow.  Technically using SAML for logins and LDAP for enterprise groups should still work though.  A couple of things to double-check:

* The username attribute used by SAML (corresponding to the "Name ID") needs to match the "usernameAttribute" specified in the group store configuration json string.  If you are connecting to Active Directory, this is usually "sAMAccountName".

* In the SAML login configuration in Portal, make sure the option to "Enable SAML based group membership" is disabled in the advanced settings.  Since you want to use LDAP to manage group membership, you want to make sure Portal is not expecting groups to be passed in the SAML assertion.
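The first check above (the SAML Name ID must match the value of the group store's "usernameAttribute") is the usual reason an LDAP lookup finds no groups; the script below reproduces that mismatch offline. It is an added example, not code from this thread or from Esri, and it assumes a simplified group store JSON with only the "usernameAttribute" and "caseSensitive" keys plus a constructed directory and two constructed assertions.

```python
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the group store configuration JSON string; only the
# keys this check reads are included ("usernameAttribute" is the one named in
# the thread). The directory and assertions below are made-up test data.
GROUP_STORE_CONFIG = json.dumps({"type": "LDAP", "properties": {
    "usernameAttribute": "sAMAccountName", "caseSensitive": "false"}})

# Stand-in for what an LDAP search of the AD would return.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example",
     "memberOf": ["GIS_Editors", "GIS_Viewers"]},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@corp.example",
     "memberOf": ["GIS_Viewers"]},
]

# Minimal assertions: one IdP sends the UPN as Name ID, the other the bare
# account name. Only the Subject is shown; signature etc. are omitted.
ASSERTION_UPN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>
</saml:Assertion>"""
ASSERTION_SAM = ASSERTION_UPN.replace("jdoe@corp.example", "jdoe")


def saml_name_id(assertion_xml):
    """Return the Name ID the IdP asserted (Portal uses it as the username)."""
    node = ET.fromstring(assertion_xml).find("./saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return node.text.strip()


def ldap_groups_for(name_id, config_json=GROUP_STORE_CONFIG, directory=DIRECTORY):
    """Groups the LDAP group store would link for this username.

    The Name ID is looked up by the configured usernameAttribute; an empty
    list is exactly the symptom reported in the thread (no AD-linked groups)."""
    props = json.loads(config_json)["properties"]
    attr = props["usernameAttribute"]
    fold = str if props.get("caseSensitive", "true") == "true" else str.lower
    for entry in directory:
        if fold(entry.get(attr, "")) == fold(name_id):
            return sorted(entry["memberOf"])
    return []
```

Running `ldap_groups_for(saml_name_id(ASSERTION_UPN))` returns an empty list because the UPN never equals the sAMAccountName, while the bare account name resolves to both groups; the fix is on the IdP side (send the matching attribute as Name ID) or in the group store's "usernameAttribute".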