Issues with receiving ArcGIS Pro licenses when transferring from IWA to SAML authentication

3 weeks ago
Jelle_Stu_PR
Occasional Contributor II

We are preparing an authentication migration from Integrated Windows Authentication (IWA) to SAML login through Portal. The new SAML authentication to portal works fine. The issue arises when trying to retrieve ArcGIS Pro Named User licenses once moved to SAML authentication. Our ArcGIS Pro Named User licenses are through ArcGIS Enterprise using our portal URL as licensing URL.

The issue is that once Portal uses the SAML login, ArcGIS Pro still uses the IWA authentication to successfully retrieve an ArcGIS Pro license. It seems that the license is still stored in the key registries.

We have found a solution by removing some key registries as explained here: Perform an ArcGIS Pro soft reset. More specifically, we have narrowed it down by only changing the following 2 yellow keys (black lines are names/tokens of/for our portal):

- Changed the 'Authetication' file from 0 to 2
- Deleted the 'AutoSignIn' file

Jelle_Stu_PR_0-1715200423733.png

After changing these 2 keys, the ArcGIS Pro license follows the SAML authentication procedure correctly. The advantage of only changing these 2 specific keys is that the user does not need to set up the license URL again. This is something which users need to do if the whole ArcGIS Online For Pro\SignIn folder is deleted in the key registry (as suggested in the ArcGIS Pro soft reset procedure).

Changing registry keys is, however, not something which we desire to do for our hundreds of users. This is because users will need to run a .bat file that will execute these changes. Pushing this through the IT department is tricky because the registries won't be changed all at the same time (or maybe not at all), while SAML will be introduced with just one click for everyone.

Things we have tested to ensure an ArcGIS Pro license is directly retrieved through SAML after the authentication migration:

- Deleted all the cache folders of the different browsers
- Reconfigured our license files in our Portal.
- Changed the IWA portal usernames to the new SAML Portal usernames before trying the SAML authentication for Pro. We had hoped this would work because the Portal username would no longer exist, and we were therefore hoping it would force a sign-in again.
- Temporarily changed the license type from Concurrent use and then back to Named User again. This in fact introduced another error. Now, it was no longer possible to receive a license through IWA, but it didn't get it through SAML either.

Also good to mention that this issue also occurs the other way around: transferring from a license through SAML back to IWA: license remains in place according to a SAML authentication. 

We already got in touch with our ESRI support. Their suggestions (named above) all did not provide a good solution. Therefore, I am asking 3 questions here:

1. Does anyone know why the ArcGIS Pro license through IWA remains in place while Portal is already over to SAML? Why do the key registries remain looking to the IWA settings? 

2. If we ask the users to run a .bat file to change the key registries, we do not have control over whether the users will execute it. Does anybody know how long the IWA setting will remain in place before ArcGIS Pro will ask to log in again?

3. Does anyone know another way how we can force ArcGIS Pro to directly look at SAML authentication without asking the users to do anything else?

Thanks and looking forward to hearing your ideas!

best
Jelle Stuurman
