Does Portal inherit AD configured membership groups and will users be added to these groups upon login to Portal with their Enterprise Login?


Portal for ArcGIS may be configured for Enterprise logins (e.g. SAML/Active Directory). An organisation may require its Portal content to be managed based on Active Directory group membership. This post answers the question “Does Portal automatically create groups to match Active Directory Groups and will users automatically be added to these groups when first logging in to Portal using their Enterprise Logins?”

The answer is yes; we simply need to configure Portal groups and bind them to the Active Directory groups using the steps below.

Does Portal inherit Active Directory Configured Membership groups?
 
Portal for ArcGIS does not automatically create groups to match what is available in Active Directory. The GIS Administrator will need to create and configure groups in Portal for ArcGIS for each of the Active Directory groups that they want to allow membership of.
 
How to configure Portal to enable Enterprise Group Membership

The user will need to manually create the Portal groups and then bind them to the Active Directory groups.

First, configure the organisation's SAML settings to enable SAML-based group membership. This may be done via Organisations > Settings > Security > Logins > Configure > Advanced Settings



You will then have the ability to create Portal groups with the setting “Enable SAML based group membership”


Here is where you will need to configure the enterprise group name. This name may not be a recognisable name; it may be a group ID or SID. Members will only be added to the group once they have logged in, and only if there is a group in the SAML assertion response which matches the enterprise group name.



Can SAML/Active Directory users be automatically added to configured Enterprise groups when signing into Portal?
 
Yes. Once you have configured the Portal groups and associated them with their respective Active Directory groups, you do not need to manage membership of those groups within Portal. When a user logs in with their enterprise account, the groups of which they are members in Active Directory are returned in the SAML response, and ArcGIS reflects that by allowing the user membership of the matching groups you have defined.
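When a user logs in but does not land in the expected Portal group, the usual cause is that the enterprise group name entered on the group does not match what the identity provider actually sends (for example a SID rather than a display name). The following is an added example, not part of the original post or Esri's code: it reads the group values from a SAML assertion and compares them with the enterprise group names you configured. The attribute names, the sample assertion, the group names and the exact-match comparison are all assumptions to adjust for your IdP.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: names your IdP may use for the group claim (compared in lower case).
GROUP_ATTRIBUTE_NAMES = {"group", "groups", "memberof",
                         "http://schemas.xmlsoap.org/claims/group"}

# Constructed sample assertion fragment, not captured from a real IdP.
SAMPLE_ASSERTION = f"""\
<saml:Assertion xmlns:saml="{SAML}">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>GIS_Editors</saml:AttributeValue>
      <saml:AttributeValue>S-1-5-21-1111111111-2222222222-3333333333-1105</saml:AttributeValue>
      <saml:AttributeValue>gis_viewers </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def groups_in_assertion(xml_text, names=GROUP_ATTRIBUTE_NAMES):
    """Return the raw group values found in the assertion's attribute statement."""
    # Diagnostic only: run on assertions you captured yourself; no signature check here.
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name", "").lower() in names:
            values += [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return values

def check_bindings(xml_text, bindings):
    """bindings maps Portal group title -> configured enterprise group name."""
    sent = groups_in_assertion(xml_text)
    loose = {s.strip().lower() for s in sent}
    report = {}
    for portal_group, enterprise_name in bindings.items():
        if enterprise_name in sent:            # assumed rule: exact string match
            report[portal_group] = "match"
        elif enterprise_name.strip().lower() in loose:
            report[portal_group] = "near-miss"  # differs only in case or whitespace
        else:
            report[portal_group] = "absent"     # IdP did not send this group
    return report
```

A "near-miss" result means the configured name and the IdP value differ only in case or surrounding whitespace, so check the value entered on the Portal group against the assertion; "absent" points at the IdP's claim rules or the user's Active Directory membership.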

Relevant resources

Use your portal with LDAP or Active Directory and portal-tier authentication https://enterprise.arcgis.com/en/portal/latest/administer/windows/use-your-portal-with-ldap-and-portal-tier-authentication.htm

Link enterprise groups from an IDP https://enterprise.arcgis.com/en/portal/latest/administer/windows/create-groups.htm#ESRI_SECTION1_5E3FFFAA1B7E443FBB1E483E070B1979
