Connecting ArcGIS Online

Using the OAuth 2.0 protocol, the Identity Service can delegate the authentication of users to ArcGIS Online. This means that a user can log in with an ArcGIS Online account.

Connecting to ArcGIS Online is done in several steps:
First you register the Identity Service as an application in ArcGIS Online. Then you adjust the configuration of the Identity Service so that the login can be delegated to ArcGIS Online. Finally you check the configuration using the Identity Service to log in to ArcGIS Online.

Step 1: Register Identity Service

The Identity Service must be registered as an application in ArcGIS Online to use the single sign-on. To do this, perform the following steps:

Login to ArcGIS Online.
Switch to the Content tab.
Click New item and in the subsequent dialog click Application.
A dialog for creating the new element is displayed. Use the following settings there:
- Type: Web Mapping.
- URL: URL of the Identity Service installation, for example https://www.example.com/identity
Click Next.
Now set the other properties of the element as follows:
- Title: Identity Service
- Folder: Select the folder where you want to save the item.
- Categories (optional): You can set one or more categories for the element.
- Tags: identity
- Summary (optional): You can create a summary for the element, for example: Registration of Identity Service at ArcGIS Online
Click Save. The overview of the newly created element is displayed.
Set additional registration properties by proceeding as follows:
- In the app overview click Settings and go to section Web Mapping Application.
- Click Register application.
- Specify the URL of your Identity Service installation as the Redirect URLs, for example https://www.example.com/identity.
- Click Add to add the URI to the list of valid redirect URIs.
- Select Browser as application environment.
- Click Register to close the dialog.
After you have successfully registered the application, its registration data will be displayed, which you will need for the subsequent configuration:
- Store the displayed Client ID somewhere.
- Click on the button with the eye icon to display the Client Secret. You need to remember this one as well.

The registration is complete and you can proceed with the configuration of the Identity Service.

Step 2: Configure Identity Service

The following parameters must be added or changed in the global Configuration.

Configuration example

# .identity-service/application.properties
security.oauth.provider=arcgis
security.oauth.provider.arcgis.url=https://myorganization.maps.arcgis.com
security.oauth.clientId=6nyEFYqYSYtu60Ws
security.oauth.clientSecret=fb3e3425976e4980a1793cbe6231f4b6

security.oauth.provider: The value arcgis defines ArcGIS Online as identity provider.
security.oauth.provider.arcgis.url: URL of your ArcGIS Online organization.
security.oauth.clientId: Client ID that has been created during the registration as an application in ArcGIS Online.
security.oauth.clientSecret: Client Secret that has been created during the registration as an application in ArcGIS Online.

Allow logins for multiple organizations

To allow logins to users of more than one organization, please set security.oauth.provider.arcgis.url to https://www.arcgis.com and additionally configure the parameter security.oauth.provider.arcgis.organizations as described in the following example:

Configuration example

# .identity-service/application.properties
security.oauth.provider.arcgis.url=https://www.arcgis.com
security.oauth.provider.arcgis.organizations=myorganization.maps.arcgis.com,otherorg.maps.arcgis.com

List all organizations separated by commas.

Role assignment

In the product map.apps, only users assigned to the 'maAdmin' role can access the map.apps Manager. To make this possible the ArcGIS Online roles or groups need to be mapped to internal roles.

This mapping of ArcGIS Online roles or groups to internal roles can be customized using the configuration option security.oauth.provider.arcgis.roles.

ArcGIS Online roles

The role to which a user is assigned in ArcGIS Online is translated as follows:

ArcGIS Online role internal roles Description

ArcGIS Online role	internal roles	Description
`org_admin`	`maAdmin, solrAdmin, mon_Administrator, tc_Administrator`	ArcGIS Online administrators become map.apps, service.monitor, smart.finder and smart.finder SDI administrators.
`org_publisher`	`maEditor`	ArcGIS Online publishers become map.apps editors.
`roleX`	`roleX`	All other roles are adopted from ArcGIS Online without changes.

org_admin

maAdmin, solrAdmin, mon_Administrator, tc_Administrator

ArcGIS Online administrators become map.apps, service.monitor, smart.finder and smart.finder SDI administrators.

org_publisher

maEditor

ArcGIS Online publishers become map.apps editors.

roleX

All other roles are adopted from ArcGIS Online without changes.

If the ArcGIS Online access belongs to an organization, the domain name of the organization is registered as an internal role.

Example: myorganization.maps.arcgis.com

ArcGIS Online groups

The groups a person belongs to in ArcGIS Online are also translated into internal roles. Since multiple people can create ArcGIS Online groups with the same title, a group is translated into a internal role of the form <title>::<owner>.

ArcGIS Online group internal role

ArcGIS Online group	internal role
`Forest` (Owner: `user1`)	`Forest::user1`
`Water` (Owner: `user2`)	`Water::user2`

Forest (Owner: user1)

Forest::user1

Water (Owner: user2)

Water::user2

Step 3: Test configuration

You can test the configuration of ArcGIS Online as identity provider by performing a login initiated by the Identity Service. Follow these steps:

Make sure you have an ArcGIS Online user account
If you are logged in to ArcGIS Online, log out.
Open the Identity Service base URL, http://www.example.com/identity or http://www.example.com:8080/identity, for example. Make sure to use the exact same URL that you specified as Redirect URI when registering the Identity Service at ArcGIS Online in step 1 of this document.

The browser displays a page with a list of available service endpoints:
Click the link titled Login. The browser will redirect you to the ArcGIS Online login page.
Enter username and password of your ArcGIS Online account to login.

After successful login you are redirected to the Identity Service "Self" endpoint (/identity/account/self). If your ArcGIS Online account data is displayed as JSON, you successfully connected ArcGIS Online with the Identity Service.

Next steps

After you have connected ArcGIS Online with the Identity Service, you need to configure the services of your ArcGIS Online organization as trusted services in the Identity Service. This allows users of applications that use the Identity Service to access services of your organization without further login.