Single sign-on offers great benefits for schools using ArcGIS Online (AGO) and other SAAS products. Today, one limit of SSO is that the SAML implementation offers an efficient but subset of features one might need in order to effectively manage a large user base.
For example, I was approached by a large K12 educational entity (greater than 10k) that wanted to implement SSO for user account creation and authentication. However, they also wanted teachers to have publisher roles and students to have user roles. The current enterprise login system in ArcGIS Online casts everyone into one role. Enter Python!
Begin by setting up your workstation or server, ideally one with the capacity to schedule tasks (Cron, Windows Task Scheduler, OSX launchd or iCal). When the script is ready, you will need to use a scheduler to run the task repeatedly. This is in part because there is no way to trigger the script on an SSO event in AGO (at least today).
The script is built on a Python stack including: ArcGIS Online API for Python 1.5.1, Python 3.6, and Anaconda 4.4. You can use Jupyter to create the script but is unnecessary for regular or scheduled execution. See API and stack installation details.
The script retrieves all the user accounts in the target organization and then filters out the unnecessary users. In this script, three filters are applied:
1. Ignore accounts without the autogenerated appended organization name (case-sensitive). Check for the appended org subdomain (applied automatically by SSO and other auto-generated username mechanisms). In this case, the pattern we want looks like: tbaker_SchoolDistrictX, where “SchoolDistrictX” is the organization’s subdomain. This doesn’t guarantee the account was created via SSO but can rule out manually created accounts, depending on username policy in the organization.
2. Ignore user accounts more than one week old. This also prevents manual account edits (to accounts over one week old) from being reverted accidentally by the script.
3. Use a regular expressionto sort the usernames into teacher versus student. In this example, student usernames all contained six consecutive digits where teacher accounts did not. Student accounts were filtered out since all new SSO accounts were created at the lower student level (user). When a username without six consecutive digits was found, it was passed through.
Once a user passes all the filters, the “update_role” function is used to upgrade to built-in role, “org_publisher”. This script would need modification if using with a custom role.
Any of the filters can be changed or removed based on organizational need. The regular expression in filter three will most certainly have to be modified by everyone. Many will want to run the script daily or even hourly, requiring a commensurate time change in filter two.
Of course, be sure to comment out the “update_role” function until you have completely tested the script in your environment. I generally inset a print statement in place for feedback during testing. Like most scripts, there’s no “Undo” button.
For initial deployment, I saved the script to a “.py” file and scheduled it to run from a laptop on the corner of my desk however very shortly I’ll deploy to a dedicated Amazon Lightsail Ubuntu server. Enjoy!