We had started exploring ways to teach with ArcGIS Pro back in April 2016 and quickly realized that named user licensing would be a major administrative barrier to adopting the software. For a one-off workshop we taught, it was fine manually provisioning thirty student users, but we didn’t think that would be scalable to 5+ classes each semester, especially when not having access at the start of the semester could be really disruptive to students.
After listening to a lot of the great dialogue on the Esri higher education list serve we were able to get things up and running using a two-step approach:
1. Setting Up Enterprise Log-Ins for ArcGIS Online
This was mostly handled by the systems department in our IT organization. SFSU uses Shibboleth for a variety of other single sign on applications (Zoom, Box, etc.), so it was fairly straight forward to ask around and see who had set those up and see if they were willing to do the same for ArcGIS Online. We did have to wait until our campus updated to version 3.X of Shibboleth, as ArcGIS Online won’t permit enterprise log ins with version 2.X.
There were the three most helpful pieces of documentation that we were able to forward along to our IT Systems Administrator:
· General information about enterprise logins with ArcGIS Online: https://doc.arcgis.com/en/arcgis-online/administer/enterprise-logins.htm
· Configuring Shibboleth for enterprise logins in ArcGIS Online: https://doc.arcgis.com/en/arcgis-online/reference/configure-shibboleth.htm
· General information about security settings in ArcGIS Online: https://doc.arcgis.com/en/arcgis-online/administer/configure-security.htm
When logged in as an administrator to our ArcGIS Online organization, we simply went to My Organization >> Edit Settings >> Security >> Set Identity Provider and entered identity store provider information and a metadata file supplied by our IT department.
We were able to get the service provider metadata by going to My Organization >> Edit Settings >> Security >> Get Service Provider. We sent this over to the IT department who configured for use with Shibboleth and uploaded it their development server. After a few days it was pushed to their production server and we had enterprise access to ArcGIS Online and associated apps like Collector and Business Analyst Online.
2. Automatically providing ArcGIS Pro licenses to all users in our ArcGIS Online organization
Thanks to Nathan Strout’s (U. of Redlands) work creating administrative python tools, we were able to automate the process of assigning ArcGIS Pro licenses to all users in our organization. We simply went to github and downloaded their entire ArcGIS Online tools repository https://github.com/URSpatial/ago-tools. We then modified lines 6 and 7of the script “… \AGOL Administration Scripts\ago-tools-master\ago-tools-master\samples\updateUserEntitlements.py" to enter username and password credentials for a headless administrative account set up expressly for this purpose. This script assigns ArcGIS Pro Advanced + 7 extension licenses for all users in the organization. We then made a batch file on one of our virtual servers (which as a backup power source in the event of an outage) to run this script every 5 minutes.
Our current number of ArcGIS Pro seats stands at 1,000, which we believe will be adequate for the next couple of semesters. Under the new Esri education model we understand that the number of ArcGIS Pro licenses made available to higher ed customers to meet the need.
For planning purposes, it took us around four days to complete step 1 once the IT team was on board. This included time for the IT department to read through the documentation on enterprise log ins, time for the ArcGIS Online administrator to configure the identity provider in ArcGIS Online, time for the IT department to configure the service provider metadata in the SAML and load it onto a development server, time to push the changes in the development server to the production server, and time to test to make sure the process worked. Once we were set up with enterprise log ins, automating granting ArcGIS Pro licenses with Nathan’s script took only around an hour to figure out!
We do have some lingering administrative issues to figure out—mainly how to flag accounts that belong to folks who are no longer affiliated with the university. While our old method of setting up things manually without enterprise account was time consuming it did have the benefit of permitting us to put accounts into meaningful groups so we could identify when users were no longer active. Another issue we’ll need to address down the line is how to transfer user content so students can take it with them when leaving. We hope to continue to use the Esri HigherEd listserv as a resource.
Throughout the course of setting things up we did run into one fairly major bug—for ArcGIS Pro to receive a license from ArcGIS Online your enterprise id must be text-based, not numeric! Our identity provider used university id numbers by default, which resulted in a failure to download the license successfully (you can read more on that here: https://geonet.esri.com/thread/182651-arcgis-pro-not-able-to-download-licenses-from-licensing-portal). Update as of 11/4/2016: With the release of the latest patch (ArcGIS Pro v. 1.3.1) this issue now seems to be resolved and licenses are being properly passed along to our numeric enterprise logins! Update as of 12/5/2016: It turns out it's now only working intermittently (~60% of the time) and that while fixing #BUG-000099323 is in the product plan, there's no time estimate for when this will be resolved. Update as of 1/30/2017: Given the lack of a concrete timeline on when the ArcGIS Pro bug was going to be fixed, and concerns about it being ready in time to teach with, we decided to pass along an id that included text from our identity store provider rather than passing along numbers alone. While our workaround results in an ugly username (a 9-digit id number followed by @sfsu.edu), we are pleased that it works with ArcGIS Pro and is not changeable, unlike email address prefixes, which is what we originally thought to go with.