When following the steps outlined in this documentation, the users will not have email addresses associated with their account, meaning that they cannot be Administrative Contacts and may see issues when attempting to change organization administrators to an account associated with this SAML IDP.
Esri documentation for setting up other SAML providers includes steps for mapping givenName, surName, and mail attributes (examples: NetIQ Access Manager and Okta), but the Google Workspace documentation does not.
The steps to add a Custom Attribute, fill out that attribute for the user, and then add the Custom Attribute to the SAML attribute mapping are outlined below:
1. Create a Custom Attribute:
   Google Admin > Home > Users panel, Manage > More Options > Manage Custom Attributes > Add Custom Attribute.
   Category: Email.
   Name: Email.
   Type: Email.
   No. of values: Single Value.
2. Fill out the Email attribute for the user.
   Google Admin > Users > Select user > Expand User Information > Scroll to Email and edit this to include the desired email address.
3. Add a new attribute in the Attribute Mapping setting of the SAML IDP (same process as Steps 20-21 here).
   Select the new Email attribute created above and save changes.
After these steps are complete, ensure that Update profiles on log in is enabled in the ArcGIS Online organization (Organization tab > Settings > Security > Log ins, configure SAML Login > Advanced Settings). The email address will then be populated in the account settings once users log out and log back in.
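To confirm the mapping took effect before relying on it for administrator accounts, the decoded SAML assertion from a test login can be inspected for the mapped attributes. The script below is an added example, not part of the original post or of Esri's or Google's documentation. The attribute names givenName, surName and mail are assumed to be the names used in the mapping, the sample assertion is constructed, and the script only inspects attributes (it does not validate the assertion signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement of a decoded SAML assertion.
# The attribute names are assumptions; use the names set in your mapping.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="surName">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def read_attributes(assertion_xml):
    """Return {attribute name: [non-empty values]} from an assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def check_mapping(assertion_xml, required=("givenName", "surName", "mail"), email_attr="mail"):
    """List problems that would leave the profile without a usable email."""
    attrs = read_attributes(assertion_xml)
    problems = [f"missing or empty attribute: {name}" for name in required if not attrs.get(name)]
    emails = attrs.get(email_attr, [])
    if len(emails) > 1:  # the custom attribute above is defined as Single Value
        problems.append(f"{email_attr} has {len(emails)} values, expected a single value")
    for e in emails:
        local, _, domain = e.partition("@")
        if not local or "." not in domain:
            problems.append(f"{email_attr} value does not look like an address: {e!r}")
    return problems

if __name__ == "__main__":
    for line in check_mapping(SAMPLE_ASSERTION) or ["all mapped attributes present"]:
        print(line)
```

An empty result means every mapped attribute arrived with a value; a "missing or empty attribute: mail" entry points back to step 2 or step 3 above.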
The Esri documentation for how to configure a SAML IDP using Google Workspace does not include steps to pass in email addresses to ArcGIS Online, which is crucial when setting up a log in for administrators, even though it is mentioned previously in the documentation that ArcGIS Online supports this.