Which authentication method should the administrator configure for named users authenticated against a Windows Active Directory user store located on-premises?

The appropriate choice for authenticating named users against a Windows Active Directory user store located on-premises is to configure the portal with a SAML-compliant identity provider. This method leverages Security Assertion Markup Language (SAML), which is designed for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider like the Esri portal.

When using SAML, users can authenticate through Active Directory without needing to provide their credentials multiple times. It enables Single Sign-On (SSO) capabilities, making the user experience more seamless and secure. This is particularly beneficial in environments where users want to access multiple applications or services without needing to log in repeatedly.

In this context, while alternatives such as OAuth 2.0 are valid for scenarios requiring access delegation, and LDAP could be used for direct queries to Active Directory, SAML is specifically aligned with enterprise authentication practices that involve federated identity management. It streamlines user access and integrates well with existing Active Directory setups, making it suitable for the "named users" scenario mentioned in the question.

Using basic authentication with a username and password is generally less secure, especially when compared to SAML, as it can expose user credentials if not implemented securely.