ArcGIS Server Web-Tier authentication: Enable editing in ArcGIS Online web maps, Portal web maps, and offline data collection using Collector

Idea created by pfoppe on Jan 21, 2015
Status: Implemented
Score: 230
Esri ArcGIS Server (AGS) provides 2 administrative options to configure the authentication tier: web-tier and tokens.  Our agency is striving to run any AGS environments as web-tier authentication so that we can achieve single-sign-on and use standard web authentication (basic, digest, IWA, NTLM, Kerberos, etc).  Unfortunately the Esri proprietary token authentication method is potentially subject to a token hijack attack or a Replay Attack where a malicious 3rd party can use your token to delete or change your content.  Ideally these tokens are tied to a specific client ID (IP address or a bit more complex, see https://www.owasp.org/index.php/Trusting_self-reported_IP_address), but that is only reducing the risk and subject to IP Spoofing and/or HTTP Referrer spoofing.  Tying the tokens to a clientID is also optional.  Here is a decent article presented at the Esri UC that discusses security a little and dives into tokens.

Unfortunately, we have found some limitations using web-tier authentication (as far as I know they are undocumented).  Specifically - we cannot edit data in an ArcGIS Online web-map or a Portal web-map.  We also have been unable to take data offline using Collector if content is protected using web-tier authentication.  There is an Esri GeoNet thread discussing the issue: https://geonet.esri.com/thread/94955

Specifically, it looks as though the web-map executes a server side call (proxies the request, acts as a broker) to the ArcGIS Server and the web-map server side code does not have an authenticated login that is recognized by our ArcGIS Server deployment.  Here is some information on the proxied request:
Request URL:https://www.arcgis.com/sharing/proxy?https://www.myserver.com/arcgisauth/rest/services/FeatureServices/MyService/FeatureServer/0?f=json
Request Method:POST
Status Code:504 Gateway Timeout
Many of the web-tier authentication schemes do a challenge/response sort of operation where the first request is an anonymous request, the response is an HTTP status code 401 (Unauthorized) but also returns a header 'www-authenticate' with the supported authentication methods.  It appears that the arcgis.com map ignores the 'www-authenticate' header and just disables the editing capabilities rather than attempting to obtain the user credentials or use their client browser to attempt single-sign-on (all client side requests).

Unfortunately this is causing our agency to stand up duplicative environments to support the web-map editing and Collector editing workflows.  We have stood up a few select token based servers to get around this limitation and are only allowing the use of those servers for the workflows that do not support web-tier authentication.

We are also starting some work with ArcGIS Runtime, but I cannot confirm or deny if this supports web-tier authentication yet.

Esri - Please provide full support for web-tier authentication methods in your non-ArcGIS Server products.    Also - please update documentation to reflect limitations when agencies decide to pursue web-tier authentication.  Thank you for the consideration!
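As an added example (not part of pfoppe's post or of any Esri code), here is a small Python check an administrator can run against a captured response to see what an anonymous probe of a secured endpoint reveals: it parses the `www-authenticate` challenge the post describes the way a browser client would, and distinguishes that from the proxy's 504. The sample responses, the label names and the helper functions are all constructed for this example.

```python
# Added example: classify what an anonymous probe of an ArcGIS REST endpoint reveals,
# honouring the WWW-Authenticate challenge the way a browser client would.
import re
from typing import Dict, List, NamedTuple, Tuple

Challenge = NamedTuple("Challenge", [("scheme", str), ("params", Dict[str, str])])
# Schemes a browser can complete itself: SSO via Negotiate/NTLM, or a credential prompt.
BROWSER_NEGOTIABLE = {"negotiate", "ntlm", "basic", "digest"}

def _split_commas(value: str) -> List[str]:
    # Split on commas that are not inside quoted auth-param values.
    parts, cur, quoted = [], [], False
    for ch in value:
        quoted ^= (ch == '"')
        if ch == "," and not quoted:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_www_authenticate(value: str) -> List[Challenge]:
    """Parse a multi-challenge header such as 'Negotiate, NTLM, Basic realm="x"'."""
    challenges: List[Challenge] = []
    for piece in _split_commas(value):
        m = re.match(r"^([\w-]+)\s+([\w-]+=.*)$", piece)  # "Basic realm=..." form
        if m:
            challenges.append(Challenge(m.group(1), {}))
            piece = m.group(2)
        elif re.match(r"^[\w-]+$", piece):                  # bare scheme, e.g. Negotiate
            challenges.append(Challenge(piece, {}))
            continue
        key, _, val = piece.partition("=")
        if challenges:  # auth-param belongs to the most recent challenge
            challenges[-1].params[key.strip().lower()] = val.strip().strip('"')
    return challenges

def classify(status: int, headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """401 + answerable challenge -> web-tier; 504 -> the proxy timeout; else no challenge."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in h:
        schemes = [c.scheme.lower() for c in parse_www_authenticate(h["www-authenticate"])]
        ok = any(s in BROWSER_NEGOTIABLE for s in schemes)
        return ("web-tier" if ok else "web-tier-unsupported"), schemes
    return ("proxy-timeout" if status == 504 else "no-challenge"), []

# Constructed sample responses, not captured from a live server.
SAMPLES = {"direct": (401, {"WWW-Authenticate": 'Negotiate, NTLM, Basic realm="ArcGIS Server"'}),
           "via_arcgis_com_proxy": (504, {})}
def probe_samples() -> Dict[str, Tuple[str, List[str]]]:
    return {name: classify(*resp) for name, resp in SAMPLES.items()}
```

A "no-challenge" result only means no web-tier challenge was seen; an open service and a token-secured one (whose error is carried in the response body) look the same at this level.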