ArcGIS Server Web-Tier authentication: Enable editing in ArcGIS Online web maps, Portal web maps, and offline data collection using Collector

Idea created by pfoppe on Jan 21, 2015
Esri ArcGIS Server (AGS) provides 2 administrative options to configure the authentication tier: web-tier and tokens.  Our agency is striving to run any AGS environments as web-tier authentication so that we can achieve single-sign-on and use standard web authentication (basic, digest, IWA, NTLM, Kerberos, etc).  Unfortunately the Esri proprietary token authentication method is potentially subject to a token hijack attack or a Replay Attack where a malicious 3rd party can use your token to delete or change your content.  Ideally these tokens are tied to a specific client ID (IP address or something more complex), but that is only reducing the risk and subject to IP Spoofing and/or HTTP Referrer spoofing.  Tying the tokens to a clientID is also optional.  Here is a decent article presented at the Esri UC that discusses security a little and dives into tokens.

Unfortunately, we have found some limitations using web-tier authentication (as far as I know they are undocumented).  Specifically - we cannot edit data in an ArcGIS Online web-map or a Portal web-map.  We also have been unable to take data offline using Collector if content is protected using web-tier authentication.  There is an Esri GeoNet thread discussing the issue:

Specifically, it looks as though the web-map executes a server side call (proxies the request, acts as a broker) to the ArcGIS Server and the web-map server side code does not have an authenticated login that is recognized by our ArcGIS Server deployment.  Here is some information on the proxied request:

Request URL:
Request Method: POST
Status Code: 504 Gateway Timeout

Many of the web-tier authentication schemes do a challenge/response sort of operation where the first request is an anonymous request, the response is an HTTP status code 401 (unauthorized) but also returns a header 'www-authenticate' with the supported authentication methods.  It appears that the map ignores the 'www-authenticate' header and just disables the editing capabilities rather than attempting to obtain the user credentials or use their client browser to attempt single-sign-on (all client side requests).

Unfortunately this is causing our agency to stand up duplicative environments to support the web-map editing and Collector editing workflows.  We have stood up a few select token based servers to get around this limitation and are only allowing the use of those servers for the workflows that do not support web-tier authentication.

    We are also starting some work with ArcGIS Runtime, but I cannot confirm or deny if this supports web-tier authentication yet.  

Esri - Please provide full support for web-tier authentication methods in your non-ArcGIS Server products.    Also - please update documentation to reflect limitations when agencies decide to pursue web-tier authentication.  Thank you for the consideration!
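The 401 / 'www-authenticate' handshake described in the post, modelled as an added example. This is illustration code written for this page, not Esri's or the web map's code: the `FakeWebTierServer` class, the `CLIENT_PREFERENCE` order, the `alice`/`s3cret` credentials and the capabilities JSON are all constructed here. It contrasts a client that reads the challenge header and answers it (Basic is the only scheme this model can complete; Negotiate/NTLM/Digest would need an SSPI/GSSAPI or digest implementation that is deliberately left out) with a credential-less broker that, like the web map in the post, is stuck at the 401 and ends up with no edit capabilities.

```python
import base64
import re

# Added illustration (not Esri code): a minimal model of the HTTP challenge/
# response handshake behind web-tier authentication, and of a client that,
# unlike the web map described in the post, honours WWW-Authenticate.

# Assumption for this example: client preference order, and the one scheme it
# can actually complete without an external SSPI/GSSAPI or digest library.
CLIENT_PREFERENCE = ("Negotiate", "NTLM", "Digest", "Basic")
CLIENT_CAN_COMPLETE = {"Basic"}


def _split_outside_quotes(text, sep=","):
    """Split on `sep` while ignoring separators inside double-quoted strings."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def _parse_params(text):
    """Turn 'realm="ags", qop=auth' into {'realm': 'ags', 'qop': 'auth'}."""
    pairs = re.findall(r'([A-Za-z0-9_-]+)=("[^"]*"|[^,\s]+)', text)
    return {k: v.strip('"') for k, v in pairs}


def parse_www_authenticate(header):
    """Parse a WWW-Authenticate value into [(scheme, {param: value}), ...].

    Several challenges may share one header, e.g.
    'Negotiate, NTLM, Basic realm="ags", Digest realm="ags", qop="auth"'.
    A part that starts with a bare scheme name opens a new challenge; a
    'key=value' part belongs to the most recent challenge.
    """
    challenges = []
    for part in _split_outside_quotes(header):
        part = part.strip()
        if not part:
            continue
        m = re.match(r'^([A-Za-z][A-Za-z0-9_-]*)(?:\s+(.*))?$', part)
        if m:                               # "Scheme" or "Scheme key=value ..."
            challenges.append((m.group(1), _parse_params(m.group(2) or "")))
        elif challenges and "=" in part:    # continuation parameter
            challenges[-1][1].update(_parse_params(part))
    return challenges


def choose_scheme(challenges):
    """Most preferred scheme the server offers that this client can complete."""
    offered = {scheme for scheme, _ in challenges}
    for scheme in CLIENT_PREFERENCE:
        if scheme in offered and scheme in CLIENT_CAN_COMPLETE:
            return scheme
    return None


class FakeWebTierServer:
    """Constructed stand-in for a feature service behind web-tier auth."""

    def __init__(self, user, password, realm="ags"):
        self._expected = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._challenge = f'Negotiate, NTLM, Basic realm="{realm}"'

    def handle(self, headers):
        """Return (status, response_headers, body) for a request."""
        scheme, _, credential = headers.get("Authorization", "").partition(" ")
        if scheme == "Basic" and credential == self._expected:
            # Constructed body in the style of a feature layer description.
            return 200, {}, '{"capabilities": "Query,Create,Update,Delete"}'
        # Anonymous or wrong credentials: challenge the caller.
        return 401, {"WWW-Authenticate": self._challenge}, ""


def fetch(server, credentials=None):
    """Request the resource; on 401 read WWW-Authenticate and retry once.

    credentials=None models the server-side broker in the post: it has no
    login of its own, so the 401 is final.
    """
    status, hdrs, body = server.handle({})
    if status != 401:
        return status, body
    scheme = choose_scheme(parse_www_authenticate(hdrs.get("WWW-Authenticate", "")))
    if scheme is None or credentials is None:
        return status, body                 # cannot answer the challenge
    user, password = credentials
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, _, body = server.handle({"Authorization": f"{scheme} {token}"})
    return status, body


def editing_enabled(status, body):
    """What a client should conclude from the final response it received."""
    return status == 200 and "Create" in body


if __name__ == "__main__":
    srv = FakeWebTierServer("alice", "s3cret")
    print("broker, no login:", fetch(srv))                       # (401, '')
    print("client with login:", fetch(srv, ("alice", "s3cret")))  # (200, ...)
```

The point the model makes is that the challenge header already carries everything a client needs to decide what to do next; treating the first 401 as "editing unsupported" discards that information. A broker that proxies without any credentials can only ever see the 401, which matches the behaviour the post describes.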