User authentication patterns for customized AGOL/Portal app

EugeneLamnek · ‎10-10-2017

I am looking into creating a customized mapping tool for a client. They would like to use the standard AGOL/Portal app as a starting point and add some of their own custom widgets to carry out various business specific functions (integration with other systems, custom map markup tools etc). I have used WAB Dev. Edition to download a test app and customized some widgets and then have deployed this to an internal test server and all works fine. The test app uses an AGOL map that is shared with everyone - so no AGOL login form appears when entering the locally hosted app.

My question(s) relates to creating a system of user access for this app. My client has a number of ESRI Named User accounts, but they would like to enable access to their application to potentially 50-100 internal users. These users would require access to a number of layers, and be able to edit these layers. I have had some SDE feature classes created within the clients local Portal instance (they have been published via a federated ArcGIS Server - so have named user access to them.) I have worked out how to add these layers to the map when app starts up (using the named user account to authenticate the layers), but this means storing the named user account and potentially allowing multiple users to use the one named user access point (which I think is not in accordance with ESRI licensing).

What are our options here? Does ESRI licensing permit adding (at runtime) layers to a shared map that is shared with everyone? If so can these layers come from an SDE database and be published via ArcGIS Server. What if standard ArcGIS Server authentication is used from a non-federated server? ie. creating users within the ArcGIS Server user management tool which are not named users.

Basically we would like to manage user access to the application, without using the named user system. It appears this is technically possible, but does it comply with licensing?

We have tried to pose this question to out local support but as yet haven't received a clear answer.

XanderBakker · ‎10-11-2017

I don't have all the answers but I can try to answer a few:

You mentioned that you have a web map created in ArcGIS Online which is shared publicly. All the layers that you have on a publicly available web map should be public. It is not allowed to have a web map that consumes services from a local AGS that is not exposed publicly. You can however (as far as I now) add layers on the fly on a Web App that is published on a local web server.
It is not allowed to potentially share a named user across multiple users
I strongly believe that it would be a good thing to use the named users to access the data and share content across groups. The named user system was designed for this.

EugeneLamnek · ‎10-11-2017

Thanks for your comments. Not sure what you mean by your comment:

'You can however (as far as I now) add layers on the fly on a Web App that is published on a local web server.'

By local web server, do you mean a web server on the internet as opposed to having the app running from AGOL/Portal?

And do you mean, you can add layers that require authentication, as long as the map is not publicly shared?

With your second point, I understand sharing named users is not allowed. But (my knowledge is limited on this because I haven't tested it) if you are loading layers from a non-federated ArcGIS Server, they would not need to be authenticated by the named user and so no named user sharing would take place??

Third point, I agree that the named user system would work well, but as the system grows, from what I understand, large costs are involved in having so many named users, many of which may only access the application very infrequently.

XanderBakker · ‎10-11-2017

Hi Eugene Lamnek ,

'You can however (as far as I now) add layers on the fly on a Web App that is published on a local web server.'

By local web server, do you mean a web server on the internet as opposed to having the app running from AGOL/Portal?
And do you mean, you can add layers that require authentication, as long as the map is not publicly shared?

It can be a web server inside your own infrastructure or in the cloud, accessible from outside your organization or only available inside your organization. If you download for instance a template application you can modify it or use for instance Web AppBuilder for ArcGIS (Developer Edition) | ArcGIS for Developers . What you cannot do is configure an application in ArcGIS Online and share it publicly and consume content that is not publicly available. If you create a webmap in ArcGIS Online and share that publicly, it cannot contain services that are only available behind your firewall. If you add those layers on the fly, the web map on ArcGIS Online will not have any layers that are not publicly available.

With your second point, I understand sharing named users is not allowed. But (my knowledge is limited on this because I haven't tested it) if you are loading layers from a non-federated ArcGIS Server, they would not need to be authenticated by the named user and so no named user sharing would take place??

That may be the case, but if you are going to implement ArcGIS Enterprise, the base deployment (Server, Portal, DataStore and WebAdaptor) will require Federation between the ArcGIS Server and Portal. I think I read this in the slide notes from the presentation on Architecting Your Deployment: See video here: ArcGIS Enterprise: Architecting Your Deployment - YouTube

I will CC Philip Heede hopefully he can clarify this for you.

There is also a great document that might be interesting to read (updated last month): https://www.esri.com/~/media/Files/Pdfs/products/arcgis-platform/architecting-the-arcgis-platform.pd...

Third point, I agree that the named user system would work well, but as the system grows, from what I understand, large costs are involved in having so many named users, many of which may only access the application very infrequently

From "architecting-the-arcgis-platform.pdf ": An ArcGIS Identity is managed as a named user credential within the platform. This credential is used to sign into any app, on any device, at any time, and to provide access to all maps, apps, data, and analysis a particular user is entitled to. As users sign into the ArcGIS platform with their named user credentials, their identity gives them access to authoritative data, GIS capabilities, shared content, apps, and their saved maps and items. The named user model allows an organization to securely and appropriately extend the reach of its geospatial capabilities to everyone who needs them.

So by implementing the named user model, you avoid developing some access to data and applications and you probably miss out on some really good stuff. There are two levels of named users. As far as I understand from your explanation, you will have many users that will simply use the application but not create any content. Those users can use a named user of level 1 which is about 1/5th of a level 2 named user.

EugeneLamnek · ‎10-12-2017

Thanks, I will look at the video and the pdf.

In our case all users will need to edit, but some of them will only edit infrequently, so level 1 may not be suitable.

Also, another reason for us looking at other authentication methods is we want to provide integration with a non-spatial web application that operates within the clients organization. By integration, I mean things like: user clicks on a spatial feature on the map, which triggers a call to a web service that goes off and finds matching records from the non spatial application based on spatial ID of the feature and returns the matching record(s) which then gets displayed in a custom widget. The existing non-spatial app has its own system of user, roles, groups etc. so we were hoping to be able to use this for the hosted web app, rather than maintaining two systems of users (one owned by non-spatial app and the other being Named Users).