How to connect to my Portal when our security is ADFS?

03-09-2017 07:31 PM
DirkVandervoort
Occasional Contributor II

Our Portal uses ADFS as our security model. In my Jupyter notebook, when I try to create a GIS:

gis = GIS("https://webadaptor.mydomain.com/portal", "my.username@mydomain.com", "mypassword")

I am informed that I cannot obtain a token:

Unable to generate token. Invalid username or password

With an extensive traceback and the bottom line of:

RuntimeError: Unable to generate token. Invalid username or password. (Error Code: 400)

The questions I have are:

  1. Can we use our ADFS security to create a GIS in the API?
  2. If yes, how do I do this?

TIA

--Dirk

RohitSingh2
Esri Contributor

Hi Dirk,

Are you using SAML with ADFS as your identity provider? SAML is an interactive workflow that's not yet supported with the ArcGIS API for Python. We are adding support for SAML and OAuth2 in the upcoming release though and this feature is in QA currently.

If you're using [LDAP or Active Directory configured with Portal tier authentication](Use your portal with LDAP or Active Directory and portal-tier authentication—Portal for ArcGIS (10.5... ), you can use the Python API as this is supported with v1.0 and above using the GIS(url, username, password) API.

[Integrated Windows Authentication](Use Integrated Windows Authentication with your portal—Portal for ArcGIS (10.5) | ArcGIS Enterprise) is also supported using GIS(url) API - the username and password aren't passed when using IWA and the current user's credentials are picked up by the script/API.

Thanks,

Rohit
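
The three cases in the answer above, as an added example that is not part of the original reply or of Esri's code: a helper that picks the `GIS(...)` call form for the portal's authentication mode, fails early for SAML, and reads the portal-tier password from an environment variable instead of a notebook literal. The mode labels, `password_env` and `gis_factory` are names assumed for this example.

```python
import os
from urllib.parse import urlparse

# Authentication modes named in the answer (the labels are this example's own)
PORTAL_TIER = "portal-tier"   # built-in, LDAP or Active Directory accounts
IWA = "iwa"                   # Integrated Windows Authentication
SAML = "saml"                 # enterprise logins through ADFS


def connect(url, mode, username=None, password_env="PORTAL_PASSWORD", gis_factory=None):
    """Open a GIS connection with the call form that matches the auth mode.

    password_env and gis_factory are hypothetical parameters of this example;
    gis_factory defaults to arcgis.gis.GIS and lets the logic be tested offline.
    """
    if urlparse(url).scheme != "https":
        raise ValueError("refusing to send credentials to a non-HTTPS portal URL")
    if mode == SAML:
        # Per the answer: SAML is an interactive workflow the API did not yet support
        raise NotImplementedError(
            "SAML enterprise logins cannot use GIS(url, username, password); "
            "use a portal-tier account or IWA")
    if gis_factory is None:
        from arcgis.gis import GIS  # lazy import so this module loads without arcgis
        gis_factory = GIS
    if mode == IWA:
        # No username or password: the current Windows user's credentials are used
        return gis_factory(url)
    if mode == PORTAL_TIER:
        # Secret comes from the environment, never from a literal in the notebook
        password = os.environ.get(password_env)
        if not username or not password:
            raise ValueError(f"username and ${password_env} are required for portal-tier login")
        return gis_factory(url, username, password)
    raise ValueError(f"unknown authentication mode: {mode!r}")
```
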

DirkVandervoort
Occasional Contributor II

Shameless bump - I'm still trying to figure this out. TIA

DirkVandervoort
Occasional Contributor II

Thanks Rohit, that's what I figured but was not certain. We are using ADFS and SAML, although we have retained one ArcGIS Portal named user account for administrative purposes. For business reasons we want all our users to access Portal content via their ADFS SAML security. We are looking forward to your support of ADFS SAML. Thank you for your reply!

--Dirk

PF1
Occasional Contributor II

This has been a challenge for our organization for the past few years as well. We finally put together an authentication handler that works with the Python requests API which supports the Esri proprietary "token authentication", web-tier using Kerberos (or NTLM) and SAML with enterprise logins.

Code repo is on GitHub (DOI-BLM/requests-arcgis-auth: Authentication handler for using Esri ArcGIS for Server and P...) in case you find it valuable for your efforts. The SAML piece was developed specifically to work with our SAML provider (which supports Kerberos authentication), but the overall process for authentication to the identity provider (SAML) with handing the SAML code back to the portal to acquire an access and refresh token is technically feasible.

Best of luck.