How to stop a Federated User on Collector From Logging in Again For Layers

09-22-2018 12:07 PM
John_Spence
Occasional Contributor III

Has anyone experienced and figured out how to overcome the double log-on when your Collector app is accessing secured layers from your ArcGIS Server REST endpoints?

We have a Collector web map that is pulling from secured services. When our user logs onto Collector, they do so with their federated logon. No issues there and works as expected. When they launch their map, however, it asks them for domain user name and password again to access the layers.

I suspect a setting is not set right and isn't passing the credential back to IIS as I think it should, but I can't put my finger on which one.

Anyone have an idea of where I should start looking?

Looking to avoid having someone inadvertently pass their credentials in an unsecure fashion. 

2 Replies
ScottFierro2
Regular Contributor

I'm guessing you are using ArcGIS Online and not Portal?

If yes, that's known and expected behavior. Despite all my efforts and annoyances with this falling short of an enterprise and true SSO user experience, for the time being there is no solution from ESRI.

In theory it is possible to get this to work using the ArcGIS Online with the "Trusted Servers" configuration and passing users through IIS with your ArcServers configured for Web Tier authentication. While I could get this to work from an authentication stance the performance is so awful the maps are unusable. Been a year + now but from what I recall there is even a note inside the ESRI docs that speaks to this as a known issue inside one of their "Note" boxes.

It means, if you need something that works and maintains performance, for now, the only usable option for authentication tier is using ArcServer. Just have to accept that users will need to first login to AGOL, establishing credentials there, and then login to your backend environment, establishing credentials with your servers. All for rallying the cause on this one as I know others have struggled with it for a while and the easy break is to shift everything to Portal but it seems like there should be an easy way for ESRI to build into their Web Adaptor apps or a new .NET app or something that could accept a package or cookie from AGOL handling authentication separate from the individual services and maintaining performance.

John_Spence
Occasional Contributor III

Hi Scott,

Yes, I was referring to the big brother Portal, ArcGIS Online, not the little brother. Pretty much what I expected for a myriad of reasons, but was double checking in case I missed something as many of us invariably do during the configuration process. There's always a checkbox or a True/False flag missed.

Sounds like you and I had similar logic going on there with regards to a workaround. I opted not to try to go down those paths before asking the question. I suspect that this will not change in the short term.

Thank you for your response and it was very helpful. So... chalk up a win today in the "I'm NOT Going Crazy" column.