Please consider allowing ArcGIS for Server federation with ArcGIS Online. We have many on-premise ArcGIS Server deployments using either 'token' based authentication or 'web-tier' (Microsoft Integrated Windows Authentication). For publicly hosted 'secured' content we are striving to shift towards the use of enterprise logins with SAML to tie in our corporate identity stores and solve Two Factor Authentication (TFA). Currently, the only way to integrate with SAML on an ArcGIS Server is to federate it with a "Portal for ArcGIS" product (on-premise ArcGIS Online). While technically that is feasible, we are struggling to manage two public portals: one for cloud hosted content (ArcGIS Online) and one for on-premise hosted content (ArcGIS Server). We would like to expose our on-premise content to our ArcGIS Online portal (via server federation) so that we can use only 1 portal and meet requirements to integrate with SAML. The user experience switching between portals (from ArcGIS Desktop and Collector for ArcGIS) is not intuitive to end users. Thanks!
Good idea,
As of now I think you can do a hybrid with a public facing ArcGIS Server in the DMZ.
-Bill
Are there any updates on this? We have several municipal clients that use ArcGIS Server and ArcGIS Online and saving the credentials to Online makes all edits show as the saved credentials. They are smaller municipalities that rely on us for their GIS needs. Adding Portal to their deployments just isn't feasible right now. Having users log in multiple times (once to AGOL and once to the layers) would be a real pain for field crews and less technical personnel. It also becomes a problem with users needing to remember 2 different accounts and passwords. Being able to properly utilize editor tracking from their SQL database and ArcGIS Server through ArcGIS Online would be a huge help.
What if you registered some of the Server services in AGOL, storing the credentials? They would then only have to log in to AGOL. Credentials would be stored in the item once registered.
That is the process we currently use, but the editor tracking then uses whatever credentials are saved for that service for all creation and last edited by. You can't tell who was logged into ArcGIS Online to do the edits. So if you have 5 users that are set up through ArcGIS Online to access a feature layer that has stored credentials, all of their edits will show the stored credentials as the editor or creator of features.
OK, silly question here. I'm trying to set up Portal and slowly get into Pro.
It appears that if I enable licenses for Pro for our Portal and, for example, take my laptop out of the building to another network, it won't work. Now, I could go into the manager and re-license to AGOL. But that's a hassle and also some users don't have the ability to do that themselves. Is the idea of this thread to allow for one credential, which would work for both simultaneously? That would be good. Until then I think a lot of large entities will hit this roadblock and simply wait on Pro for this to be implemented. This is one of those things where at first I was just hoping I wasn't understanding it right but I think it is designed this way currently. This mirrors the issue of publishing directly to Server from Pro in that it's an important design concept and issue.
2024 - same question still. We embed services with saved creds in AGOL but I want editor tracking to "just work". I understand some orgs would be cautious about tying together two systems but some folks will happily do that in order to simplify things for field users. Plus federation is a common security pattern and Esri already works with the right partners like Okta, Microsoft (AD) etc to make it happen securely. Would be great.
However, we need to operationalize editor tracking near term. I am thinking we will migrate all our content to Portal. Portal users authenticated via AD will show their username as the Editor in editor tracking, right? Even if data is in a SQL Server SDE? We have 10.9 but are going to go to 11.3.
As an incentive for this Idea, Esri would generate data storage credits if they implement AGOL->Server/Portal federation for those who save content on AGOL but are considering migrating it to Portal on prem, to be able to leverage editor tracking.