
Allow ArcGIS Server Federation with ArcGIS Online

06-01-2016 06:46 AM · Status: Open · by PF1 (Frequent Contributor)

Please consider allowing ArcGIS for Server federation with ArcGIS Online. We have many on-premise ArcGIS Server deployments using either 'token' based authentication or 'web-tier' (Microsoft Integrated Windows Authentication). For publicly hosted 'secured' content we are striving to shift towards the use of enterprise logins with SAML to tie in our corporate identity stores and solve Two Factor Authentication (TFA). Currently, the only way to integrate with SAML on an ArcGIS Server is to federate it with a "Portal for ArcGIS" product (on-premise ArcGIS Online). While technically that is feasible, we are struggling to manage two public portals: one for cloud hosted content (ArcGIS Online) and one for on-premise hosted content (ArcGIS Server). We would like to expose our on-premise content to our ArcGIS Online portal (via server federation) so that we can use only 1 portal and meet requirements to integrate with SAML. The user experience switching between portals (from ArcGIS Desktop and Collector for ArcGIS) is not intuitive to end users. Thanks!

6 Comments
BillFox

Good idea,

As of now I think you can do a hybrid with a public facing ArcGIS Server in the DMZ.

  • secure the publishing folder with built-in user name/password
  • share the secure service of your on premise enterprise geodatabase feature class to AGOL and use option to save user name/password with the service
  • SAML AGOL to your AD
  • add AD users to AGOL, groups, etc.
  • but editor tracking from AGOL will probably post the built-in user instead of the SAML one
  • on premise portal would post the correct AD user

-Bill

MikeDahm

Are there any updates on this? We have several municipal clients that use ArcGIS Server and ArcGIS Online, and saving the credentials to Online makes all edits show as the saved credentials. They are smaller municipalities that rely on us for their GIS needs. Adding Portal to their deployments just isn't feasible right now. Having users log in multiple times (once to AGOL and once to the layers) would be a real pain for field crews and less technical personnel. It also becomes a problem with users needing to remember 2 different accounts and passwords. Being able to properly utilize editor tracking from their SQL database and ArcGIS Server through ArcGIS Online would be a huge help.

SzymonPiskula1

What if you registered some of the Server services in AGOL, storing the credentials? They would then only have to log in to AGOL. Credentials would be stored in the item once registered:

ArcGIS Server web services—ArcGIS Online Help | ArcGIS 

MikeDahm

That is the process we currently use, but the editor tracking then uses whatever credentials are saved for that service for all "created by" and "last edited by" values. You can't tell who was logged into ArcGIS Online to do the edits. So if you have 5 users that are set up through ArcGIS Online to access a feature layer that has stored credentials, all of their edits will show the stored credentials as the editor or creator of features.
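As an added example (not code from this thread or from Esri), a small Python audit that reads a feature service's REST query response and flags the symptom described above: editor-tracking values collapsing onto the stored-credential account. The field names `created_user` and `last_edited_user` are the ArcGIS editor-tracking defaults; the proxy account name and the sample features are constructed.

```python
import json
from collections import Counter

# Constructed sample of an ArcGIS REST "query" response carrying the default
# editor-tracking fields. "svc_agol_proxy" stands in for the account whose
# credentials were saved with the AGOL item; it is not a real account.
SAMPLE_QUERY_RESPONSE = json.dumps({
    "features": [
        {"attributes": {"OBJECTID": 1, "created_user": "svc_agol_proxy",
                        "last_edited_user": "svc_agol_proxy"}},
        {"attributes": {"OBJECTID": 2, "created_user": "svc_agol_proxy",
                        "last_edited_user": "svc_agol_proxy"}},
        {"attributes": {"OBJECTID": 3, "created_user": "CORP\\jdoe",
                        "last_edited_user": "svc_agol_proxy"}},
    ]
})

TRACKING_FIELDS = ("created_user", "last_edited_user")


def editor_counts(query_json, fields=TRACKING_FIELDS):
    """Count how many tracked edits each account is credited with."""
    data = json.loads(query_json)
    counts = Counter()
    for feature in data.get("features", []):
        attrs = feature.get("attributes", {})
        for field in fields:
            user = attrs.get(field)
            if user:
                counts[user] += 1
    return counts


def attribution_collapsed(query_json, proxy_accounts, threshold=0.9):
    """True when at least `threshold` of tracked edits are credited to a
    stored-credential (proxy) account, i.e. the real editor is lost."""
    counts = editor_counts(query_json)
    total = sum(counts.values())
    if total == 0:
        return False
    proxied = sum(n for user, n in counts.items() if user in proxy_accounts)
    return proxied / total >= threshold


if __name__ == "__main__":
    for user, n in editor_counts(SAMPLE_QUERY_RESPONSE).most_common():
        print(f"{user}: {n} tracked edits")
    print("collapsed onto proxy account:",
          attribution_collapsed(SAMPLE_QUERY_RESPONSE, {"svc_agol_proxy"}, 0.8))
```

Run it against the JSON returned by a layer's `query` endpoint (with `outFields` including the tracking fields) to see whether any real editor identities survive.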

by Anonymous User

OK, silly question here. I'm trying to set up Portal and slowly get into Pro.

It appears that if I enable licenses for Pro for our Portal, and I for example take my laptop out of the building to another network, it won't work. Now, I could go into the manager and re-license to AGOL. But that's a hassle, and also some users don't have the ability to do that themselves. Is the idea of this thread to allow for one credential, which would work for both simultaneously? That would be good. Until then I think a lot of large entities will hit this roadblock and simply wait on Pro for this to be implemented. This is one of those things where at first I was just hoping I wasn't understanding it right, but I think it is designed this way currently. This mirrors the issue of publishing directly to Server from Pro in that it's an important design concept and issue.

Kevin_MacLeod

2024 - same question still. We embed services with saved creds in AGOL but I want editor tracking to "just work". I understand some orgs would be cautious about tying together two systems, but some folks will happily do that in order to simplify things for field users. Plus federation is a common security pattern and Esri already works with the right partners like Okta, Microsoft (AD) etc. to make it happen securely. Would be great.

However, we need to operationalize editor tracking near term. I am thinking we will migrate all our content to Portal. Portal users authenticated via AD will show their username as the Editor in editor tracking, right? Even if data is in a SQL Server SDE? We have 10.9 but are going to go to 11.3.

As an incentive for this Idea, Esri would generate data storage credits if they implement AGOL->Server/Portal federation for those who save content on AGOL but are considering migrating it to Portal on prem, to be able to leverage editor tracking.