Federated authentication for secure services in WebMaps

03-01-2021 02:56 PM
Status: Open
New Contributor II


I create a WebMap in Portal for ArcGIS. I add a secure service hosted on our ArcGIS Online site to the WebMap. I save and share the WebMap with another user in the organisation, who also has access to the secure service hosted on ArcGIS Online.

The user logs in to Portal and opens the WebMap. They are prompted to enter an ArcGIS username and password to access the secure hosted service. The user does not have a username and password to enter as their ArcGIS Online authentication is federated with the organisation's Identity Provider.

Please allow the user to authenticate here with the enterprise IDP.

I could save the credentials with an item in Portal, but I don't want to as this means I have to replicate all groups in both AGOL and Portal. Collaboration is not a possibility for us.



Maybe this will work for you.

Create an AGOL user called "portaluser".

Add the AGOL secure item into an AGOL group that "portaluser" is a member of.

From you portal, add the AGOL item to your portal using the "portaluser" credentials.

Add this portal item to your webmap.


@BillFox thanks for your reply.

Unfortunately this will not work as a wider solution for us as we have 1700 users and around 300 services, each with different security/access requirements. Handing out a single username and password for these would circumvent the security groups that we have put in place, and remove the benefits of federating with an IdP (i.e. not having to manage users!) 


Hi @Jake, so all you users are setup in AGOL, and you don't want to replicate that onto the on premises system because of licensing and administrative burden correct?

So my question is if your Hosted Feature layer is already in AGOL is there a specific reason why you bring the service down to Enterprise since you don't get billed for hosting WebMaps and Apps in AGOL but you do get billed for the Hosted Feature service?

Kind Regards



Hi @HenryLindemann the users have IdP-federated accounts on both. What isn't replicated are the groups and content.

Our Portal is locked down behind the enterprise firewall and contains data which we don't want to expose to the web. We do however want to consume secure services we do choose to host on AGOL within WebMaps in our Portal.

Regardless of our this, I am sure there are other uses for OAuth-based authentication to services, for example when accessing an AGOL REST endpoint, receiving a prompt to login rather than the "invalid token" error would be good. Perhaps this is the better way to frame the idea?