Federated authentication for secure services in WebMaps

03-01-2021 02:56 PM
Status: Open
by Anonymous User

Scenario:

I create a WebMap in Portal for ArcGIS. I add a secure service hosted on our ArcGIS Online site to the WebMap. I save and share the WebMap with another user in the organisation, who also has access to the secure service hosted on ArcGIS Online.

The user logs in to Portal and opens the WebMap. They are prompted to enter an ArcGIS username and password to access the secure hosted service. The user does not have a username and password to enter as their ArcGIS Online authentication is federated with the organisation's Identity Provider.

Please allow the user to authenticate here with the enterprise IDP.

I could save the credentials with an item in Portal, but I don't want to as this means I have to replicate all groups in both AGOL and Portal. Collaboration is not a possibility for us.


6 Comments
BillFox

Maybe this will work for you.

Create an AGOL user called "portaluser".

Add the AGOL secure item into an AGOL group that "portaluser" is a member of.

From your portal, add the AGOL item to your portal using the "portaluser" credentials.

Add this portal item to your webmap.

by Anonymous User

@BillFox thanks for your reply.

Unfortunately this will not work as a wider solution for us as we have 1700 users and around 300 services, each with different security/access requirements. Handing out a single username and password for these would circumvent the security groups that we have put in place, and remove the benefits of federating with an IdP (i.e. not having to manage users!) 

HenryLindemann

Hi @Anonymous User, so all your users are set up in AGOL, and you don't want to replicate that onto the on-premises system because of licensing and administrative burden, correct?

So my question is if your Hosted Feature layer is already in AGOL is there a specific reason why you bring the service down to Enterprise since you don't get billed for hosting WebMaps and Apps in AGOL but you do get billed for the Hosted Feature service?

Kind Regards

Henry

by Anonymous User

Hi @HenryLindemann the users have IdP-federated accounts on both. What isn't replicated are the groups and content.

Our Portal is locked down behind the enterprise firewall and contains data which we don't want to expose to the web. We do however want to consume secure services we do choose to host on AGOL within WebMaps in our Portal.

Regardless of this, I am sure there are other uses for OAuth-based authentication to services; for example, when accessing an AGOL REST endpoint, receiving a prompt to log in rather than the "invalid token" error would be good. Perhaps this is the better way to frame the idea?

Thanks


Jake
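The behaviour Jake describes in the post above (a client hits a secured AGOL REST endpoint and gets back an "invalid token" error instead of a login prompt) can be illustrated with a small client-side handler. The following is an added example and is not code from the thread or from any Esri product: it classifies an ArcGIS REST JSON response by its error code (498 "Invalid Token" and 499 "Token Required" are the standard ArcGIS REST codes) and, instead of surfacing the bare error, turns it into a redirect to the portal's OAuth 2.0 authorize endpoint, which is where a federated user would sign in with the enterprise IdP. The sample response bodies are constructed, and `EXAMPLE_CLIENT_ID` and the redirect URI are hypothetical placeholders. One caveat worth knowing: ArcGIS services commonly return these errors inside a JSON body with an HTTP 200 status, so a client that only checks the status code never sees them.

```python
import json
from urllib.parse import urlencode

# ArcGIS REST error codes that signal an authentication problem. ArcGIS Server
# and ArcGIS Online commonly return these inside a JSON body with an HTTP 200
# status, so a client must inspect the body, not just the HTTP status.
TOKEN_REQUIRED = 499   # no token supplied for a secured resource
INVALID_TOKEN = 498    # token expired, malformed, or issued for another portal
NOT_AUTHORIZED = 403   # valid identity, but no access to this item

# Constructed sample bodies (not captured from a real service).
SAMPLE_OK = '{"currentVersion": 10.81, "serviceDescription": "demo", "layers": []}'
SAMPLE_TOKEN_REQUIRED = '{"error": {"code": 499, "message": "Token Required", "details": []}}'
SAMPLE_INVALID_TOKEN = '{"error": {"code": 498, "message": "Invalid token.", "details": []}}'
SAMPLE_FORBIDDEN = ('{"error": {"code": 403, "message": '
                    '"You do not have permissions to access this resource", "details": []}}')


def classify_rest_response(body: str) -> str:
    """Classify a JSON response body from an ArcGIS REST endpoint.

    Returns one of: "ok", "login_required", "forbidden", "error".
    """
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return "error"
    if not isinstance(payload, dict):
        return "error"
    err = payload.get("error")
    if not err:
        return "ok"
    code = err.get("code")
    if code in (TOKEN_REQUIRED, INVALID_TOKEN):
        return "login_required"
    if code == NOT_AUTHORIZED:
        return "forbidden"
    return "error"


def oauth_authorize_url(portal_url: str, client_id: str, redirect_uri: str) -> str:
    """Build the OAuth 2.0 authorization-code URL for an ArcGIS portal.

    /sharing/rest/oauth2/authorize with client_id, response_type and
    redirect_uri is the portal's standard OAuth endpoint; the concrete
    client_id and redirect_uri values are the caller's (hypothetical here).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
    }
    return f"{portal_url.rstrip('/')}/sharing/rest/oauth2/authorize?{urlencode(params)}"


def next_action(body: str, portal_url: str, client_id: str, redirect_uri: str) -> dict:
    """Decide what the client should do after a REST call.

    An auth failure becomes a redirect to the portal's OAuth login (where a
    federated IdP user can sign in) rather than a bare "invalid token" error.
    A 403 is reported separately: the user is authenticated but not authorized,
    so sending them back to the login page would not help.
    """
    outcome = classify_rest_response(body)
    if outcome == "ok":
        return {"action": "proceed"}
    if outcome == "login_required":
        return {"action": "redirect",
                "url": oauth_authorize_url(portal_url, client_id, redirect_uri)}
    if outcome == "forbidden":
        return {"action": "deny", "reason": "authenticated but not authorized for this item"}
    return {"action": "fail", "reason": "unexpected response"}


if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("499", SAMPLE_TOKEN_REQUIRED),
                       ("498", SAMPLE_INVALID_TOKEN), ("403", SAMPLE_FORBIDDEN)]:
        print(name, next_action(body, "https://www.arcgis.com",
                                "EXAMPLE_CLIENT_ID", "https://portal.example.org/callback"))
```

The split between "login_required" and "forbidden" is the part that matters for a federated setup like the one in this thread: a 498/499 means the client should send the user through the IdP-backed OAuth flow, whereas a 403 means the identity is fine and the group or sharing settings on the item are what need attention.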

FrancisHourigan1

I would think it would be an easy fix for Esri to allow you to save credentials in a distributed collaboration so that you can share AGOL layers with Enterprise users and not be prompted for credentials. This is already done in the portal site settings for accessing Living Atlas content, so why not have the same thing for your own hosted content?

TracySArchibald

We also want to be able to enter Active Directory creds on these challenge screens. We have a third-party vendor that is using some secured layers and it usually works, but sometimes it presents a challenge screen.

ALLLLL our users are set up in Portal as AD users, and none can enter their creds in these challenge screens.