
Allow AGOL access to a secured Enterprise Portal service using web-tier authentication

05-19-2023 09:52 AM
LanceCole
MVP Regular Contributor

We recently upgraded our enterprise deployment to 11.1 and as part of that process, we federated our ArcGIS server site with the portal.  This allows us to utilize integrated Windows authentication (IWA) on our enterprise systems.

Everything is working great with single sign-on (SSO) working seamlessly on our network when our portal is configured for web-tier authentication.  However, we can no longer access secure services from ArcGIS Online (AGOL).  AGOL does not give the option to save the credentials when adding a new URL-based item from our secure portal.  

LanceCole_0-1684514275507.png

If we switch our Portal to portal-tier authentication the option to store credentials with a service item appears and we can access the secure data from AGOL without a logon; however, we lose our SSO functionality, and network users have to manually sign into secured services.

LanceCole_1-1684514614151.png

Am I missing something?  Is there a workaround to be able to use web-tier authentication while still storing credentials on AGOL items?

We are using AGOL to make some of the secure services from our enterprise systems publicly available.  It has worked great in stand-alone deployments and on Portal when configured with portal-tier authentication.  I just cannot get it to work when using web-tier authentication.

7 Replies
RyanUthoff
Frequent Contributor

To my understanding, this is by design. I ran into this issue a few months ago and came to that conclusion. I can't remember if I found Esri documentation that stated that or not. I tried doing a quick search, but I can't find anything now.

I might be in a slightly different scenario, but we use Azure AD to authenticate, but left the ability to sign in using Portal built-in users enabled. With this method, you can have a dedicated built-in account that is used for hosting content on AGOL. And essentially, you can use that account to store the credentials in that item.

I'm not sure if you have that option with IWA or not. But if it's possible to have both built-in accounts and IWA accounts, then that might be the best solution.

LanceCole
MVP Regular Contributor

@RyanUthoff,

Thanks for the quick reply.  I too have not been able to find anything in the ESRI documentation.  It does state that when using portal-tier authentication SSO will not function.  However, why can you not use a domain\user to access portal items from AGOL, and why do they disable saving credentials when using web-tier authentication?

I also tried making services from an AGOL-Portal collaboration public but had the same results.

RyanUthoff
Frequent Contributor

Ok, I didn't realize SSO won't function when using portal-tier authentication.

Yeah, I'm not sure why they don't let you store credentials with domain accounts. It might be a limitation of Esri being able to communicate with the domain controller or something like that. But that goes above my knowledge.

Todd_Metzler
Frequent Contributor

Perhaps revisiting the end user's requirements may help.  If the end user simply wants a Single Sign On (SSO) experience then that can be achieved without using IWA by enabling SAML authentication with your identity provider.  Enabling SSO in this way with Portal tier authentication on both your Enterprise Portal and AGOL Organization does allow "pass thru" authentication between Portals as long as the account used is the same on both portals and the identity provider is the same.  This option also allows the use of built-in Portal accounts on both Portals to create an authenticated handshake between the portals.

Depending on your environment and Internet access rules a collaboration between Portals may work.

Depending on your environment and Internet rules the trusted Portals method may work. 

There are a number of different strategies available here.  The important starting place is to fully understand your organization's computer user authentication strategy and leverage what works best for ArcGIS.

Understanding your web server environment is critical.

Understanding tokens, where they are generated, and their life spans is also critical.

LanceCole
MVP Regular Contributor

@Todd_Metzler,

You note that SAML authentication should help resolve the issue we are experiencing.  Can you please elaborate on that a little further?

We went ahead and configured our SAML identity provider with ArcGIS Enterprise and AGOL.  However, we still are not able to store a credential on AGOL to access secured services on our Enterprise deployment.  I believe SAML also does not use token-based authentication to allow this to occur, unless I missed something in configuring the authentication.

LanceCole
MVP Regular Contributor

Well, after working with ESRI Support and trying multiple possible workarounds, we have not found a solution to allow public access to secure portal services that are using web-tier authentication.  AGOL is only able to store token-based authentication, such as when using portal-tier or named user authentication.  ESRI support is still looking into a possible workaround but it does not look good.

I did create an idea to include this functionality on AGOL.

https://community.esri.com/t5/arcgis-online-ideas/allow-storage-of-web-tier-credentials-to-access/id...

LanceCole
MVP Regular Contributor

Thanks to a comment by @BillFox posted on the idea referenced above, we were able to get SSO working with SAML on our internal network while still allowing AGOL access using an ArcGIS built-in account.  We are using Windows ADFS as our SAML Identity Provider.  It turns out that not all browsers are initially configured as WIA Supported User Agents by ADFS.  By running the following command in PowerShell we added the missing browsers utilized by our users.

Set-ADFSProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Firefox/47.0", "Mozilla/4.0", "Mozilla/5.0", "Chrome", "Edg/", "Edge/")

Configure browsers to use Windows Integrated Authentication (WIA) with AD FS 

Note that Firefox also requires some client-side configuration. Type in about:config and add the address of your ADFS server (e.g. fs.domain.com) to network.automatic-ntlm-auth.trusted-uris.  This can be completed via GPO.

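The command in the post above overwrites the whole WIASupportedUserAgents list with a fixed set of values. The following is an added example (not Lance's command, and not Esri's or Microsoft's code) that reaches the same end state idempotently: it reads the list the AD FS farm already has, adds only the entries that are missing, writes the merged list back, and re-reads it to confirm. It uses the real Get-AdfsProperties / Set-AdfsProperties cmdlets; the $Required list simply reproduces the user-agent strings from the post and should be trimmed to the browsers your users actually run.

```powershell
# Added example: merge missing WIA user-agent matches into AD FS instead of
# replacing the list wholesale. Run in an elevated PowerShell session on the
# primary AD FS server (the ADFS module is present there).

# Entries from the post above; treat this as a starting point, not a standard.
# Very broad matches such as "Mozilla/5.0" make almost every browser on the
# intranet attempt WIA, so clients that cannot do Kerberos/NTLM get a Windows
# credential prompt instead of the forms page. Keep the list as narrow as your
# browser estate allows.
$Required = @(
    "MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0",
    "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client",
    "Firefox/25.0", "Firefox/47.0", "Mozilla/4.0", "Mozilla/5.0",
    "Chrome", "Edg/", "Edge/"
)

# What the farm allows today. Wrapped in @() so a single or empty value is
# still an array.
$Current = @((Get-AdfsProperties).WIASupportedUserAgents)

# Only the entries not already present.
$Missing = @($Required | Where-Object { $Current -notcontains $_ })

if ($Missing.Count -eq 0) {
    Write-Host "All required WIA user agents are already configured; no change made."
}
else {
    Write-Host "Adding WIA user agents:`n  $($Missing -join "`n  ")"

    # Merge rather than replace so entries added by other administrators survive.
    $Merged = @(($Current + $Missing) | Select-Object -Unique)
    Set-AdfsProperties -WIASupportedUserAgents $Merged

    # Some AD FS property changes only take effect after the adfssrv service is
    # restarted; check the linked Microsoft article for this property before
    # assuming the new list is live.

    # Re-read and verify that every required entry is now present.
    $After = @((Get-AdfsProperties).WIASupportedUserAgents)
    $StillMissing = @($Required | Where-Object { $After -notcontains $_ })
    if ($StillMissing.Count -gt 0) {
        Write-Warning "Still missing after update: $($StillMissing -join ', ')"
    }
    else {
        Write-Host "WIASupportedUserAgents now contains all required entries."
    }
}
```

Running this a second time prints the "already configured" message and makes no further call to Set-AdfsProperties, which is what you want from a script kept in change control and re-run after farm upgrades.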