Arcgis Enterprise security Single Sign-On (SSO)

9712
11
06-23-2015 12:49 PM
shafitrumboo
New Contributor III

I'm using Develop edition of WAB where I build custom widgets and download the application and deploy it locally. So at end I will be having multiple web application and also I have some other Non-GIS application. I wrap the downloaded WAB application in aspx (.net) page for security reasons. I know I can have only one application based on WAB and can show /hide widgets and load different web maps loading different configuration settings but I assume that will not make any difference related to security and also I will be having some other applications.

Although I have ADFS in place and we want SSO in our all applications and I saw it can achieved using ArcGIS Portal ( I will use portal only for creating web maps and assign permissions). But I assume we need named users for portal for giving permission to web maps that we will usedn developer edition of WAB applications but that can be a rider for me, Am I right? ( I want to make sure because I will talk to management and put this case)

Is there any other options where can achieve same may be using GIS server authentication and ArcGIS services server through proxy.

Robert Scheitlin, GISP

Since I'm assume you are using WAB and secure services can you please enlighten me with your valuable inputs.

0 Kudos
11 Replies
DustinHobbs
Esri Contributor

Greetings Shafi,

Essentially it all depends on how you share the application from within Portal for ArcGIS.

For instance if you only wanted members of Portal for ArcGIS to access the web application then the application would need to be shared with organization. Then all named users of Portal for ArcGIS would have access to the application. 

If you wanted members of a particular group to access the web application then the application would need to be shared with that group. Then all named users of Portal for ArcGIS whom are members of the group would have access.

If you created an application and wanted to grant public access but not require them to be a named user within Portal for ArcGIS. Then you'd want to enable Anonymous access and then share the web application with Everyone.

I hope this information helps.

0 Kudos
shafitrumboo
New Contributor III

This is not my question I don't have serve applications from Portal contrary to that I download the app, deploy and serve it on my web server.

I want to avoid if possible to named users because of its license.

0 Kudos
DustinHobbs
Esri Contributor

Shafi,

If you could please clarify your question? I understand that you are using the WAB Developer addition and have it deployed to your web server. I guess I'm confused on your concern with named users.

With this type of configuration named users would not come into play unless the ArcGIS Server, where the map services are being consuming from, is federated with Portal for ArcGIS.

0 Kudos
shafitrumboo
New Contributor III

Let me explain you my workflow

1. I publish the service using arcgis server

2. I create a web map using Arcgis portal

3. Using developer edition of WAB We created multiple web application in sync with our business requirements.

4. We download these web application and deploy them on our web server

5. We also wrap them in .net for security reasons and also we integrate them with ADFS

6. We have other application that are not arcgis based

7. We use ADFS3 to have SSO for all applications.

8. We have one application for managing applications access. In our database we have list of application and list of assigned application to user.

9. Also Our default home page we call it app launcher lists application depends on user permissions after successful login using ADFS. The permission code and configuration is custom build but apparently we use AD users.

This is working fine perfectly but you see we have not done any permissions for ArcGIS services or we maps.

Today I  federated ArcGIS Server site with portal and configured ADFS. Then I shared the Arcgis service (EIA_Service) and web map (EIA_WEBMAP) with one group ( I have added  one AD user to that group also). If I login in  Arcgis portal using that user through ADFS I'm able access the items that are shared with that user. But when I access the application after successful login through ADFS (This application is also relying partner inADFS) where these EIA_Service and EIA_WEBMAP is used it prompts me with login window again.

Note: My application and ArcGIS portal are hosted on different servers.

ADFS2.jpg

Derek Law​ Please provide your thoughts

Jayanta Poddar

0 Kudos
JonUjkani
New Contributor II

Hi Shafi,

I'd like to give you something else to think about:

When you login through ADFS into your WAB application you're only granted permission into that app. The SAML token passed I believe is valid only for that web app (service provider). The moment your web application tries to access a secured Portal WebMap (that's another SP) the login has to happen again (portal has no idea you have already logged in).

Given your workflow, it looks to me for Portal ADFS configuration you need to configure Identity Provider initiated logins. Look here: Configure Active Directory Federation Services—ArcGIS Online Help | ArcGIS  and here http://stackoverflow.com/questions/12779532/diffrence-between-sp-initiated-sso-and-idp-initiated-sso

This way when user logs in once through the regular ADFS login page, it's ADFS that forwards the login request to the Service Provider (Portal). This should achieve the SSO you're looking for.

Jon

shafitrumboo
New Contributor III

Thanks for your email,

We are using ADFS 3 and can't change these things

0 Kudos
NicolasGIS
Regular Contributor

Hello Shafi trumboo,

I am having the same problem after having configured Portal for arcgis 10.3 with an authentification SAML2 as Service Provider and defined groups/users with Active Directory.

Calling secured web map services of the federated ArcGIS server from another server configured with SSO SAML2 as well, brings me the same login window.

Did configuring Portal for ArcGIS as an Identity Provider solve this issue ?

Thanks,

Nicolas

0 Kudos
NicolasGIS
Regular Contributor

Hi Jon,

I am having the same kind of problem as Shafi and there is still something I don't understand:

why is this pop up showing up instead of redirecting to the SP Portal is configured to deal with. Then, the SP would handle the rest.

What have I missed ?

Thanks,

Nicolas

0 Kudos
NicolasGIS
Regular Contributor

Hello Jon,

I tested configuring Identity Provider initiated logins and it did not solve the problem (maybe I missed something but I don't think so).

I think it is rather that you have to use OAuth 2.0 based authentication in the Javascript in order to get an 'SSO experience'

Working with secure resources | Guide | ArcGIS API for JavaScript 3.17 

And this did the solve the pop-up problem.

Nicolas

0 Kudos