Hello all,
I am setting up a new environment - ArcGIS Enterprise 11.1 with federated server. I am using Portal-tier authentication so we have both Portal built-in users and enterprise Windows AD users (IWA with anonymous access in IIS). Some info on that: https://enterprise.arcgis.com/en/portal/11.1/administer/windows/about-configuring-portal-authenticat...
I am researching forcing MFA in Portal. https://enterprise.arcgis.com/en/portal/latest/administer/windows/configure-security.htm#MULTIFACTOR
If I enable MFA in Portal - does that mean that all of the AD users that sign in like domain\username will have to use MFA? (or does this not affect the domain users?)
We have a website tab that, for its map, uses the ArcGIS Maps SDK for JavaScript. I'm not a website developer so I couldn't tell you exactly how that works. I do know that it uses a username and password to access the Portal to get the map/feature service. There is a domain service account and a Portal built-in account it could use. How would MFA affect this?
Thank you! I appreciate any insight.
MFA will only be applied to built-in users, not AD users. If the JavaScript app is directing to Portal for the sign-in function, the MFA code would be required before the sign-in can be completed. There are no extra steps needed on the app side to allow for this.
If MFA needed to be applied to AD users as well, the SAML option for authentication would need to be configured, and then the SAML provider (Azure AD, Okta, ADFS, etc.) can be set up to require MFA every time during the sign-in process.
Hi @ReeseFacendini ,
Thank you! The documentation was confusing so thanks for clearing that up.
I also realized that Portal 11.1 only gives the users the option to set up MFA, there is no ability to enforce MFA (force the users). The ability to enforce MFA is only in AGOL at this time. https://www.esri.com/arcgis-blog/products/arcgis-online/administration/configure-multifactor-authent...
Do you plan to use this too?
Use your portal with LDAP or Active Directory and portal-tier authentication
Hi @BillFox,
Yes, correct. I have configured the portal with Active Directory identity store and enabled anonymous access through the web adaptor in IIS.