Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

05-24-2016 12:06 AM
ChristineLarsen
New Contributor III

We've set up our Portal environment using Integrated Windows Authentication (IWA), giving our users a single sign-on experience using Windows Active Directory (AD). The problem we're facing is that anyone without a named user who accesses content is asked to log on to the Portal, even though the content is shared with "everyone".

We want our named users to have the full Portal experience, whereas our non-named users should only have access to content that is shared with "everyone". Is there a way to configure both single sign-on and anonymous access to the Portal?


Accepted Solutions
ChristineLarsen
New Contributor III

Thank you for the feedback. By adding the portal server to trusted sites in IE, we've been able to get rid of the pop-up sign-in window for domain users without a named user license in portal. They are now able to access the content that is shared with everyone.


19 Replies
JonathanQuinn
Esri Notable Contributor

You can install another web adaptor and leave the authentication at Anonymous and then make sure that "Allow anonymous access to your portal" is enabled.  Please note that the recommendation is to disable anonymous access.

I apologize for the misleading information, but after a bit more research and discussion, this is NOT possible.  In order to register two different web adaptors with Portal, you need to set the Web Context URL:

This defines an entry point into the Portal, and in the case of multiple web adaptors, it's meant to be a load balancer that can balance requests to the web adaptors. Setting the Web Context URL also disables this error from coming up, so you can actually register multiple different web adaptors to Portal, even if you don't intend on using the web context URL to balance requests to them. This may make it seem like you can have multiple web adaptors with different security settings, but that's not the case.

To put this in perspective, let's say you have a Portal you want configured with IWA, and you set the Web Context URL to point to a reverse proxy that then points to a web adaptor that is open, for example https://public_portal.domain.com/open. This allows anonymous access. You have a separate web adaptor configured with IWA that's accessible through your internal network, so domain users can sign in and create content, accessible through https://internal_portal.domain.com/iwa. Since only named users create content, all items are created with the URL set to https://internal_portal.domain.com/iwa. When named users create content, the URL for those items is going to point to https://internal_portal.domain.com/iwa, so when external users reach the portal through https://public_portal.domain.com/open, all items will reference https://internal_portal.domain.com/iwa, and they won't be able to reach the item as they can't be authenticated correctly.

We are going to update the documentation to explain this further. I'm also interested in how Adam from that other post configured his Portal.
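The failure described in the post above can be checked for before anonymous users hit it. The following is an added example, not part of the original post and not Esri code: it flags items shared with everyone whose stored URL sits outside the anonymous entry point. The item records are constructed, and their field names (`id`, `title`, `access`, `url`) and the `public` access value are assumptions about how an item export would look.

```python
from urllib.parse import urlsplit

# Anonymous entry point, as named in the post above.
PUBLIC_ENTRY = "https://public_portal.domain.com/open"

# Constructed sample records (assumed field names, not real portal output).
SAMPLE_ITEMS = [
    {"id": "a1", "title": "Parcels", "access": "public",
     "url": "https://internal_portal.domain.com/iwa/home/item.html?id=a1"},
    {"id": "b2", "title": "Basemap", "access": "public",
     "url": "https://public_portal.domain.com/open/home/item.html?id=b2"},
    {"id": "c3", "title": "Staff map", "access": "org",
     "url": "https://internal_portal.domain.com/iwa/home/item.html?id=c3"},
    {"id": "d4", "title": "Lookalike", "access": "public",
     "url": "https://public_portal.domain.com/openx/home/item.html?id=d4"},
]


def under_entry(url, entry):
    """True if url sits beneath entry: same scheme, host, port and path prefix."""
    u, e = urlsplit(url), urlsplit(entry)
    if (u.scheme.lower(), u.hostname, u.port) != (e.scheme.lower(), e.hostname, e.port):
        return False
    base = e.path.rstrip("/")
    # Compare whole path segments so /openx is not mistaken for /open.
    return u.path == base or u.path.startswith(base + "/")


def audit(items, public_entry):
    """Return (id, host, title) for 'everyone' items stored under another entry point."""
    findings = []
    for item in items:
        if item.get("access") != "public":
            continue  # only items shared with everyone matter to anonymous users
        url = item.get("url") or ""
        if not under_entry(url, public_entry):
            findings.append((item["id"], urlsplit(url).hostname, item["title"]))
    return findings


if __name__ == "__main__":
    for item_id, host, title in audit(SAMPLE_ITEMS, PUBLIC_ENTRY):
        print(f"{item_id} ({title}): shared with everyone but stored under {host}")
```
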

PaulDavidson1
Occasional Contributor III

Hey Jonathan:

When you get a chance, could you reply to my question regarding this scenario in thread:

Portal Login Issues or Limitations?

I think these are basically duplicate threads and I have been told by Esri that Portal can only have one WA.

Thanks...

GISSupport3
Occasional Contributor III

What version is this supported at? Thanks.

JonathanQuinn
Esri Notable Contributor

This currently isn't possible at any released version. There's no way to have different entry points into a Portal, as the items contain pointers to only one URL. You'll need to look into using SAML as Randall and a few others mentioned in this thread. Someone did report some success when using two web adaptors, but testing internally, there were certain workflows that failed due to having multiple entry points with different security mechanisms.

GISSupport3
Occasional Contributor III

That's a shame.

Like others, we would like one Portal with multiple authentication access:

- public, no login, view data shared with everyone

- company, login, view data shared with Portal

- user (named), login, view data shared with groups

- other?

JonathanQuinn
Esri Notable Contributor

Paul, not sure if editing a post gives you a notification, but let me know if my updated post makes sense.

PaulDavidson1
Occasional Contributor III

Thanks for the detailed update above.  Makes sense!

ChristineLarsen
New Contributor III

Thank you for the feedback. By adding the portal server to trusted sites in IE, we've been able to get rid of the pop-up sign-in window for domain users without a named user license in portal. They are now able to access the content that is shared with everyone.

AdamRepsher
Occasional Contributor III

Christine Larsen - Do you have a Single Sign-On environment for users in Active Directory (don't have to log in to Portal) and anonymous access?
