Portal single sign on across domains

133
3
09-09-2019 10:04 AM
Highlighted
Occasional Contributor II

Trying to get Single Sign-On set up on a Portal site. 

Our Portal is using active directory, and it works as desired for our typical user - on a physical machine, signed in with their AD credentials.

The issue here is that we have a good chunk of users who use Virtual desktops.  Our Virtual Desktop environment sits on a different domain (domain 2) , however users still use their domain accounts from the same domain that our Portal is on (domain 1).  The 2 domains have trust relationships or similar to enable this.

Single Sign-On does not work currently for these Virtual users, even though they get to the their virtual desktop with the desired domain 1 AD account. 

I was looking at simply adding a trusted domain in the Portal settings for domain 2, but the documentation says wildcards are not supported - so adding *.domain2.myorg.com doesn't work.  I don't believe that we can get a fully-qualified name for the domain 2 VDI environment  

Restrict cross-domain requests to your portal—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterpris...

I'm thinking we can make this work since the VDI users are using their domain 1 accounts to sign in, but am not sure where to add domain 2 as a trusted domain, or if that's even the right path to go down.  

Any thoughts on how to proceed in this scenario to get SSO up and running - it's fairly critical for some applications we have in this Portal.

Thanks - 

Allen

Reply
0 Kudos
3 Replies
Highlighted
Frequent Contributor II

Security issue with portal. Your users may need to VPN into the local network then they should be able to use single sign in. Or you may need to allow firewall access to the external virtual users. 

Reply
0 Kudos
Highlighted
Esri Contributor

Hello,

You could look into adding some additional parameters to your IWA/LDAP configuration within Portal Administrator. Namely, the additional domain settings. Are these domains within the same forest? 

Update Identity Store—ArcGIS REST API: Administer your portal | ArcGIS for Developers 


Another option, which may be a better fit for your current setup, is SAML logins? I think you may have more luck (and find more detailed documentation as many organizations would be setting up SAML logins for other applications like O365) linking an identity provider like ADFS to use separate domains as opposed to using the Portal software to do so? This might have better long-term success as IDPs are built for this purpose? Just a thought.

Configure a SAML-compliant identity provider with your portal—Portal for ArcGIS (10.7 and 10.7.1) | ... 

Hope this helps!

Travis

Reply
0 Kudos
Highlighted
Occasional Contributor II

Thanks Travis - 

I'm going to check out the 1st option initially, since it seems like the path of least resistance. Will post back with results.

And yes, domains are in the same forest.  The VDI users use the 'correct' domain account to sign in, it's just the VDI environment as a whole sitting on the other domain.