ArcGIS Enteprise: secure all API surface ?!

923
7
04-22-2021 10:44 AM
NicolasGIS
Regular Contributor

Hello,

As an organisation, I would like to have the whole ArcGIS Enteprise API surface to be secured by SAML.

Currently, I disabled anonymous access to the portal website, disabled built-in account, disabled content to be shared publically, and still the sharing API is publically accessible, enabling user to post parameters while making search and other REST end points making the architecture very vulnerable. Needless to mention that disabling directory services is not solution...

Is there a way to have the ArcGIS Enterprise as secured as it would be with web-tiers authentifcation but using SAML authentification ? I want the whole context (ie: "/portal") to be secured with SAML.

How can I do so ?

Thanks,

Nicolas

0 Kudos
7 Replies
ReeseFacendini
Esri Contributor

I don't believe there is a way, currently at least, to secure the Portal Admin API via SAML.  If I were to guess, I would  say it's probably because if SAML suddenly stops working, a built-in administrator account will still be able to access the API and perform troubleshooting tasks.

0 Kudos
NicolasGIS
Regular Contributor

Thanks for your reply.

I am not even talking about the Portal Admin API but the whole sharing API: "sharing/rest/".

To me only "sharing/rest/oauth2/" should be allowed for anonymous with my configuration (portal website secured, data shared publicly disabled, built-in account disabled).

Also, I am not sure Portal Admin is the issue... Does Portal Admin works with SAML ? Isn't authentification with the PSA account ?

Thanks

0 Kudos
ReeseFacendini
Esri Contributor

To my knowledge there isn't a way to lock that down "sharing/rest/" because of it's connections to multiple parts of Enterprise.  Tech Support may be able to provide a more detailed answer.

0 Kudos
GeoffreyWest
Occasional Contributor III

Hi Nicholas, 

What you are referring to is the ArcGIS Portal Directory, check the link below, it appears as if you can restrict access to it.

 

https://enterprise.arcgis.com/en/portal/latest/administer/windows/disabling-the-arcgis-portal-direct...

0 Kudos
NicolasGIS
Regular Contributor

Hi @GeoffreyWest ,

Thanks for your reply.  You cannot restrict access with this option and that what I meant in my original post "Needless to mention that disabling directory services is not solution..."

Indeed, it only disables HTML version giving you the false impression that it is secured but you can still query it with xhr or raw HTTP GET and POST !

 

Thanks

0 Kudos
GeoffreyWest
Occasional Contributor III
Ah, I misunderstood. I believe that resource is required. Especially when
you start to you use things like oAuth2 and registering apps, the app needs
to be able to send requests to the sharing site to authenticate against
Portal. I could be wrong in my thinking, but those are my 2 cents.
0 Kudos
NicolasGIS
Regular Contributor

I agree that "sharing/rest/oauth2/" should be the only unauthenticated end point available as it is used for the SAML login "sharing/rest/oauth2/saml" but otherwise, for the rest of the "sharing" surface, I don't think it has to be publicly exposed.

Indeed, if using web tiers auth, all the surface is secured so I believe the same mechanism could apply for SAML. 

I think I gonna create an idea as it does not seem to be available out of the box surprisingly. 

0 Kudos