As an organisation, I would like to have the whole ArcGIS Enterprise API surface secured by SAML.
Currently, I disabled anonymous access to the portal website, disabled the built-in account, and disabled content from being shared publicly, and still the sharing API is publicly accessible, enabling users to post parameters while making search and other REST endpoint calls, which makes the architecture very vulnerable. Needless to mention that disabling directory services is not a solution...
Is there a way to have ArcGIS Enterprise as secured as it would be with web-tier authentication but using SAML authentication? I want the whole context (i.e. "/portal") to be secured with SAML.
How can I do so?
I don't believe there is a way, currently at least, to secure the Portal Admin API via SAML. If I were to guess, I would say it's probably because if SAML suddenly stops working, a built-in administrator account will still be able to access the API and perform troubleshooting tasks.
Thanks for your reply.
I am not even talking about the Portal Admin API but the whole sharing API: "sharing/rest/".
To me only "sharing/rest/oauth2/" should be allowed for anonymous with my configuration (portal website secured, data shared publicly disabled, built-in account disabled).
Also, I am not sure Portal Admin is the issue... Does Portal Admin work with SAML? Isn't authentication with the PSA account?
To my knowledge there isn't a way to lock down "sharing/rest/" because of its connections to multiple parts of Enterprise. Tech Support may be able to provide a more detailed answer.
What you are referring to is the ArcGIS Portal Directory; check the link below, it appears as if you can restrict access to it.
Hi @GeoffreyWest ,
Thanks for your reply. You cannot restrict access with this option, and that is what I meant in my original post: "Needless to mention that disabling directory services is not a solution..."
Indeed, it only disables the HTML version, giving you the false impression that it is secured, but you can still query it with XHR or raw HTTP GET and POST!
I agree that "sharing/rest/oauth2/" should be the only unauthenticated endpoint available, as it is used for the SAML login "sharing/rest/oauth2/saml", but otherwise, for the rest of the "sharing" surface, I don't think it has to be publicly exposed.
Indeed, if using web-tier auth, all the surface is secured, so I believe the same mechanism could apply for SAML.
I think I'm going to create an idea, as surprisingly it does not seem to be available out of the box.
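A way to verify the exposure described in this thread on your own portal, as an added example that is not part of any post or of Esri's software: it requests a handful of "sharing/rest" paths anonymously with f=json (so the HTML-only directory switch does not hide the answer) and classifies each as expected (the oauth2 login path), blocked, or exposed. The probe paths, the placeholder hostname, and the treatment of ArcGIS error code 499 ("Token Required") as a blocked result are assumptions.

```python
"""Audit which ArcGIS Enterprise 'sharing/rest' paths answer anonymously.

Added example for this thread (not Esri code). Paths and error codes are
assumptions; the portal URL below is a placeholder.
"""
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Paths under /sharing/rest that a SAML-only portal should not serve to
# anonymous callers; the oauth2 login flow is the expected exception.
PROBE_PATHS = ["portals/self", "search?q=owner:*", "community/users",
               "content/items", "oauth2/authorize"]
EXPECTED_ANONYMOUS_PREFIX = "oauth2/"


def classify(path, status, body):
    """Return 'expected', 'blocked' or 'exposed' for one anonymous reply.

    ArcGIS REST often reports errors as HTTP 200 with an 'error' object in
    the JSON body, so the body is inspected, not only the status code.
    """
    if path.startswith(EXPECTED_ANONYMOUS_PREFIX):
        return "expected"
    if status in (401, 403):
        return "blocked"
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "exposed"  # HTML or other non-JSON content was served
    if isinstance(data, dict) and isinstance(data.get("error"), dict):
        # 499 = "Token Required" (assumed), 401/403 = denied
        return "blocked" if data["error"].get("code") in (401, 403, 499) else "exposed"
    return "exposed"


def audit(responses):
    """responses: {path: (status, body)} -> {path: classification}."""
    return {p: classify(p, s, b) for p, (s, b) in responses.items()}


def probe(base_url, paths=PROBE_PATHS, timeout=10):
    """Fetch each path anonymously with f=json; collect (status, body)."""
    out = {}
    for p in paths:
        url = f"{base_url.rstrip('/')}/sharing/rest/{p}{'&' if '?' in p else '?'}f=json"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as r:
                out[p] = (r.status, r.read().decode("utf-8", "replace"))
        except HTTPError as e:
            out[p] = (e.code, e.read().decode("utf-8", "replace"))
        except URLError:
            out[p] = (0, "")  # unreachable: treated as blocked by classify
    return out


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "https://portal.example.com/portal"
    for path, verdict in audit(probe(base)).items():
        print(f"{verdict:9s} {path}")
```

Run it as `python audit.py https://your-portal/portal` from a machine with no session cookie; any "exposed" line is a path still answering without SAML authentication.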