We have installed AGS Server with SecMgr NEXT un-federated.
We now have a complete prototype (AGS + SecMgr NEXT SOI + UserInfoService + LDAP emulator) up and running.
By chance (leaving AGS map services open in a Chrome browser for hours, with the user logged on via HTTP Basic and no activity), we observed the following behavior in our logs:
- Start a Chrome tab with a secured map service (no AGS-token).
- HTTP Basic authentication is triggered.
- This involves two LDAP requests:
  - Is user a valid user?
  - Get user’s entitlement roles.
- Subsequently, the user gets to see the main map service page.
- The user then activates the “ArcGIS Online Map Viewer”.
- This triggers a second HTTP Basic authentication.
- Finally, the user is presented with the map view and he/she can now freely manipulate the map with no additional authentication requests.
- The user completes his map view tasks but leaves the map viewer open!
- After ~60 minutes, AGS server re-authenticates automatically via LDAP! However, AGS does not re-request the user’s roles! (The user’s roles could have changed at any time within the previous 60 minutes.)
- After another ~60 minutes the very same pattern is repeated.
This behavior raises two issues:
- A user can basically stay logged on forever (or until AGS gets restarted).
- Changes to the user’s entitlements will never be detected as long as he/she remains logged on.
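
The pattern reported above (periodic LDAP re-authentication with no fresh role lookup) can be spotted mechanically in the directory logs. The following is an added example, not part of the original post or of any product mentioned in it; the log format and the event names `BIND` and `ROLE_LOOKUP` are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample in an assumed "timestamp event user" format; a real
# LDAP emulator or directory log needs its own parser.
SAMPLE_LOG = """\
2024-01-10T09:00:02 BIND alice
2024-01-10T09:00:02 ROLE_LOOKUP alice
2024-01-10T09:00:40 BIND alice
2024-01-10T09:05:00 BIND bob
2024-01-10T09:05:00 ROLE_LOOKUP bob
2024-01-10T10:00:41 BIND alice
2024-01-10T11:00:43 BIND alice
"""

def parse(log_text):
    """Yield (timestamp, event, user) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def stale_role_sessions(log_text, max_age_minutes=60):
    """Return {user: age} for users whose most recent BIND happened more than
    max_age_minutes after their last ROLE_LOOKUP. age is None when a user was
    authenticated without any role lookup at all."""
    max_age = timedelta(minutes=max_age_minutes)
    last_roles = {}   # user -> time of the last role lookup
    findings = {}     # user -> age of the roles at the latest stale BIND
    # Stable sort on the timestamp only, so same-second events keep log order.
    for ts, event, user in sorted(parse(log_text), key=lambda rec: rec[0]):
        if event == "ROLE_LOOKUP":
            last_roles[user] = ts
            findings.pop(user, None)   # roles refreshed, finding cleared
        elif event == "BIND":
            seen = last_roles.get(user)
            age = None if seen is None else ts - seen
            if age is None or age > max_age:
                findings[user] = age
    return findings

if __name__ == "__main__":
    for user, age in stale_role_sessions(SAMPLE_LOG).items():
        print(f"{user}: re-authenticated with roles last fetched {age} earlier")
```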