SAML or IWA...

3439
4
01-30-2017 04:41 PM
travisslack1
New Contributor III

Hello,

I was having issues with my federated portal/server set up and the ESRI tech informed me the username that manages the service has to be apart of the domain the other users are apart of. In my case the ArcGIS user was installed as a local user. From what I gather I need to create a service account that does not expire. The issue I seem to have is that our domain server is a Windows 2003 box.... and service accounts were introduced in 2008 but I see its possible in 2003? Has anyone done this? The server this is on obviously has active directory and a lot of other important things on it for the company so I am some what apprehensive about this but can be persuaded with success stories. I pretty much have everything set up at this point so this is obviously the route i'd prefer going.

With a SAML set up, everyone on the domain would basically be able to log in to ArcGIS online with their domain login eg <domain>\<user> (everyone in the office correct ~30 people)?? Do I understand this correctly? If I have to go this route and I download a Web AppBuilder app created with ArcGIS Online to host on my server locally, I assume that if I've shared the app/webmap with my "Organization" it will still prompt for credentials when they try to access the downloaded web app i host on my server?  

Tags (2)
0 Kudos
4 Replies
AdamZiegler1
Esri Contributor

Hi Travis - I'm not completely sure the ArcGIS server account needs to be part of AD, but I have set up environments like this in the past with success. This method is preferred if you start scaling horizontally, i.e. adding machines to the site. As for logon issues, since you are federated the identity manager is Portal. Are you able to log in to portal? The same credentials that get you into Portal will also get you into ArcGIS Server. You need to make sure that the identity you are using is an Admin or Publisher. If I missed what you were asking on this topic, redirect me.

As for the SAML question....if you go this route the domain credentials would be used to access content only shared within the organization, so yes (if they are not already signed into Portal) they would be prompted for authentication. In my organization, I'm prompted to use my domain account or an ArcGIS account; by selecting domain I am authenticated automatically.

-Adam Z

0 Kudos
travisslack1
New Contributor III

Thanks again.  Esri Tech told me it does not need to be a service account so I used an existing account on the domain. But because my portal/server is on a different domain than are active directory my support ticket has been escalated.

Thanks

JonathanQuinn
Esri Notable Contributor

I wouldn't think it would be a problem for Portal and Server to be on separate domains yet use IWA for Portal.  The reason is because Server doesn't need any access to the Portal AD.  All of the authentication occurs on the Portal end and then, I believe, simply sends the authorization information that's already validated to the Server.  If the user can be validated in the Portal, then they should be able to reach the service.  I'm not sure your setup is very common though and there could be some unknowns or "gotchas" involved.

0 Kudos
travisslack1
New Contributor III

ESRI email support got it all sorted for me. The solution was to put https://web.domain.com/ (which I have forwarding to web.domain.com/arcgis/home and also runs on a different server example.domain.local whereas AD runs on domain.local) to the local intranet sites in internet options for each user and it passes the credentials on. All it took was a email to the office to explain what to do. All good on the IWA on a different domain now. And yeah I don't doubt its very common. When our IT guy gets some time AD has to be ported from a 2003 windows server to the 2012 one everything is currently on. Thanks for the help folks. 

0 Kudos