We are looking for ways to share some of our hosted feature layers with another non-Esri GIS system. We know they can ingest WMS/WFS OGC services and that we can secure these services and authenticate using tokens.
But we would like to look into a more secure option for these services; is there anyway other than enabling LDAP and PKI (https://enterprise.arcgis.com/en/portal/10.7/administer/linux/use-ldap-and-pki-to-secure-access-to-y...) to secure services with certs or keys?
Would it be possible to keep using built-in Portal accounts as the primary form of authentication and enable LDAP/PKI for a few use cases? Has anyone else tried anything like this before?
We are running ArcGIS Enterprise 10.7.1 on Linux.
The way that I've always treated this discussion with my clients is that IWA (Windows) or PKI/LDAP (Linux) is an authentication step before you get to the Enterprise Portal, i.e. the Web Adaptor determines if you can pass through to the Portal Component.
Simply, if you're registered not in the AD/LDAP, you're not getting to the Enterprise Portal.
This means this approach excludes the use of Portal Tokens and SAML2. For those options to work, you have to be able to pass through the Web Adaptor anonymously.
Therefore, I do not believe you can do both authentication options from the same portal.
On the OGC/Security front, if you have a non-federated ArcGIS Server, then you can get creative with the authentication in front of it. IP to IP restrictions, HTTP Basic etc - however, this is going to be global security to the server, and is not web-service specific. That can be limiting. The wider issue that I've observed is that there is no true security/authentication standard for OGC clients, and with so many options out there, I'd argue that some of those developers need to incorporate esri tokens security as an option/addin/extension to their products.
It's an interesting/grey area that has tripped several of my clients up.