Streamlining authentication between ArcGIS Online and Portal to support embedded content

3 weeks ago
Status: Open
LoganShank
Occasional Contributor

Our team recently encountered a significant limitation in ArcGIS Experience Builder and Operations Dashboards that affects organizations using hybrid AGOL + Portal architectures. After working extensively with Esri Support (Case #04081687), we’ve confirmed that the current embed widget does not support passing credentials from ArcGIS Online (AGOL) into Portal to retrieve embedded content. This gap creates challenges for organizations that need to securely display internal content in AGOL-hosted apps.

The Problem 

We collect hundreds of thousands of photos every year using Survey123. To manage this quantity of photos, we ingest, rename and store them in our Azure file system in folders by site. Rather than have users manually open each photo, we generate HTML pages of each folder's contents. These HTML pages display thumbnails of all photos within their respective directory, photo names, photo comments and links to open the source photo. This photo directory, including the HTML pages, is web enabled using Esri Attachment Manager SOE for and the HTML pages can be embedded into various applications to improve photo access. When embedding HTML pages hosted on an internal Portal for ArcGIS, AGOL apps fail to display the content because credentials are not passed through. While other data layers from Portal authenticate correctly, the embedded HTML pages trigger repeated authentication loops and ultimately fail to load.

What We Tried 

  • Adjusting X-FRAME-OPTIONS headers via IIS on the Portal Web Adaptor allowed partial progress but introduced global risks and conflicts. 
  • Alternative approaches using Content-Security-Policy frame-ancestors also fell short. 
  • The root issue: No configurable option exists in Experience Builder or Dashboards to enable credential passthrough between AGOL and Portal. 

Proposed Solution 

Esri should provide: 

  • A configurable setting in the embed widget to allow trusted credential passthrough.
  • A global option in Experience Builder/Operations Dashboards to manage headers like X-FRAME-OPTIONS or similar security directives.

Why This Matters 

This limitation forces organizations to: 

  • Duplicate applications across environments. 
  • Use insecure workarounds that compromise governance. 
  • Spend additional resources maintaining parallel systems. 

Use Case 

Our organization recently migrated from in-house servers with IIS capabilities to an ArcGIS Enterprise Portal architecture hosted in a Microsoft Azure environment, and we’ve begun leveraging the Esri Attachment Manager SOE for managing embedded HTML content. Historically, this workflow was seamless: 

  • We maintained a suite of applications built in our Organizational ArcGIS Online (AGOL) site accessible to internal staff and shared to external partners via GeoPlatform ArcGIS Online Organization. 
  • Internal users could view embedded HTML content within Operations Dashboards and Experience Builder (ExB) because their authentication tokens passed through successfully. 
  • External contractors, who lacked credentials, would simply see a warning message, which is an acceptable outcome for our use case.

This approach allowed us to maintain a central repository of applications for all users rather than building multiple, user-specific apps across different environments. 

Since moving to the Microsoft Azure-hosted Portal environment, we’ve encountered a limitation: 

  • Dashboards and ExB apps built in AGOL can still authenticate users to pull data from internal REST services. 
  • However, they cannot pass that same authentication to retrieve content from the Attachment Manager SOE. 
  • As a result, embedded HTML pages/widgets fail to load for internal users, breaking workflows that previously worked flawlessly. 

To replicate our previous functionality, we now have to: 

  • Build separate apps within the Portal environment for internal users. 
  • Maintain duplicate workflows or split processes across multiple interfaces. 

This adds unnecessary complexity, increases maintenance overhead, and undermines the efficiency of our centralized application strategy. 

Our field staff and partners rely on these tools for mission-critical operations. The inability to pass credentials for embedded content forces a fragmented architecture. A solution that enables credential passthrough for embedded content would restore the simplicity and reliability we had before migration. 

1 Comment
DougBrowning

Big upvote for this one. We are consistently seeing issues in ExB when we mix content from AGOL and/or multiple portals. We work nationwide so we have up to 12 state portals that we use data from or them from us. We also coordinate with multiple agencies - again all with their own portals. Did not have issues in WAB so it must be possible.

GIS is all about bringing information of all types together into one place in order to see patterns, correlations, and more.  So it is critical for products to be able to handle multiple credentials and keep them all straight.  In addition there has been a big push for more one stop shops for users.  They get lost having to go to a dozen different websites to get the info they need.  Instead we need to collect up all the info they need and present them together to get the full picture.

Thank you