Allow ArcGIS Server Federation with ArcGIS Online

PF1

Please consider allowing ArcGIS for Server federation with ArcGIS Online. We have many on-premise ArcGIS Server deployments using either 'token' based authentication or 'web-tier' (Microsoft Integrated Windows Authentication). For publicly hosted 'secured' content we are striving to shift towards the use of enterprise logins with SAML to tie in our corporate identity stores and solve Two Factor Authentication (TFA). Currently, the only way to integrate with SAML on an ArcGIS Server is to federate it with a "Portal for ArcGIS" product (on-premise ArcGIS Online). While technically that is feasible, we are struggling managing two public portals: one for cloud hosted content (ArcGIS Online) and one for on-premise hosted content (ArcGIS Server). We would like to expose our on-premise content to our ArcGIS Online portal (via server federation) so that we can use only 1 portal and meet requirements to integrate with SAML. The user experience switching between portals (from ArcGIS Desktop and Collector for ArcGIS) are not intuitive to end users. Thanks!

BillFox · ‎10-28-2016

Good idea,

As of now I think you can do a hybrid with a public facing ArcGIS Server in the DMZ.

secure the publishing folder with built-in user name/password
share the secure service of your on premise enterprise geodatabase feature class to AGOL and use option to save user name/password with the service
SAML AGOL to your AD
add AD users to AGOL, groups, etc.
but editor tracking from AGOL will probably post the built-in user instead of the SAML one
on premise portal would post the correct AD user

-Bill

MikeDahm · ‎05-10-2018

Are there any updates on this? We have several municipal clients that use ArcGIS Server and ArcGIS Online and saving the credentials to Online makes all edits show as the saved credentials. They are smaller municipalities that rely on us for their GIS needs. Adding Portal to their deployments just isn't feasible right now. Having users login multiple times (once to AGOL and once to the layers) would be a real pain for field crews and less technical personnel. It also becomes a problem with users needing to remember 2 different accounts and passwords. Being able to properly utilize editor tracking from their SQL database and ArcGIS Server through ArcGIS Online would be a huge help.

SzymonPiskula1 · ‎05-17-2018

What if you registered some of Server services in AGOL storing the credentials? They would then only have to log in to AGOL. Credentials would be stored in the item once registered:

ArcGIS Server web services—ArcGIS Online Help | ArcGIS

MikeDahm · ‎05-17-2018

That is the process we currently use but the editor tracking then uses whatever saved credentials for that services for all creation and last edited by. You can't tell who was logged into ArcGIS Online to do the edits. So if you have 5 users that are setup through ArcGIS Online to access a feature layer that has stored credentials all of their edits will show the stored credentials as the editor or creator of features.

Anonymous User · ‎06-14-2019

OK silly question here. I'm trying to set up Portal and slowly get in to Pro.

It appears if I enable licenses for Pro for our Portal, that if I for example take my laptop out of the building to another network, it won't work. Now, I could go into the manager and re-license to AGOL. But that's hassle and also some users don't have ability to do that themselves. Is the idea of this thread to allow for one credential, which would work for both simultaneously? That would be good. Until then I think a lot of large entities will hit this roadblock and simply wait on Pro for this to be implemented. This is one of those things where at first I was just hoping I wasn't understanding it right but I think it is designed this way currently. This mirrors the issue of publishing directly to Server from Pro in that it's an important design concept and issue.