
Allow storage of web-tier credentials to access secure portal web services

05-26-2023 07:13 AM
Status: Open
LanceCole
MVP Regular Contributor

We have always utilized a hybrid ArcGIS deployment - with our own ArcGIS servers and portal for internal use using secured services and referencing the services we would like to make public on AGOL. Up until deploying ArcGIS Enterprise 11.1 we had always utilized portal-tier authentication, which allowed us to store credentials on services shared on AGOL as a token. Storing the token allows public users to view selected secure services on our internal ArcGIS Enterprise deployment without having to enter any credentials. Access to these services is typically limited via AGOL to only be accessible through specific published applications or URLs.

With the deployment of ArcGIS Enterprise 11.1 we elected to federate our ArcGIS servers and integrate user credentials with IWA and later SAML. This allows internal users to experience single sign-on (SSO) when on the internal domains. However, AGOL does not have the ability to store a user's credential when utilizing web-tier authentication. AGOL can only store token-based credentials when using portal-tier authentication. Therefore, we cannot allow limited public access on AGOL to a selection of our internal secure services.

Please develop a means to access secure portal services via a specified stored username/password from AGOL that could be authenticated using web-tier authentication.  This would be appreciated on the service level and the app level.

 

4 Comments
BillFox

Is your portal configured to allow both single sign on with saml and built-in users?

LanceCole

Yes, IWA or SAML and built-in users work fine when configured for portal-tier authentication. However, SSO does not work in this configuration and authenticated users are prompted to log in to access secure services. This is by design and documented in the links above. When using portal-tier authentication, one can access secure services using stored credentials on AGOL and make them public using a built-in account.

If the enterprise deployment is changed to web-tier authentication, the SSO works great but you can no longer store credentials on AGOL to access the secure services from the portal. You are not even offered the option to toggle this function. It is my understanding that AGOL can only work with token-based authentication and does not support web-based authentication, which is required.

There is a question posted at "Allow AGOL access to a secured enterprise portal" if you have some additional info you are willing to share.

Jen_Zumbado-Hannibal

@LanceCole can you try a distributed collaboration? I house aerials on AGOL and then through distributed collaboration I share them with our Enterprise Portal with a built-in user account.

LanceCole

@Jen_Zumbado-Hannibal

We are trying to do the opposite and access our portal data via AGOL. One of the main reasons is our imagery is in the terabyte range and would be prohibitive to host on AGOL. The second is we need near real-time data updates for our spatial data. We did attempt to utilize a distributed collaboration by reference but still ran into the issue of not being able to store user credentials while utilizing web-tier authentication.

We did find a resolution by utilizing SAML authentication on our portal while still being able to access the data via a built-in user account.