It’s my understanding that web maps and apps created with ArcGIS Enterprise have the capability to allow ‘pass-through’ authentication when these items are viewed in a web browser within our local Windows-based intranet domain. And by pass-through I mean that the user’s Windows Active Directory credentials are automatically passed to the browser (and ArcGIS Enterprise) without the need to re-enter a username and password. The same functionality is inherited and available (so I’ve been told) to custom web app builder (WAB) applications that are being served within our intranet also.
My questions: Are the above statements correct, and if they are can ArcGIS Online (AGOL) also be configured with Windows authentication and the same pass-through authentication? If this is possible what ESRI products do I need within our Windows environment- do I need ArcGIS Enterprise at all to achieve this pass-thorough functionality with AGOL?
Solved! Go to Solution.
Hi Dion,
> It’s my understanding that web maps and apps created with ArcGIS Enterprise have the capability to allow ‘pass-through’ authentication when these items are viewed in a web browser within our local Windows-based intranet domain
Yes, ArcGIS Enterprise supports enterprise logins, see this help topic:
About configuring portal authentication—Portal for ArcGIS (10.6) | ArcGIS Enterprise
> ... can ArcGIS Online (AGOL) also be configured with Windows authentication and the same pass-through authentication?
ArcGIS Online also supports enterprise logins, see this help topic:
Set up enterprise logins—ArcGIS Online Help | ArcGIS
Hope this helps,
Hi Dion,
> It’s my understanding that web maps and apps created with ArcGIS Enterprise have the capability to allow ‘pass-through’ authentication when these items are viewed in a web browser within our local Windows-based intranet domain
Yes, ArcGIS Enterprise supports enterprise logins, see this help topic:
About configuring portal authentication—Portal for ArcGIS (10.6) | ArcGIS Enterprise
> ... can ArcGIS Online (AGOL) also be configured with Windows authentication and the same pass-through authentication?
ArcGIS Online also supports enterprise logins, see this help topic:
Set up enterprise logins—ArcGIS Online Help | ArcGIS
Hope this helps,
Thanks very much for this info Derek - it will be really helpful. Also, I'm trying to find out if it's possible to configure seamless (no username and password) authentication to Portal or AGOL for those users already authentication to our AD domain. Something like Azure Active Directory Seamless Single Sign-On?
Edit: I'm zeroing in on (at least the terminology for) what I'm after now. I see that Integrated Windows Authentication (IWA) can be configured for ArcGIS Enterprise Portal. So with IWA and Portal an authenticated AD user doesn't need to enter username or password. I've not been able to find any mention of IWA and ArcGIS Online - am I out of luck?
Hi Dion,
> I've not been able to find any mention of IWA and ArcGIS Online - am I out of luck?
Correct. ArcGIS Online only supports what's listed here,
Sign in—ArcGIS Online Help | ArcGIS
Hope this helps,
Very helpful thread! Although, I am still a bit confused about the existence of single sign-on (SSO) for ArcGIS Online organizations using enterprise logins from Windows AD.
The last two replies (Dion and Derek) are sounding like a SSO experience is not available for AGOL, but when I read this:
IDP-initiated logins
With IDP-initiated logins, members directly access their enterprise's login manager and sign in with their account. When the member submits their account information, the IDP sends the SAML response directly to ArcGIS Online. The member is then signed in and redirected to their organization website where they can immediately access resources without having to sign in to the organization again.
from here Set up enterprise logins—ArcGIS Online Help | ArcGIS
it sounds like it is available.
I'd love to get some clarification on this from Derek or anyone. Thanks.
Hi Lee,
Sorry for the late reply, I did not see the thread update notice until today.
I can confirm that SSO is available with ArcGIS Online organizations when you configure enterprise logins with your organization. However, the end user would still need to click the "Sign in" link when they initially load the ArcGIS.com web page. They won't need to provide credentials, but they will need to click the link and select the IDP provider.
Hope this helps,
Ok, thanks Derek for that clarification. I thought that that was the case when a while back I read something about using Azure AD to configure enterprise logins with ArcGIS Online organizations. So I think I am getting a better idea of what is involved in order to attain SSO...the many AGOL users here at the City would appreciate it.
Hi Derek,
They won't need to provide credentials, but they will need to click the link and select the IDP provider.
If we choose to disable the built-in account option leaving only one IDP provider, does this remove the second click from your description above?
Thanks!
Hi @HeatherM_JDI,
> If we choose to disable the built-in account option leaving only one IDP provider, does this remove the second click from your description above?
I honestly don't know as I have not tested this configuration. Sorry.
@KellyGerrow do you know if this is possible?