Pass-through authentication ArcGIS Online?

2278
9
Jump to solution
03-02-2019 02:44 PM
DionLiddell
New Contributor III

It’s my understanding that web maps and apps created with ArcGIS Enterprise have the capability to allow ‘pass-through’ authentication when these items are viewed in a web browser within our local Windows-based intranet domain. And by pass-through I mean that the user’s Windows Active Directory credentials are automatically passed to the browser (and ArcGIS Enterprise) without the need to re-enter a username and password. The same functionality is inherited and available (so I’ve been told) to custom web app builder (WAB) applications that are being served within our intranet also. 

My questions: Are the above statements correct, and if they are can ArcGIS Online (AGOL) also be configured with Windows authentication and the same pass-through authentication?  If this is possible what ESRI products do I need within our Windows environment- do I need ArcGIS Enterprise at all to achieve this pass-thorough functionality with AGOL?

1 Solution

Accepted Solutions
DerekLaw
Esri Community Moderator

Hi Dion,

> It’s my understanding that web maps and apps created with ArcGIS Enterprise have the capability to allow ‘pass-through’ authentication when these items are viewed in a web browser within our local Windows-based intranet domain

Yes, ArcGIS Enterprise supports enterprise logins, see this help topic:

About configuring portal authentication—Portal for ArcGIS (10.6) | ArcGIS Enterprise 

> ... can ArcGIS Online (AGOL) also be configured with Windows authentication and the same pass-through authentication?

ArcGIS Online also supports enterprise logins, see this help topic:

Set up enterprise logins—ArcGIS Online Help | ArcGIS 

Hope this helps,

View solution in original post

9 Replies
DerekLaw
Esri Community Moderator

Hi Dion,

> It’s my understanding that web maps and apps created with ArcGIS Enterprise have the capability to allow ‘pass-through’ authentication when these items are viewed in a web browser within our local Windows-based intranet domain

Yes, ArcGIS Enterprise supports enterprise logins, see this help topic:

About configuring portal authentication—Portal for ArcGIS (10.6) | ArcGIS Enterprise 

> ... can ArcGIS Online (AGOL) also be configured with Windows authentication and the same pass-through authentication?

ArcGIS Online also supports enterprise logins, see this help topic:

Set up enterprise logins—ArcGIS Online Help | ArcGIS 

Hope this helps,

DionLiddell
New Contributor III

Thanks very much for this info Derek - it will be really helpful.  Also, I'm trying to find out if it's possible to configure seamless (no username and password) authentication to Portal or AGOL for those users already authentication to our AD domain.  Something like Azure Active Directory Seamless Single Sign-On?

Edit:  I'm zeroing in on (at least the terminology for) what I'm after now.  I see that Integrated Windows Authentication (IWA) can be configured for ArcGIS Enterprise Portal.  So with IWA and Portal an authenticated AD user doesn't need to enter username or password.  I've not been able to find any mention of IWA and ArcGIS Online - am I out of luck?

DerekLaw
Esri Community Moderator

Hi Dion,

> I've not been able to find any mention of IWA and ArcGIS Online - am I out of luck?

Correct. ArcGIS Online only supports what's listed here,

Sign in—ArcGIS Online Help | ArcGIS 

Hope this helps,

LeeBrannon1
New Contributor III

Very helpful thread!  Although, I am still a bit confused about the existence of single sign-on (SSO) for ArcGIS Online organizations using enterprise logins from Windows AD.

The last two replies (Dion and Derek) are sounding like a SSO experience is not available for AGOL, but when I read this:

 IDP-initiated logins
With IDP-initiated logins, members directly access their enterprise's login manager and sign in with their account. When the member submits their account information, the IDP sends the SAML response directly to ArcGIS Online. The member is then signed in and redirected to their organization website where they can immediately access resources without having to sign in to the organization again.

from here Set up enterprise logins—ArcGIS Online Help | ArcGIS 

it sounds like it is available.

I'd love to get some clarification on this from Derek or anyone.  Thanks.

DerekLaw
Esri Community Moderator

Hi Lee,

Sorry for the late reply, I did not see the thread update notice until today.

I can confirm that SSO is available with ArcGIS Online organizations when you configure enterprise logins with your organization. However, the end user would still need to click the "Sign in" link when they initially load the ArcGIS.com web page. They won't need to provide credentials, but they will need to click the link and select the IDP provider.

Hope this helps,

LeeBrannon1
New Contributor III

Ok, thanks Derek for that clarification.  I thought that that was the case when a while back I read something about using Azure AD to configure enterprise logins with ArcGIS Online organizations.  So I think I am getting a better idea of what is involved in order to attain SSO...the many AGOL users here at the City would appreciate it.

HeatherM_JDI
New Contributor III

Hi Derek,


They won't need to provide credentials, but they will need to click the link and select the IDP provider.

If we choose to disable the built-in account option leaving only one IDP provider, does this remove the second click from your description above?

Thanks!

Tags (1)
0 Kudos
DerekLaw
Esri Community Moderator

Hi @HeatherM_JDI

If we choose to disable the built-in account option leaving only one IDP provider, does this remove the second click from your description above? 

I honestly don't know as I have not tested this configuration. Sorry.

0 Kudos
HeatherM_JDI
New Contributor III

@KellyGerrow do you know if this is possible?

0 Kudos