Issues with Credentials and Collaborations

01-21-2021 07:16 AM
Vidar
by
Occasional Contributor

Hi

Here is the scenario (I have written it as a basic story just to make it easier to envisage the problem):

We have some content stored in our company AGOL account (let's call this company Blue Company Ltd), in a group with permissions given to it with the following credentials:

  • FooUser 
  • FooSecretPassword

Another company (called Red Company Ltd) - would really like to see this data in Blue Company's AGOL via their Enterprise Portal by using a collaboration. Both companies agree the collaboration and everything is sweet.

Blue Company also says, use this add-in to add our data in from our AGOL, it's got lots of nice tools to allow you to search for data and other exciting things.

A user in Red Company, called Billy, opens Pro and signs into Red Company enterprise portal, he also uses the add-in provided by Blue Company - he can see the data that is shared by Blue Company in the add-in and he tries to add it to the map.

😡Now Billy is mad, because when he tries to add the data, it prompts him for credentials for AGOL that only Blue Company knows about and they forgot to tell him and they didn't realise that they missed out that whole bit of functionality anyway! How embarrassing!

Billy complains to Blue Company about this and the developers frantically try to find a solution to Billy's problem.

....so there are 2 main questions:

1. In the Pro SDK can you code in the credentials before you try to add data into the map (from a group in AGOL which is shared in a collaboration)? This would be nice, in order to save the user having to remember the credentials every time they want to add data/use the add-in, especially if it's been a while between sessions (I appreciate there is some long lived token here or something).

2. The credentials that you are prompted for are stored in Pro somewhere, in a token or cookie or something, and I have no idea how to reset that.  I would like to test my code as if the user has used the add-in for the first time and is trying to add data also for the first time.  How can I do this?

 

Code example 

The following is where I envisage any credential info going (perhaps?) when I try to add data from portal:

public static async Task<FeatureLayer> AddLayer(string layerId)
{
    FeatureLayer featureLayer = null;
    // Build an item reference from the portal item ID.
    Item testLayer = ItemFactory.Instance.Create(layerId, ItemFactory.ItemType.PortalItem);

    // Layer creation has to run on Pro's main CIM thread.
    await QueuedTask.Run(() =>
    {
        if (LayerFactory.Instance.CanCreateLayerFrom(testLayer))
        {
            featureLayer = LayerFactory.Instance.CreateLayer(testLayer, MapView.Active.Map, 0) as FeatureLayer;
        }
        else
        {
            log.Error($"Failed to add layer {layerId}");
        }
    });

    // Null when the layer could not be created.
    return featureLayer;
}
12 Replies
RichRuh
Esri Regular Contributor

The Pro SDK includes a class called ArcGISPortalManager. It's a singleton, and you can use it to get the list of portals, and the active portal. From ArcGISPortal you can find out if you are signed in, sign in, sign out, etc.

 

0 Kudos
Vidar
by
Occasional Contributor

The subtle thing here is: Red Company is already logged in to Red Company's Enterprise Portal - they want to stay logged in here, they don't want to explicitly log into Blue Company's AGOL Portal (they need to see all Red Company's assets and see the collaboration assets via Blue Company) - but Pro forces the user to key in the credentials for that Online Portal if they want to actually add the data into the map (a little dialog window appears asking for credentials). This is not a good UX. 

I need this to be a slick single sign on process - i.e. so the user doesn't have to remember credentials for Blue Company but can stay logged into their active Enterprise Portal at all times i.e. no switching of active portals.

0 Kudos
RichRuh
Esri Regular Contributor

Are you asking for a way to hardcode credentials into an application?

0 Kudos
Vidar
by
Occasional Contributor

Only when the user is trying to add data from a collaboration - as Pro will prompt the user for credentials - which is what we don't want.

0 Kudos
Vidar
by
Occasional Contributor

ahhh, I think I know what you're getting at now.

I have remembered that you can be logged into your Enterprise Portal AND it be your active Portal. Also you can be signed into another Portal (not active portal though) and this will be the ArcGIS Online Portal (www.arcgis.com). I think if I can, in code, detect the user is logged in as Enterprise and maintain it as the active portal, has a collaboration and then can sign into ArcGIS Online (hard-coded, not great but it's the best I can do at the moment) then that should work. This will allow the user to work in a way where they don't need to manually login to AGOL.

0 Kudos
RichRuh
Esri Regular Contributor

Yes, you can be logged into multiple enterprise portals as well.

Hard-coding credentials into an add-in is never a good idea from a security perspective. Anyone with a copy of the add-in can use it to access that portal, or even decompile the .NET code and just read the credentials from that. An employee from Red Company can email the add-in or put it on a thumb drive, walk out of the building, and take it to a competitor of Blue Company.

If you really don't want Red Company's employees having accounts on Blue Company's portal, you should get the IT groups from Red and Blue Company to figure out how to federate security between them.  Unfortunately, how to do that is well outside my area of expertise.
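
Added example, not part of the original thread and not Esri's or the poster's code: a sketch of how an add-in can use ArcGISPortalManager to keep the Enterprise portal active while asking Pro to sign the user in to ArcGIS Online interactively, so that no shared username or password ships inside the add-in. The class and method names `CollaborationSignIn` and `EnsureSignedInAsync` are hypothetical, and the portal URL assumes the collaboration content is hosted on www.arcgis.com.

```csharp
using System;
using System.Threading.Tasks;
using ArcGIS.Desktop.Core;
using ArcGIS.Desktop.Framework.Threading.Tasks;

public static class CollaborationSignIn
{
    // Assumption: the shared content lives on ArcGIS Online.
    private static readonly Uri AgolUri =
        new Uri("https://www.arcgis.com/", UriKind.Absolute);

    // Hypothetical helper. Returns true once the user holds a session on the
    // secondary portal. The active portal is never changed here.
    public static Task<bool> EnsureSignedInAsync()
    {
        return QueuedTask.Run(() =>
        {
            // Look the portal up in Pro's portal list; register it if absent.
            ArcGISPortal agol = ArcGISPortalManager.Current.GetPortal(AgolUri)
                                ?? ArcGISPortalManager.Current.AddPortal(AgolUri);

            if (!agol.IsSignedOn())
            {
                // Pro shows its own sign-in dialog. The user enters an account
                // issued to them, which Blue Company can revoke individually;
                // the add-in itself never sees or stores a password.
                agol.SignIn();
            }

            // Re-check instead of trusting the call: the user may have cancelled.
            return agol.IsSignedOn();
        });
    }
}
```

Calling `EnsureSignedInAsync()` before `AddLayer` lets the add-in skip layer creation and show its own message when the user cancels the sign-in.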

Vidar
by
Occasional Contributor

Yeah, I'm not going to hard code - I'll put it in a setting that's user configurable - the credentials can always be changed or revoked on our side.

0 Kudos
Vidar
by
Occasional Contributor

Out of interest (and necessity) is there a way to sign in to a Portal with specific user credentials i.e. a username and password via the SDK?

0 Kudos
RichRuh
Esri Regular Contributor

It doesn't look like we do.

0 Kudos