All-In-One Solution Options For Identity Management by Doug Carroll

08-28-2015 06:42 PM
DougCarroll, Esri Contributor

Recently we delivered a developer webinar on the foundational topic of Identity Management. The ArcGIS platform offers a range of Identity Management options, which is a key differentiator and benefit of developing your apps with Esri.

Background

There are two major forms of OAuth in ArcGIS: user logins, where the end user authenticates and authorizes your app, and app logins, where the app authenticates with its own credentials. How you deliver each varies depending on whether you're working with a server client, a browser client, or a mobile client, and on which of the seven ArcGIS developer products you are using. Each ArcGIS developer product includes native support for OAuth and for the other Identity Management patterns discussed in this blog.

The goal of this webinar was to:

  • Elaborate on the Identity Management options for ArcGIS
  • Highlight the business strategies supporting identity management (see next section)
  • Demonstrate the technical strategies behind managing users (OAuth and Enterprise Logins) within custom-built SaaS and OEM’d applications, delivering as smooth a login experience as possible.

To recap, some of the business strategies to think about are:

  • Offer the right Identity Management option(s) to fit your market
  • Reduce variable costs associated with Geocoding, Routing, Demographic, Elevation and Spatial Analysis service usage by offloading API credit consumption from your app to ArcGIS users
  • Minimize responsibilities and risks involving password management
  • Access ArcGIS user profile information and their unique content to power your apps
  • Simplify app development using classes and methods from Esri’s APIs/SDKs
  • Gain sellable value adds by contributing content back to ArcGIS, making it possible to use that content in apps like Collector, Ops Dashboard, ArcGIS Pro and ArcGIS for Desktop

Technical Overview

Implementing a technical strategy depends largely on understanding your own identity management capabilities and, more importantly, the specific needs of your customers. A quick review of the landscape shows there is no single solution for managing identity, which is why the ArcGIS platform supports so many industry standards in this area: OAuth, LDAP, SAML, IWA (Integrated Windows Authentication), PKI (client certificates) and other web-tier protocols built into web servers.

As we mentioned in the webinar, when planning a mash-up with another SaaS provider you will spend a fair amount of time thinking about how to deliver a single sign-on (or near single sign-on) experience: specifically, one that ties your own Identity Management features to ArcGIS user accounts. The good news is that there are ways to do this. When choosing a pattern such as Enterprise Logins, much of the heavy lifting is already done, especially if you have chosen an ArcGIS developer product. It is also possible to achieve much the same with OAuth.

You will find many large organizations using the following enterprise login patterns:

Enterprise Logins

Identity Management Pattern   Included Inside           Help Links
LDAP                          On-premises               http://server.arcgis.com/en/portal/latest/administer/windows/use-your-portal-with-ldap-and-web-tier-...
IWA                           On-premises / Cloud *     http://server.arcgis.com/en/portal/latest/administer/windows/use-integrated-windows-authentication-w...
SAML                          On-premises / Cloud       http://server.arcgis.com/en/portal/latest/administer/windows/configuring-a-saml-compliant-identity-p...
                                                        https://doc.arcgis.com/en/arcgis-online/administer/enterprise-logins.htm
PKI                           On-premises               http://server.arcgis.com/en/portal/latest/administer/windows/use-ldap-and-pki-to-secure-access-to-yo...

To prototype any of the above enterprise logins you will need to deploy ArcGIS software such as Portal for ArcGIS and the ArcGIS Web Adaptor, and set up the relevant configuration in non-Esri technology: for example, turn on Integrated Windows Authentication inside Microsoft IIS or LDAP inside Tomcat, and stage a development environment. Choosing SAML involves setting up a SAML identity provider or connecting to an existing one. Where the Identity Management pattern is part of ArcGIS Online, setup involves fewer steps.

The table above includes links explaining implementation. In addition, I find it helpful to refer to the product install guides to assist with setup: http://server.arcgis.com/en/documentation/install/

OAuth

Alternatively, you may want to support OAuth. OAuth comes built into ArcGIS and includes an app login pattern that lets your application connect to premium mapping, analysis and data services directly, authenticating as the app with its own client ID and client secret. Because that secret identifies your app, it belongs on your server, never in browser or mobile code. OAuth also exposes a user login pattern, which lets ArcGIS users connect their own accounts to your app. From a small business to a large business perspective, enabling customers to connect their accounts in this fashion offsets operational costs by offloading API credit consumption from your app to the user.

Lastly, since I like blogs with some code in them, here is a sample web application showing how to connect two SaaS accounts together. Once a connection is made between ArcGIS and your SaaS, every time your customer signs into their account they would be automatically signed into ArcGIS.

It's important to note that the application code sample below implements the OAuth server pattern, in which the web server (here, PHP) performs the token exchange with the client secret rather than the browser, inside a web-based PHP and JavaScript application.

Code Samples: https://github.com/phpmaps/ouath-server-pattern-with-arcgis/blob/master/server-pattern-oauth/index.p...

About the Author
I like things having to do with GIS. My greatest challenge in life is making sure I am being a great dad and being able to deliver what people want with software.