Recently we delivered a developer webinar on the foundational topic of Identity Management. The ArcGIS platform offers a range of Identity Management options, which is a key differentiator and benefit of developing your apps with Esri.
Background
There are two major forms of OAuth: one that enables user authentication and one that enables app authentication. How you deliver either will vary depending on whether you're working with a server client, a browser client, or a mobile client, and on which of the seven ArcGIS developer products you are using. If you have adopted the ArcGIS developer products, each includes native support for OAuth and for the other Identity Management patterns discussed in this blog.
The goal of this webinar was to:
To recap, some of the business strategies to think about are:
Technical Overview
The key to implementing a technical strategy largely depends on understanding your own identity management capabilities and, more importantly, understanding the specific needs of your customers. A quick review of the landscape shows there is no single solution for managing identity, which is why the ArcGIS platform supports so many industry standards in this area, such as OAuth, LDAP, SAML, IWA, PKI and other web-tier protocols built into web servers.
As we mentioned in our webinar, when planning a mash-up with another SaaS provider you will spend a fair amount of time thinking about how to deliver a single sign-on (or near single sign-on) experience, specifically one that ties together your Identity Management features with ArcGIS user accounts. The good news is there are ways to do this. When you choose a pattern such as Enterprise Logins, much of that heavy lifting is already done, especially if you have chosen an ArcGIS developer product. It is also possible to achieve much the same using OAuth.
You will find many large organizations using the following enterprise login patterns:
Enterprise Logins
| Identity Management Pattern | Included Inside | Help Links |
| --- | --- | --- |
| LDAP | On-premises | |
| IWA | On-premises / Cloud * | |
| SAML | On-premises / Cloud | https://doc.arcgis.com/en/arcgis-online/administer/enterprise-logins.htm |
| PKI | On-premises | |
To prototype any of the above enterprise logins you will need to deploy ArcGIS software such as Portal for ArcGIS and the ArcGIS Web Adaptor, and set up the relevant configurations with non-Esri technology. For example, turn on Integrated Windows Authentication inside Microsoft IIS or LDAP inside Tomcat, and stage a development environment. Choosing SAML involves setting up a SAML server or connecting to an existing provider. In cases where the Identity Management pattern is part of ArcGIS Online, setup involves fewer steps.
The table above includes links explaining implementation. In addition, I find it helpful to refer to the product install guides to assist with setup efforts: http://server.arcgis.com/en/documentation/install/
OAuth
Alternatively, you may want to support OAuth. OAuth comes built into ArcGIS and includes an app-authentication pattern that enables applications to connect to premium mapping, analysis and data services directly from the app. Additionally, OAuth exposes a user-authentication pattern, which allows ArcGIS users to connect to their own accounts. From a small-business to a large-business perspective, enabling customers to connect their accounts in this fashion has a way of offsetting operational costs by offloading API credit consumption from your app to the user.
Lastly, since I like blogs with some code in them, here is a sample web application showing how to connect two SaaS accounts together. Once a connection is made between ArcGIS and your SaaS, every time your customer signs into their account they will automatically be signed into ArcGIS as well.
It's important to note that the application code sample below implements the OAuth server pattern inside a web-based PHP and JavaScript application.
Code Samples: https://github.com/phpmaps/ouath-server-pattern-with-arcgis/blob/master/server-pattern-oauth/index.p...