Portal Token

11-06-2015 12:45 PM
DanMallett
Esri Contributor

When I try to log in to GeoEvent Manager I am always prompted with a window saying "To acquire a portal token, open this link and enter <geoevent manager url> for the "Webapp URL" parameter."


Although I can log in with the token, why is this necessary? Why isn't this single sign-on as with AGS?

I'm using 10.3.1 GeoEvent, AGS, and Portal.  AGS is federated with Portal and Portal is using Windows AD logins.

Related to this issue (I think) is that any Stream Services I create can only be viewed if shared with "Everyone" in Portal, even though I've created the service with my Windows user, and in Portal it shows the stream service under "My Content".

Thanks!

2 Replies
RJSunderman
Esri Regular Contributor

Daniel -

For the 10.3.1 release we tried incorporating a library to improve the user's sign-in experience but discovered a rather severe security vulnerability and had to revert (remove) the code changes. We improved the single-sign-on experience for the 10.4 product release.

To provide you a little bit of background, GeoEvent requires anonymous access to two different REST endpoints in order to coordinate authentication with Portal when Portal has been federated with ArcGIS Server and authentication is passing through the web-tier (e.g. Basic Authentication or IWA).

At 10.3 / 10.3.1 ... if GeoEvent cannot access these endpoints its failover behavior is to prompt the user to acquire and provide a token in order to log-in to the GeoEvent Manager.

I think the 10.4 / 10.4.1 login experience, when federated with Portal, will be more in line with what you expect. There is one known issue that is currently deferred to 10.5 -- after federating with Portal and completing the configuration of your SSL certificates you often have to restart the GeoEvent Windows service twice (2x) in order to get it to recognize the new security topology.

Hope this information is helpful -

RJ

VentsislavStanchev
New Contributor

Hello, the problem is the same in 10.4 as well.

GeoEvent 10.4.1 with a federated ArcGIS Server with Portal and Active Directory integration login.

Example: when creating a simple output in GeoEvent Processor that uses a feature server (from a secured service in the federated GIS server).

In this situation, in the GeoEvent Processor data stores, we registered the GIS server via non-SSL on 6080, via SSL on 6443, via Web Adaptor without SSL, and via Web Adaptor with SSL.

The situation is the same in all tests: the token expires and a new one is not obtained, then the output goes down and writes nothing.

We also made another test with GitHub - Esri/geoevent-datastore-proxy: Proxy that handles tokens for versions of ArcGIS GeoEvent Pr... but with the same results; maybe this way it keeps working longer, but in a few days (3-4) it again cannot get a token.

Is there a workaround for this problem now for 10.4?
