
Credential timeout in IdentityManager

Question asked by vandervoort on Apr 25, 2016

We are using ADFS to secure our portal - which is a non-ArcGIS web application. ADFS is the security store for ArcGIS Server and Portal.

When the portal gets loaded into the browser, it creates two cookies:

  • MYagstoken: <cryptic_string_token>
  • MYagsdetailsCookie: {"userId":"myusername@mydomain.com","expires":1461627081574,"creationTime":1461623481574}

I have verified that the content of MYagstoken is a valid token that I can use to consume secure resources. The token times out in 60 minutes.

I am using the ArcGIS Resource Proxy from github to identify the CORS resource but not to obscure a username/password. In other words: username/password is not allowed in the proxy.config and it is the person who logged in to the portal (non-ArcGIS web application) who has obtained the token from the AGS token dispenser via the cookies.

We are NOT using the default login UI for IdentityManager. Our identities are created “elsewhere” and are stashed in the cookies.

When our JSAPI application gets loaded into the browser it uses the cookies to create an object that is used to initialize the IdentityManager (esriId).

// esriId is the IdentityManager singleton (module "esri/IdentityManager" in the 3.x JSAPI).
// MYagstoken and MYagsdetailsCookie hold the raw values of the two cookies of the same name.
var MYagsdetails = JSON.parse(MYagsdetailsCookie);
var userId = MYagsdetails.userId;
var expires = MYagsdetails.expires;           // ms since epoch
var creationTime = MYagsdetails.creationTime; // ms since epoch

var serverInfo = {
  server: "https://webadaptor.MyDomain.com/portal",
  tokenServiceUrl: "https://webadaptor.MyDomain.com/portal/sharing/generateToken/",
  hasPortal: true,
  webTierAuth: false
};

var credential = {
  userId: userId,
  server: "http://webadaptor.MyDomain.com/portal", // note: http here, https in serverInfo.server
  token: MYagstoken,
  expires: expires,
  validity: undefined,
  ssl: true,
  creationTime: creationTime,
  scope: "portal" // "server" does not work
};

var idObject = {
  serverInfos: [serverInfo],
  credentials: [credential]
};

esriId.initialize(idObject);

This successfully creates a credential that I can use for 60 minutes. There are a couple of oddities at this point:

  • The following gets executed, indicating that the IdentityManager is successfully creating a credential. It should be noted that the token is a different string, although this token is valid as well.

esriId.on("credential-create", function(e) {
  console.log(new Date().toLocaleString() + ' credential-create Credential: ', e.credential);
});

The following event NEVER gets fired, even after the 60 minutes:

esriId.on("dialog-create", function(e) {
  console.log(new Date().toLocaleString() + ' dialog-create', e);
});

The secured services cease to function inside the map. Pan and zoom, and nothing happens. There was rich and dynamic map content for 60 minutes though…

There are repeated errors of “Invalid Token”, indicating that the token never refreshed. It was my understanding that when a credential was created by IdentityManager.initialize, a timer was created that refreshed the token when it timed out.

The bottom line is that there is no indication that the security has expired (dialog-create) or that a new credential is created (credential-create). FAIL.

I’d like to do either one of two things:

  • Institutional: Inform the user that their security has timed out and that they need to launch the map app again from the portal. This is the “not preferred but acceptable” alternative.
  • Technological: Refresh the IdentityManager credential with a new token that will give me another 60 minutes. This is the preferred option, so long as the portal application can create the cookies (soon to be local storage).

One other item: I’ve attempted to use a timer to recreate the IdentityManager credential using the code above and the cookies generated by the portal, but without success. For reasons I don’t understand, I’m just not able to rehydrate the IdentityManager so my users can continue working in the map application.

Hope you can help... TIA
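
As an added example (my own code, not part of the original post and not Esri's), here is the “technological” option sketched as a refresh loop: parse the two cookies the portal sets, build the credential from them, register it, and arm a timer that re-reads the cookies and registers again shortly before `expires`. The IdentityManager cannot refresh a token it was handed from outside (it has no password and no refresh secret), so something in the page has to re-register a fresh one. Assumptions: the cookie names from the post, a five-minute refresh margin, that `esriId.registerToken({server, token, expires, userId, ssl})` in the 3.x API is the re-registration call, and the helper names, which are mine. Browser-specific pieces are injected so the logic runs outside a browser.

```javascript
// Added example (not from the original post, not Esri's code): keep the
// IdentityManager credential alive by re-reading the two cookies the portal
// sets and re-registering the token before it expires. Browser-specific pieces
// (document.cookie, esriId, setTimeout) are injected via `deps` so the logic
// runs and can be exercised outside a browser.

// Assumption: refresh this long before `expires`, to cover clock skew and a
// request in flight at the moment of expiry.
const REFRESH_MARGIN_MS = 5 * 60 * 1000;

// Parse a document.cookie-style string ("a=1; b=2") into { name: value }.
// Values are URL-decoded when they decode cleanly, otherwise kept raw.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Build the credential to register from MYagstoken and MYagsdetailsCookie
// (the cookie names from the post). Returns null if either is missing or
// malformed, so a half-written cookie pair never produces a bogus credential.
function credentialFromCookies(cookies, server) {
  const token = cookies.MYagstoken;
  const detailsJson = cookies.MYagsdetailsCookie;
  if (!token || !detailsJson) return null;
  let details;
  try { details = JSON.parse(detailsJson); } catch (e) { return null; }
  if (typeof details.userId !== "string" || !Number.isFinite(details.expires)) return null;
  return {
    userId: details.userId,
    server: server,           // the same string, scheme included, as serverInfo.server
    token: token,
    expires: details.expires, // ms since epoch, as written by the portal
    ssl: server.toLowerCase().startsWith("https://")
  };
}

// How long to wait before the next refresh: margin before expiry, never negative.
function refreshDelayMs(expires, now) {
  return Math.max(0, expires - REFRESH_MARGIN_MS - now);
}

// Register the current cookie credential and arm a timer to do it again before
// it expires. The portal app is expected to have rewritten the cookies by then;
// if they are gone or already expired, `onExpired` is the "institutional"
// fallback (tell the user to relaunch the map from the portal).
// deps: { getCookieString, register, setTimer, now, onExpired }
function startTokenRefresh(server, deps) {
  function tick() {
    const cred = credentialFromCookies(parseCookies(deps.getCookieString()), server);
    if (cred === null || cred.expires <= deps.now()) {
      deps.onExpired();
      return null;
    }
    deps.register(cred);
    return deps.setTimer(tick, refreshDelayMs(cred.expires, deps.now()));
  }
  return tick();
}

// Browser wiring (assumed 3.x API: esriId.registerToken re-registers a token
// obtained elsewhere for a server the IdentityManager already knows):
//   startTokenRefresh("https://webadaptor.MyDomain.com/portal", {
//     getCookieString: () => document.cookie,
//     register: (cred) => esriId.registerToken(cred),
//     setTimer: (fn, ms) => setTimeout(fn, ms),
//     now: () => Date.now(),
//     onExpired: () => alert("Your session has expired; relaunch the map from the portal.")
//   });
```

Two caveats worth keeping in mind. Because the JSAPI has to read the token, the cookie cannot be HttpOnly, so set it Secure and scope it as tightly as possible: any script that runs in the page can read it. And the post's credential uses `http://` for `server` while `serverInfo.server` uses `https://`; the example derives the credential's `server` and `ssl` from one string so the two cannot drift apart.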
