Advice on Authenticating Domain Users (via ADFS) Against Secure Services

Question asked by aschafer@cityutil.com on May 6, 2016

Hello Community -

I am looking for some guidance on how to approach authenticating active directory domain users against a secure ArcGIS Server map service.  Knowing there are several approaches, please note the following:

  • The application needing to consume the secure ArcGIS Server service is a custom developed web application using the ArcGIS Javascript API (v3.16).
  • The ArcGIS Server (v10.4) hosting the service is federated to ArcGIS Portal (v10.4). The Portal itself authenticates users via ADFS via the "Enterprise Logins via SAML identity provider" option.
  • Being federated, ArcGIS Server now "defers" security to the Portal - and I think THAT is what is making this challenging, if not impossible.
  • Consequently, the service itself will only allow access to either everyone (Public) or defined Portal members (via a Portal group). Correct?  The members of that particular Portal group are defined via an AD Group.

Ideally, I would like to expose the secure service to members of that AD Group WITHOUT defining them as Portal members.  The service existed before the Portal and it has not been added as a Layer in the Portal.  I just want to use the service, but Portal seems to get in the way!

Additionally, if we did want to make the service available to a Portal user, we want to make sure they are not presented with a second login prompt when they access feature layers exposed in the Portal if they have already authenticated via ADFS.

Can I even do this with ArcGIS Server federated to the Portal? Or do I have to drop the federation?

Some of the approaches tried thus far:

OAuth 2.0 via the JavaScript API

I tried the approach mentioned here:

http://www.mymanatee.org/arcgis_js_api/sdk/jssamples/portal_oauth_inline.html

Using this method, I was prompted to log into the Portal in order to access the secured services.

App login approach

I followed the approach mentioned here:

https://developers.arcgis.com/authentication/accessing-arcgis-online-services/

Based on this, I was able to get a token; however, the token did not appear to work on secured services. It would return "Invalid token" as a dojo script error when the ArcGISDynamicMapServiceLayer was called in the ArcGIS JavaScript API.

Looking at what is posted below, it does not appear that secured services can use this method.

https://developers.arcgis.com/authentication/limitations-of-application-authentication/

Named user approach

POST to [portal_url]/arcgissrv/tokens/generateToken

In the POST we supplied the following information:

f: "json"
username: [username]
password: [password]
client: "referrer"
referrer: [custom app URL]

When we used a portal account we would get back a token response:

{"token":"5dvEdVwMi4a3LpKfW-02ofyg8fi5bStGiO0tP-S7BlYut3gjMFbdC8TRJnTFS88v","expires":1462567122484}

When we used a domain (AD) account without having a portal account set up we received the message:

{"error":{"code":401,"message":"You are not authorized to access this information","details":"Invalid credentials"}}

Outcomes
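As an added example (not code from the original post or from Esri), here is a small Python client for the named-user approach described above: it builds the referer-bound generateToken POST and parses both responses the post quotes, the token returned for a Portal member and the 401 "Invalid credentials" error object returned for a domain-only account. The portal and app URLs are assumed placeholders, and the parameter spelling `client=referer` / `referer` follows the ArcGIS REST API (the post writes "referrer").

```python
import json
import urllib.parse
import urllib.request


class TokenError(Exception):
    """generateToken answered with an ArcGIS error object instead of a token."""


def build_token_request(portal_url, username, password, app_url):
    """Return (endpoint, form-encoded body) for a referer-bound named-user token.
    Endpoint layout is the one given in the post; portal_url is an assumed value.
    A token issued with client=referer is only honoured when the browser sends a
    matching Referer header, which limits what a leaked token is good for."""
    endpoint = portal_url.rstrip("/") + "/arcgissrv/tokens/generateToken"
    params = {"f": "json", "username": username, "password": password,
              "client": "referer", "referer": app_url}
    return endpoint, urllib.parse.urlencode(params).encode()


def parse_token_response(body):
    """Parse a generateToken body. ArcGIS reports failures as HTTP 200 with an
    'error' object, so the JSON must be inspected, not just the status code."""
    data = json.loads(body)
    if "error" in data:
        err = data["error"]
        details = err.get("details", "")
        if isinstance(details, list):  # details may be a list on some releases
            details = "; ".join(details)
        raise TokenError(f"{err.get('code')}: {err.get('message')} ({details})")
    if "token" not in data or "expires" not in data:
        raise TokenError("unexpected response: " + body[:200])
    return data["token"], int(data["expires"])  # expires is epoch milliseconds


def request_token(portal_url, username, password, app_url, post=None):
    """Fetch a token; 'post' is an injectable transport so the flow runs offline."""
    endpoint, body = build_token_request(portal_url, username, password, app_url)
    if post is None:
        def post(url, data):
            with urllib.request.urlopen(url, data=data) as resp:
                return resp.read().decode()
    return parse_token_response(post(endpoint, body))


# Constructed sample bodies, copied from the two responses quoted in the post.
SAMPLE_OK = ('{"token":"5dvEdVwMi4a3LpKfW-02ofyg8fi5bStGiO0tP-S7BlYut3gjMFbdC8TRJnTFS88v",'
             '"expires":1462567122484}')
SAMPLE_DENIED = ('{"error":{"code":401,"message":"You are not authorized to access '
                 'this information","details":"Invalid credentials"}}')
```

Passing `post=lambda url, data: SAMPLE_DENIED` to `request_token` reproduces the failure path for the AD-only account without contacting a server.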