You can secure access to your portal using Lightweight Directory Access Protocol (LDAP) or Windows Active Directory. When you use LDAP, logins are managed through your organization's LDAP server. When you use Windows Active Directory, logins are managed through Microsoft Windows Active Directory. Once you've updated your portal's identity store for either LDAP or Active Directory, you can configure authentication at the portal tier.
Configure the organization to use HTTPS for all communication
By default, ArcGIS Enterprise enforces HTTPS for all communication. If you have previously changed this option to allow both HTTP and HTTPS communication, you must reconfigure the organization to use HTTPS-only communication by following the steps below:
- Sign in to the portal website as an administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
- On the Organization page, click the Settings tab, then click Security.
- Check Allow access to the portal through HTTPS only.
- Click Save to apply your changes.
Update your organization's identity store
Next, update your portal's identity store to use either LDAP or Active Directory users and groups.
Update the identity store using LDAP
- Sign in to the Portal Administrator Directory as an administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > Configuration > Update Identity Store.
- In the User store configuration (in JSON format) text box, paste your organization's LDAP user configuration information (in JSON format). Alternatively, you can update the following sample with user information specific to your organization.
{ "type": "LDAP", "properties": { "userPassword": "secret", "isPasswordEncrypted": "false", "user": "uid=admin,ou=system", "userFullnameAttribute": "cn", "userGivenNameAttribute": "givenName", "userSurnameAttribute": "sn", "ldapURLForUsers": "ldaps://myLdapServer:10636/ou=users,ou=ags,dc=example,dc=com", "userEmailAttribute": "mail", "usernameAttribute": "uid", "caseSensitive": "false", "userSearchAttribute": "uid" } }
In most cases, you'll only need to alter values for the user, userPassword, and ldapURLForUsers parameters. The URL to your LDAP will need to be provided by your LDAP administrator.
In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would look like this:
"ldapURLForUsers": "ldaps://myLdapServer:10636/dc=example,dc=com",
The account you use for the user parameter needs permissions to look up the email address and user names of users in your organization. Although you type the password in clear text, it will be encrypted when you click Update Identity Store (below).
If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.
- To create groups in the portal that use the existing LDAP groups in your identity store, paste your organization's LDAP group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. Alternatively, you can update the following sample with group information specific to your organization. If you only want to use the portal's built-in groups, delete any information in the text box and skip this step.
{ "type": "LDAP", "properties": { "userPassword": "secret", "isPasswordEncrypted": "false", "user": "uid=admin,ou=system", "ldapURLForUsers": "ldaps://myLdapServer:10636/ou=users,ou=ags,dc=example,dc=com", "ldapURLForRoles": "ldaps://myLdapServer:10636/dc=example,dc=com", "usernameAttribute": "uid", "caseSensitive": "false", "userSearchAttribute": "uid", "memberAttributeInRoles": "member", "rolenameAttribute":"cn" } }
In most cases, you'll only need to alter values for the user, userPassword, and ldapURLForUsers parameters. The URL to your LDAP will need to be provided by your LDAP administrator.
In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would look like this:
"ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",
The account you use for the user parameter needs permissions to look up the email address and user names of users in your organization. Although you type the password in clear text, it will be encrypted when you click Update Identity Store (below).
If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.
- Click Update Identity Store to save your changes.
Update the identity store using Active Directory
- Sign in to the Portal Administrator Directory as an administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > Configuration > Update Identity Store.
- In the User store configuration (in JSON format) text box, paste your organization's Windows Active Directory user configuration information (in JSON format). Alternatively, you can update the following sample with user information specific to your organization.
{ "type": "WINDOWS", "properties": { "userPassword": "secret", "isPasswordEncrypted": "false", "user": "mydomain\\winaccount", "userFullnameAttribute": "cn", "userEmailAttribute": "mail", "userGivenNameAttribute": "givenName", "userSurnameAttribute": "sn", "caseSensitive": "false" } }
In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Identity Store (below). The account you specify for the user parameter only needs permissions to look up the email address and full name of Windows accounts on the network. If possible, specify an account whose password does not expire.
In the rare case in which your Windows Active Directory is configured to be case sensitive, set the caseSensitive parameter to true.
- To create groups in the portal that use the existing Active Directory groups in your identity store, paste your organization's Windows Active Directory group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. Alternatively, you can update the following sample with group information specific to your organization. If you only want to use the portal's built-in groups, delete any information in the text box and skip this step.
{ "type": "WINDOWS", "properties": { "isPasswordEncrypted": "false", "userPassword": "secret", "user": "mydomain\\winaccount" } }
In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Identiy Store (below). The account you specify for the user parameter only needs permissions to look up the names of Windows groups on the network. If possible, specify an account whose password does not expire.
- Click Update Identity Store to save your changes.
Optionally configure additional identity store parameters
There are additional identity store configuration parameters that can be modified using the Portal Administrator Directory. These parameters include options such as restricting whether groups are refreshed automatically when an organization-specific user signs in to the portal, setting the membership refresh interval, and defining whether to check for multiple user name formats. See Update Identity Store for details.
Configure portal-tier authentication
Once you've configured the portal with your Active Directory or LDAP identity store, you'll need to enable anonymous access through the web adaptor in IIS or your Java application server. When a user accesses the organization sign-in page, they can sign in using either organization-specific credentials or built-in credentials. Organization-specific users will be required to enter their account credentials each time they sign in to the portal; automatic or single-sign on will not be available. This type of authentication also allows anonymous users access to maps or other organization resources that are shared with everyone.
Verify you can access the portal using credentials
- Open the ArcGIS Enterprise portal. The URL is in the format: https://webadaptorhost.domain.com/webadaptorname/home.
- Sign in using your organization-specific account credentials (example syntax below).
When using portal-tier authentication, members will sign in using the following syntax:
- If using the portal with your Active Directory, the syntax can be domain\username or username@domain. Regardless of how the member signs in, the user name always displays as username@domain in the portal website.
- If using the portal with LDAP, the syntax depends on the usernameAtrribute specified in the user store configuration. The portal website also displays the account in this format.
Add organization-specific accounts to your portal
By default, organization-specific users can access the portal website. However, they can only view items that have been shared with everyone in the organization. This is because the organization-specific accounts have not been added to the portal and granted access privileges.
Add accounts to your organization using one of the following methods:
- Individually or in bulk (one at a time, in bulk from a CSV file, or from existing LDAP groups)
- Command line utility
- Automatically
It's recommended that you designate at least one organization-specific account as an administrator of your portal. You can do so by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Once the accounts have been added, users can sign in to the organization and access content.