Tag Archives: Portal for ArcGIS

Working with Portal for ArcGIS authentication: Enterprise groups, the Portal Administrator Directory, and SAML

A brief background

When managing authentication with your chosen identity store in Portal for ArcGIS, authentication can be configured at the Portal tier, the Web tier, or the External tier. The primary difference from a user experience perspective is that Portal tier authentication requires credentials to be entered at sign in and does not support a Single Sign On (SSO) experience, whereas Web tier authentication can be configured to utilise the ArcGIS Web Adaptor, Microsoft Internet Information Services (IIS), and Integrated Windows Authentication (IWA) for an SSO user experience.

If using an enterprise identity store with Portal tier authentication, a closer integration with your Microsoft Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) compatible identity store is required by nature. When a user enters their credentials on the Portal for ArcGIS sign in page, the credentials are passed to the portal application, which then authenticates them against the configured enterprise identity store before signing the user in.

If using an enterprise identity store with Web tier authentication, the ArcGIS Web Adaptor and IIS configured with IWA enabled handle the authentication of credentials rather than the portal application, enabling an SSO experience. It can also be configured with the Java ArcGIS Web Adaptor and LDAP, for use in a Linux environment for example.

Becoming a popular option, Portal for ArcGIS supports integration with identity providers compatible with Security Assertion Markup Language (SAML) 2.0 authentication, a form of external tier authentication. Similar to web tier, authentication is handled on a web server, but usually one external to the ArcGIS Enterprise deployment. Common scenarios include the utilisation of external identity providers such as Microsoft Azure Active Directory, Microsoft Active Directory Federation Services (ADFS), Okta, and others. Comparable user experiences include utilising a Google, Facebook, Apple, or GitHub account to sign in and access other websites or services such as ArcGIS Online.

SAML is becoming a popular and prevalent security setting for Portal for ArcGIS due to the various security benefits, enabling a seamless Single Sign On (SSO) experience, and the ability to support multiple identity providers (both built-in and enterprise accounts).

Implications of SAML on the Portal Administrator Directory

Let us assume we have set up our Portal for ArcGIS with SAML authentication to an external identity provider. We have our enterprise users and groups configured as per Configure a SAML-compliant identity provider with a portal—Portal for ArcGIS | Documentation for ArcGIS Enterprise. Now we are looking at how we can interact with our enterprise users and groups through the Portal Administrator Directory endpoint. However, attempting to utilise the “Get Enterprise Groups for Users” operation through <portalurl>/webadaptor/portaladmin/security/groups returns error code 500: “An enterprise group may not have been configured or we were unable to connect to it. Please check the logs for more information.”

We also attempt to use a Python script to automate the process of adding SAML users to portal. Even though we are using an administrator account, the Generate Token request to the ArcGIS REST API still returns a 400 error! What could be the reason for all these errors?

Why? Simply put, this is expected behaviour with external tier authentication.

When we configure SAML authentication with our enterprise identity provider, login requests to portal are redirected to the external identity provider via SAML. Upon successful login, the SAML response is used by Portal for ArcGIS as authorised and trusted credentials to sign the user in. An identity provider integrated via SAML is not, however, registered as the Portal for ArcGIS user store or group store configuration.

The “Get Enterprise Groups for Users” and “Get Users Within Enterprise Group” operations only work against a configured user store and group store. These back-end operations therefore only work with portal tier and web tier authentication scenarios; they do not currently support external tier authentication configurations such as SAML.

The following conceptual workflow demonstrates how the login requests are managed between Portal for ArcGIS and SAML (Step 2).

Ref: ArcGIS Server and Portal for ArcGIS: An Introduction to Security (esri.com)

If we explore our Portal for ArcGIS security configuration through <portal url>/webadaptor/portaladmin/security/config, we will see that the group store configuration in our Portal for ArcGIS identity store is still set to the “BUILTIN” type even though we have set up SAML enterprise logins. Basically, Portal for ArcGIS defers users to the SAML identity provider and trusts the assertion provided on behalf of the user. Rather than the username and login being handled by the Portal for ArcGIS built-in identity store, they are handled by the SAML identity provider.

The group and user operations on the Portal Administrator Directory endpoint are designed to interact with enterprise authentication at the web tier and portal tier, where we need to update our Portal for ArcGIS identity store with LDAP or AD users and groups. With this configuration, we will need to update the group store configuration directly, using the JSON text described in the following link: Use your portal with LDAP or Active Directory and portal-tier authentication—Portal for ArcGIS | Documentation for ArcGIS Enterprise.

In this scenario our Portal for ArcGIS uses Microsoft Windows AD as its group store. Therefore, the “Get Enterprise Groups for Users” and “Get Users Within Enterprise Group” operations will return a valid response. Step 4 in the following figure demonstrates conceptually how Portal for ArcGIS accesses AD or LDAP identity stores to authenticate login requests.
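As an added example (not code from the original post or from Esri), the following Python check reads the JSON document returned by <portal url>/webadaptor/portaladmin/security/config and tells an administrator whether the enterprise group operations described above can be expected to work, and how to read a 500 response in each case. Only the userStoreConfig and groupStoreConfig keys and the BUILTIN, WINDOWS and LDAP type values come from the Esri documentation; the two sample configuration documents are constructed for illustration, with placeholder credentials.

```python
"""Decide from a Portal for ArcGIS security configuration whether the
Portal Administrator Directory enterprise group operations can work.

Added example, not Esri's code. Only the userStoreConfig / groupStoreConfig
keys and the BUILTIN / WINDOWS / LDAP type values are taken from the Esri
documentation; the sample documents below are constructed."""
import json

# Store types the portal can query itself, so "Get Enterprise Groups for
# Users" and "Get Users Within Enterprise Group" have a directory to ask.
ENTERPRISE_STORE_TYPES = {"WINDOWS", "LDAP"}

# Constructed sample: SAML enterprise logins are configured, but the identity
# store itself is still at its BUILTIN defaults, as the post describes.
SAML_PORTAL_CONFIG = json.dumps({
    "userStoreConfig": {"type": "BUILTIN", "properties": {}},
    "groupStoreConfig": {"type": "BUILTIN", "properties": {}},
})

# Constructed sample: portal-tier authentication against Active Directory.
# Property names follow the Esri "Use your portal with LDAP or Active
# Directory" documentation; the values are placeholders, not real accounts.
AD_PORTAL_CONFIG = json.dumps({
    "userStoreConfig": {
        "type": "WINDOWS",
        "properties": {
            "isPasswordEncrypted": "false",
            "user": "mydomain\\serviceaccount",
            "userPassword": "<placeholder>",
        },
    },
    "groupStoreConfig": {
        "type": "WINDOWS",
        "properties": {
            "isPasswordEncrypted": "false",
            "user": "mydomain\\serviceaccount",
            "userPassword": "<placeholder>",
        },
    },
})


def store_types(config_json):
    """Return (user store type, group store type) from a security config document.

    A missing block is treated as BUILTIN, which is the portal default."""
    config = json.loads(config_json)
    user_type = config.get("userStoreConfig", {}).get("type", "BUILTIN").upper()
    group_type = config.get("groupStoreConfig", {}).get("type", "BUILTIN").upper()
    return user_type, group_type


def enterprise_group_ops_supported(config_json):
    """True when the group store is a directory the portal queries directly."""
    _, group_type = store_types(config_json)
    return group_type in ENTERPRISE_STORE_TYPES


def diagnose(config_json, error_code=None):
    """Explain an HTTP error from /security/groups in terms of the store configuration."""
    user_type, group_type = store_types(config_json)
    if enterprise_group_ops_supported(config_json):
        if error_code == 500:
            # The store is configured, so the "unable to connect" half of the
            # error message applies: a connectivity or credential problem.
            return ("group store is %s; a 500 here points at connectivity or "
                    "credentials for the directory, check the portal logs" % group_type)
        return "group store is %s; enterprise group operations are expected to work" % group_type
    return ("group store is %s (user store %s); the portal defers sign-in to the "
            "identity provider and has no directory to query, so a 500 from the "
            "enterprise group operations is expected behaviour, not a fault"
            % (group_type, user_type))


if __name__ == "__main__":
    for name, cfg in (("SAML portal", SAML_PORTAL_CONFIG), ("AD portal", AD_PORTAL_CONFIG)):
        print(name, "->", diagnose(cfg, error_code=500))
```

In practice the document passed to diagnose would be fetched from the portaladmin security config endpoint with an administrator token; the functions are kept free of network calls so they can be unit tested against saved configurations.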

Authors: Razi Mosadeghi and Gregory Hibbett

Reference and Relevant resources:

Portal authentication configuration—Portal for ArcGIS | Documentation for ArcGIS Enterprise

Configure a SAML-compliant identity provider with a portal—Portal for ArcGIS | Documentation for ArcGIS Enterprise

Create groups—Portal for ArcGIS | Documentation for ArcGIS Enterprise

Use your portal with LDAP or Active Directory and portal-tier authentication—Portal for ArcGIS | Documentation for ArcGIS Enterprise

Configure Azure Active Directory—Portal for ArcGIS | Documentation for ArcGIS Enterprise

Tutorial: Azure Active Directory integration with ArcGIS Enterprise | Microsoft Docs

Does Portal inherit AD configured membership groups and will users be added to these groups upon login to Portal with their Enterprise Login? | Esri Australia Technical Blog (wordpress.com)

Does Portal inherit AD configured membership groups and will users be added to these groups upon login to Portal with their Enterprise Login?

Portal for ArcGIS may be configured for Enterprise logins (e.g. SAML/Active Directory). An organisation may require their Portal content to be managed based on Active Directory group membership. The below answers the question “Does Portal automatically create groups to match Active Directory Groups, and will users automatically be added to these groups when first logging in to Portal using their Enterprise Logins?”

The answer is yes; we simply need to configure portal groups and bind them to the Active Directory group using the steps below.

Does Portal inherit Active Directory Configured Membership groups?
Portal for ArcGIS does not automatically create groups to match what is available in Active Directory. The GIS Administrator will need to create and configure groups in Portal for ArcGIS for each of the Active Directory Groups that they want to allow membership of.
How to configure Portal to enable Enterprise Group Membership

You will need to manually create the Portal groups, then bind them to the Active Directory group.

First, configure the organisation SAML settings to enable SAML based Group Membership. This may be done via Organisations > Settings > Security > Logins > Configure > Advanced Settings.

You will then have the ability to create Portal groups with the setting “Enable SAML based group membership”.

Here is where you will need to configure the enterprise group name. This name may not be a recognisable name; it may be a group ID or SID. Members will only be added to the group once they have logged in, and only if there is a group in the SAML assertion response which matches the enterprise group name.

Can SAML/Active Directory users be automatically added to configured Enterprise groups when signing into Portal?
Yes. Once you have configured the Portal groups and associated them with their respective Active Directory groups, you do not need to manage membership of those groups within Portal. When a user logs in with their enterprise account, the groups to which they belong in Active Directory are returned in the SAML response, and ArcGIS reflects that by allowing the user membership of the matching groups you have defined.
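To make the matching rule above concrete, here is an added Python example (not code from the original post or from Esri) that pulls the group values out of a SAML assertion and works out which Portal groups, of those created with “Enable SAML based group membership”, the user would be admitted to. The SAML 2.0 assertion namespace is the standard one; the attribute name "groups", the sample assertion (with an AD style SID and plain group names) and the Portal group definitions are constructed for illustration, and the assertion is assumed to have already been signature validated by the portal before its contents are trusted.

```python
"""Match the group values in a SAML assertion against Portal for ArcGIS
groups that have SAML based group membership enabled.

Added example, not Esri's code. Standard SAML 2.0 namespace; the attribute
name, the assertion and the Portal group definitions are constructed, and
the assertion is assumed to have been signature validated already."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. Identity providers often send group
# identifiers such as a SID rather than display names, which is why the
# enterprise group name configured in Portal may not be recognisable.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.citizen@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>S-1-5-21-1111111111-2222222222-3333333333-1105</saml:AttributeValue>
      <saml:AttributeValue>GIS_Editors</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Portal group definitions: title, whether the group was created
# with "Enable SAML based group membership", and the bound enterprise group name.
PORTAL_GROUPS = [
    {"title": "Asset Editors", "saml_membership": True,
     "enterprise_group": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"title": "Field Viewers", "saml_membership": True,
     "enterprise_group": "GIS_Viewers"},
    # Same name as an IdP group, but not configured for SAML membership.
    {"title": "Finance Maps", "saml_membership": False,
     "enterprise_group": "Finance"},
]


def assertion_groups(assertion_xml, attribute_name):
    """Return the values of the named attribute from a SAML assertion (empty if absent)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            values.extend(v.text.strip()
                          for v in attr.findall("saml:AttributeValue", SAML_NS)
                          if v.text)
    return values


def matching_portal_groups(assertion_xml, attribute_name, portal_groups):
    """Titles of Portal groups the user would be admitted to on this sign-in.

    Only groups with SAML based group membership enabled take part, and a
    group matches only when its enterprise group name appears verbatim in
    the assertion. A user not in any matching group gets an empty list."""
    sent = set(assertion_groups(assertion_xml, attribute_name))
    return [g["title"] for g in portal_groups
            if g["saml_membership"] and g["enterprise_group"] in sent]


if __name__ == "__main__":
    print("groups in assertion:", assertion_groups(SAMPLE_ASSERTION, "groups"))
    print("portal groups joined:",
          matching_portal_groups(SAMPLE_ASSERTION, "groups", PORTAL_GROUPS))
```

Note that the "Finance Maps" group is not joined even though the assertion carries a matching "Finance" value, because it was not created with SAML based group membership; likewise "Field Viewers" stays empty until an assertion actually carries "GIS_Viewers".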

Relevant resources

Use your portal with LDAP or Active Directory and portal-tier authentication https://enterprise.arcgis.com/en/portal/latest/administer/windows/use-your-portal-with-ldap-and-portal-tier-authentication.htm

Link enterprise groups from an IDP https://enterprise.arcgis.com/en/portal/latest/administer/windows/create-groups.htm#ESRI_SECTION1_5E3FFFAA1B7E443FBB1E483E070B1979

Determining the interdependencies of items in Portal for ArcGIS

With almost any Portal there comes a time when you have dozens of items, created over time by different people, and you may be looking to perform a bit of a clean-up.

The problem now arises that you do not know if the Web Map made by a colleague, who since left the organisation, can be deleted or if it is being used by any other items? You might find that deleting an insignificant-looking item brings your organisation’s most-used application down.


How to determine the machine level status of your ArcGIS Enterprise High Availability environment.

Background: GIS administrators are routinely required to perform maintenance activities on their ArcGIS Enterprise High Availability setup. Examples of a maintenance activity include installing Microsoft patches or Esri patches, or resizing instances. Before the maintenance is initiated, GIS administrators should know the exact status of the ArcGIS Enterprise setup so that a workflow can be finalized (that is, whether the application on each machine is assigned a Primary or a Standby role). If this is not taken into account, the architecture may become unstable. For example, if the Primary is shut down first and then the Standby, and the Standby is then started before the Primary, the two machines may end up in a scenario where there is confusion as to which machine is the Primary.


Multi-tier base deployment of ArcGIS Enterprise 10.8.1 using ArcGIS Enterprise Cloud Builder for Microsoft Azure.

ArcGIS Enterprise Cloud Builder for Microsoft Azure is an application you install on your local Microsoft Windows machine to deploy ArcGIS Enterprise and stand-alone ArcGIS Server sites on Microsoft Azure. Depending on what role you want the site to fill, Azure Cloud builder provides several deployment options.

This blog will discuss the workflow of deploying multi-machine ArcGIS Enterprise (non-HA) with each component of the base Enterprise deployment – Portal for ArcGIS, ArcGIS GIS Server, Data Store and App Gateway – installed on its own dedicated server. One thing to note: starting from Azure Cloud Builder 10.8 for Microsoft Azure, the base ArcGIS Enterprise deployment is no longer accessed through a load balancer and reverse proxy. The 10.8 version of ArcGIS Enterprise Cloud Builder for Microsoft Azure creates ArcGIS Enterprise deployments that use a single Azure Application Gateway to access the portal and all federated servers; this is referred to as a version 2 (V2) deployment type.


Important Portal for ArcGIS Security Alert

4 June 2020

Esri has announced that they have detected a critical security vulnerability in the Portal for ArcGIS component of ArcGIS Enterprise when special steps are taken by persons with network access to the ArcGIS Enterprise portal to exploit Server-Side Request Forgery (SSRF), which can result in access to and control over other infrastructure resources by unauthenticated persons.

Spatial analysis for the rest of us

Since May of this year, when I demonstrated a very early version of the new Insights for ArcGIS product at the Directions LIVE events Esri Australia staged around the country, it has been the topic of many conversations I have had – both internally and with customers.

Everyone is keen to understand where Insights fits in to the ArcGIS platform, and where it sits in relation to other similar products in the broader market.

There’s a buzz about this that I haven’t witnessed for some time in Esri circles, and I’ve got to say – it’s infectious. For me personally, Insights, and the GeoAnalytics Server that is also in the pipeline for ArcGIS 10.5, stand to be highlights of my work over the next year or so.

I’d like to share my early thoughts on Insights, and I hope that leaves you curious enough to find out more.

A Brief Look at the Query and Search Widget for Web AppBuilder

While delivering Arc 2: Essential Workflows, I was enthusiastically describing the wonders and practical uses of the Search widget in Web AppBuilder for ArcGIS Online or Portal and its capability to search content within your feature layers. When I asked my students, “Which widget should I use?”, some referred to the functionality of the Query widget which I had previously demonstrated, while others preferred the power of the Search widget. Hopefully by the end of this post you will be well placed to make an informed decision as to whether you should use and configure a Query or Search widget for your web apps in ArcGIS Online or Portal.


In search of Doctor Who (travels with ArcGIS server, episode 3)

Last episode the galactic federation had stopped with the one server, but there is still more to explore in the box. We have seen our ArcGIS for Server published from and managed by both ArcGIS Desktop and Server Manager in a browser, and used from various Portal for ArcGIS clients. It was noted that we also chose a federated server to act as our portal’s hosting server.

With Space to spare in the box, what Relatively new discoveries And functions can we explore this Time by adding In the extra Dimension of a hosting server?



In search of Doctor Who (travels with ArcGIS server, episode 2)

Last episode we got as far as creating a map service to view a few of the nearby places Doctor Who has been seen, but it is now time to find out which galactic federation has taken control of our ArcGIS Server security.

Knowing my server box was a lot bigger on the inside, I decided when Portal for ArcGIS is installed to give its Web Adaptor the name ‘portal’ as I wanted to leave the more familiar ‘arcgis’ application name for the ArcGIS Server which was also installed.

