You can secure access to your portal using Lightweight Directory Access Protocol (LDAP). When you use LDAP, logins are managed through your organization's LDAP server. Once you've updated your portal's identity store for LDAP, you can configure authentication at the portal tier.
Configure the portal to use HTTPS for all communication
By default, Portal for ArcGIS enforces HTTPS for all communication. If you have previously changed this option to allow both HTTP and HTTPS communication, you must reconfigure the portal to use HTTPS-only communication by following the steps below:
- Sign in to the portal website as an administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
- On the Organization page, click the Settings tab, then click Security.
- Check Allow access to the portal through HTTPS only.
- Click Save to apply your changes.
Update your portal's identity store
Next, update your portal's identity store to use LDAP users and groups.
Update your portal's identity store using LDAP
- Sign in to the ArcGIS Portal Directory as an administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > Config > Update Identity Store.
- In the User store configuration (in JSON format) text box, paste your organization's LDAP user configuration information (in JSON format). Alternatively, you can update the following sample with user information specific to your organization.
{ "type": "LDAP", "properties": { "userPassword": "secret", "isPasswordEncrypted": "false", "user": "uid=admin,ou=system", "userFullnameAttribute": "cn", "userGivenNameAttribute": "givenName", "userSurnameAttribute": "sn", "ldapURLForUsers": "ldaps://myLdapServer:10636/ou=users,ou=ags,dc=example,dc=com", "userEmailAttribute": "mail", "usernameAttribute": "uid", "caseSensitive": "false", "userSearchAttribute": "uid" } }
In most cases, you'll only need to alter values for the user, userPassword, and ldapURLForUsers parameters. The URL to your LDAP will need to be provided by your LDAP administrator.
In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:
"ldapURLForUsers": "ldaps://myLdapServer:10636/dc=example,dc=com",
The account you use for the user parameter needs permissions to look up the email address and user names of users in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).
If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.
- If you want to create groups in the portal that use the existing enterprise groups in your identity store, paste your organization's LDAP group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. Alternatively, you can update the following sample with group information specific to your organization. If you only want to use the portal's built-in groups, delete any information in the text box and skip this step.
{ "type": "LDAP", "properties": { "userPassword": "secret", "isPasswordEncrypted": "false", "user": "uid=admin,ou=system", "ldapURLForUsers": "ldaps://myLdapServer:10636/ou=users,ou=ags,dc=example,dc=com", "ldapURLForRoles": "ldaps://myLdapServer:10636/dc=example,dc=com", "usernameAttribute": "uid", "caseSensitive": "false", "userSearchAttribute": "uid", "memberAttributeInRoles": "member", "rolenameAttribute":"cn" } }
In most cases, you'll only need to alter values for the user, userPassword, and ldapURLForUsers parameters. The URL to your LDAP will need to be provided by your LDAP administrator.
In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:
"ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",
The account you use for the user parameter needs permissions to look up the email address and user names of users in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).
If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.
- Click Update Configuration to save your changes.
Optionally configure additional identity store parameters
There are additional identity store configuration parameters that can be modified using the ArcGIS Portal Directory administration API. These parameters include options such as restricting whether groups are refreshed automatically when an enterprise user signs in to the portal, setting the membership refresh interval, and defining whether to check for multiple user name formats. See Update Identity Store for details.
Configure portal-tier authentication
Once you've configured the portal with your LDAP identity store, you'll need to enable anonymous access through your web adaptor in your Java application server. When a user accesses the portal sign-in page, they can log in using either enterprise credentials or built-in credentials. Enterprise users will be required to enter their account credentials each time they log in to the portal; automatic or single-sign on will not be available. This type of authentication also allows anonymous users access to maps or other portal resources that are shared with everyone.
Verify you can access the portal using credentials
- Open the portal website. The URL is in the format: https://webadaptorhost.domain.com/webadaptorname/home.
- Sign in using your enterprise account credentials (example syntax below).
When using portal-tier authentication, members in your enterprise will log in using the following syntax:
- If using the portal with LDAP, the syntax is always username. The portal website also displays the account in this format.
Add enterprise accounts to your portal
By default, enterprise users can access the portal website. However, they can only view items that have been shared with everyone in the organization. This is because the enterprise accounts have not been added to the portal and granted access privileges.
Add accounts to your portal using one of the following methods:
- Portal for ArcGIS website (one at a time, in bulk from a CSV file, or from existing enterprise groups)
- Python script
- Command line utility
- Automatically
It's recommended that you designate at least one enterprise account as an administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Once the accounts have been added, users can sign in to the organization and access content.