The primary factor you should use to determine how you configure security in yourPortal for ArcGISdeployment is the source of users and, optionally, groups for your portal. This source of users and groups is called your identity store. Users and groups inside or outside your organization are managed through identity storage.
- Understanding identity storage
- Configuring embedded users using portal identity storage
- Configuring enterprise logins using web-tier authentication
- Configuring enterprise logins using SAML
Understanding identity storage
The identity store for your portal defines where your portal account credentials are stored, how authentication is performed, and how group membership is managed. TheArcGIS Enterprisethe portal supports two types of identity storage: built-in and business.
Built-in identity storage
TheArcGIS Enterprisethe portal is pre-configured so you can easily create accounts and groups on your portal. You can useCreate an accountlink on the home page of the portal website toadd an embedded account to your portaland start contributing content to the organization or accessing resources created by other members. You can also click ongroupstab on the home page of the portal website icreate a groupfor item management. When you create accounts and groups in your portal in this way, you take advantage of the built-in identity store, which performs authentication and stores usernames, passwords, roles, and group membership of portal accounts.
You must use the built-in identity store to create the initial administrator account for your portal, but you can later switch to the enterprise identity store. Built-in identity storage is useful for getting your portal up and running, as well as for development and testing. However, production environments typically use enterprise identity storage.
Storage of company identity
TheArcGIS Enterprisethe portal is designed so that you can use business accounts and groups to control access to your ArcGIS organization. For example, you can control access to the portal by using credentials from your Lightweight Directory Access Protocol (LDAP) server, Active Directory server,and identity providers that support Security Markup Language (SAML) 2.0 Web Single Sign On. This process is described throughout the documentation as setting up business applications.
The advantage of this approach is that you do not have to create additional accounts within the portal. Members use a login that is already set up within the enterprise identity store. Account credential management is completely outside the portal. This allows for a single sign-in experience so users won't have to re-enter their credentials.
Similarly, you can alsocreate groupson a portal that leverages existing enterprise groups in your identity store. Also, company accounts can be added in bulk from groups of companies in your organization. When members log into the portal, access to content, items and data is controlled by the membership rules defined in the company group. Group membership management is completely outside the portal.
For example, the recommended practice is todisable anonymous accessto your portal, connect your portal with the desired groups of companies in your organization andadd business accountsbased on those groups. In this way, you restrict access to the portal based on specific groups of companies within your organization.
Use an enterprise identity store if your organization wants to set policies for password expiration and complexity, control access using existing enterprise groups, or leverage authentication overIntegrated Windows Authentication (IWA)or Public Key Infrastructure (PKI). Authentication can be managed at the web level (using web-tier authentication), at the portal level (using portal level authentication), or through an external identity provider (using SAML).
Supports multiple identity stores
Using SAML 2.0, you can allow access to your portal using multiple identity stores. Users can sign in with embedded and managed accounts across multiple SAML-compliant identity providers that are configured to trust each other. This is a good way to manage users who may reside inside or outside your organization. For full details, seeConfiguring a SAML compliant identity provider with your portal.
Configuring built-in users and groups using portal identity storage
No steps are required to configure the portal when using built-in users and groups; the portal is ready for embedded users and groups immediately after installing the software. If you are a business user, see the following sections and related links for more information.
Configuring enterprise logins
The following enterprise identity providers can be configured with the portal. Authentication can be managed at the web level (using the ArcGIS Web Adaptor) or at the portal level.
If your portal runs on a Windows server and you have Windows Active Directory configured, you can useIntegrated Windows authenticationto connect to your portal. This enables automatic or single sign-on for portal users via web-tier authentication. To use Windows authentication, your web adapter must be set to Microsoft's IIS web server.
If you have an LDAP directory, you can use it withArcGIS Enterpriseportal. SeeUsing your portal with LDAP and web-tier authenticationfor more information. If you want to use LDAP, deploy your Web Adapter to a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic.
If your organization has a PKI, you can use certificates to authenticate communication with your portal using HTTPS.When authenticating a user, you have the option to useWindows Active DirectoryorLightweight Directory Access Protocol (LDAP). To use Windows authentication, your web adapter must be set to Microsoft's IIS web server. To use LDAP, your web adapter must be deployed on a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic.It is not possible to enable anonymous access to your portal when using PKI.
Portal level authentication
If you want to allow access to your portal using both enterprise and embedded identity stores without using SAML, you can use portal-level authentication.This is done by configuring the portal with yoursActive DirectoryorLDAPidentity store, then enabling anonymous access in IIS or your Java application server.When a user accesses the portal login page, they will be able to login using their enterprise credentials or embedded credentials. Enterprise users will need to enter their account credentials each time they log into the portal; automatic or one-time login will not be available. This type of authentication also allows anonymous users to access maps or other portal resources that are shared with everyone.
When you use portal-level authentication, members in your enterprise will log in using the following syntax:
- If you are using a portal with your Active Directory, the syntax can bedomain\usernameorusername@domain. Regardless of how the member logs in, the username is always displayed asusername@domainon the portal website.
- If you are using a portal with LDAP, the syntax is alwaysusername. The portal website also displays the bill in this format.
Configuring enterprise logins using SAML
TheArcGIS Enterprisethe portal supports all SAML-compliant identity providers. The following guides show how to configure certain common SAML-compliant identity providers with the portal. For more information seeConfiguring a SAML compliant identity provider with your portal.
- Active Directory Federation Services (AD FS) 2.0 and later versions
- NetIQ Access Manager 3.2 and later versions
- OpenAM 10.1.0 and later versions
- Shibboleth 2.3.8 and later versions
- SimpleSAMLphp 1.10 and later
Account Lockout Policy
Software systems often implement account lockout policies to protect against mass automated attempts to guess user passwords. If a user makes a certain number of failed login attempts within a certain time interval, they may be denied further attempts for a certain period of time. These policies are balanced with the reality that users will sometimes forget their usernames and passwords and fail to log in successfully.
The locking policy enforced by Portal for ArcGIS depends on the type of identity storage you are using:
Built-in identity storage
Built-in identity storage locks the user out after ten consecutive invalid attempts. The shutdown lasts for ten minutes. This policy applies to all identity storage accounts, includinginitial administrator account. This policy cannot be modified or replaced.
Storage of company identity
When you use an enterprise identity store, the account lockout policy is inherited from the store. You may be able to modify your store account lockout policy. Consult your store type-specific documentation to learn how to change your account lockout policy.
Track failed login attempts
You can track failed login attempts by viewing portal logsPortal directory. Any failed attempts result in a warning-level message stating that the user failed to login due to an invalid username or password combination. If the user exceeds the maximum number of login attempts, a serious message is logged stating that the account is locked. Monitoring portal logs for failed login attempts can help you understand if there is a potential password attack on your system.
For more information seeWorking with portal logs.
Feedback on this topic?