Federate an ArcGIS Server site with your portal
Federating an ArcGIS Server site with your portal is an advanced configuration for integrating the security and sharing models of your portal with one or more ArcGIS Server sites. Federation is optional unless you want to do the following:
- Configure your site with a Security Assertion Markup Language (SAML)identity provider.
- Host tile layers, feature layers, and scene layers published by members of the portal.
When you add a server to your portal in this manner, it is said that you are federating the server with the portal. A server that has been added to your portal is a federated server.
When you federate a server with your portal, the portal's security store controls all access to the server. This provides a convenient sign-on experience, but also impacts how you access and administer the federated server. For example, when you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members, roles, and sharing permissions. Before federating, review the information in Administer a federated server to learn more about how federating will impact your existing site.
When you federate, existing ArcGIS Server services are automatically shared as portal items. These items are owned by the administrator who performs federation. After federation, ownership can be reassigned to existing portal members as desired. Any subsequent items you publish to the server are automatically shared on the portal.
After federating, you can optionally designate a single server site to host cached maps, feature services, and scene services (tile layers, feature layers, and scene layers) published by members of the portal. This is referred to as configuring a hosting server for your portal.
If the server you want to federate uses web-tier authentication, you'll need to disable web-tier authentication (basic or digest) and enable anonymous access on the ArcGIS Web Adaptor configured with your site before federating it with the portal. Although it may sound counterintuitive, this is necessary so your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required. You can continue with the steps below.
If you'll be using your organization's reverse proxy server with Portal for ArcGIS, you'll need to add your portal to the reverse proxy server before performing the steps below. For full instructions, see Using a reverse proxy server with Portal for ArcGIS.
The following steps explain how to federate an ArcGIS Server site with your portal:
- By default, ArcGIS Server is configured to communicate using HTTP only. Conversely, Portal for ArcGIS uses HTTP and HTTPS for communication by default. Because some communication between the portal and the server needs to be encrypted, you must update your ArcGIS Server site to communicate through HTTPS. You can force HTTPS for all calls (HTTPS only) or allow the server to use either protocol (HTTP and HTTPS). The protocol chosen does not have to match that of the portal, except in the following scenarios:
- If you require HTTPS for all communication in your organization, you must configure ArcGIS Server and Portal for ArcGIS to communicate using HTTPS only.
- If you will be configuring the server as your portal's hosting server, the communication protocol chosen should match that of your portal. For example, if your portal is HTTPS-only, then the hosting server should be configured as HTTPS-only. If the portal supports HTTP and HTTPS, then the server protocol should be configured as HTTP and HTTPS.
For full instructions on changing the ArcGIS Server communication protocol, see the steps below:
- Open the ArcGIS Server Administrator Directory and log in as a user who has administrative permissions. The Administrator Directory URL will be formatted http://gisserver.domain.com:6080/arcgis/admin.
- Click security > config > update.
- On the Operation - update page, select one of the following from the Protocol drop-down list:
- If you require SSL for all communication in your organization, select HTTPS only.
- If you use Integrated Windows Authentication with your portal, you must select HTTPS only.
- If you do not require Secure Sockets Layer (SSL) for all communication in your organization or Integrated Windows Authentication, select HTTP and HTTPS.
- Click Update.
Your ArcGIS Server site is restarted. You'll need to wait for it to restart completely before proceeding.
- Log out of the Administrator Directory.
It takes ArcGIS Web Adaptor approximately one minute to recognize changes to the communication protocol of your site.
At 10.2.1 and earlier versions, you were required to reconfigure ArcGIS Web Adaptor after updating the communication protocol of ArcGIS Server. At 10.2.2 and later versions, this is no longer necessary.
- Sign in to the Portal for ArcGIS website as an administrator and browse to My Organization > Edit Settings > Servers.
In this step, you must connect to the website through the Web Adaptor URL (such as https://webadaptor.domain.com/arcgis/home). Do not use the internal URL on port 7443.
- Click Add Server.
- Provide the following information:
- Services URL—The URL used by external users when accessing the ArcGIS Server site. If the site includes the Web Adaptor, the URL includes the Web Adaptor address, for example, http://webadaptor.domain.com/arcgis. If you've added ArcGIS Server to your organization's reverse proxy server, the URL is the reverse proxy server address (for example, http://reverseproxy.domain.com/myorg). If your organization requires SSL for all communication, use https instead of http.
- Administration URL—The URL used for accessing ArcGIS Server when performing administrative operations on the internal network, for example, http://gisserver.domain.com:6080/arcgis. If your organization requires SSL for all communication (such as when using Integrated Windows Authentication), use https://gisserver.domain.com:6443/arcgis.
- Username—The name of the primary site administrator account that was used to initially log in to Manager and administer ArcGIS Server. If this account is disabled, you'll need to reenable it.
- Password—The password of the primary site administrator account.
- Click Add.
- Click Save to save the federated server settings.
Now that your server is federated with the portal, you'll use a URL such as https://gisserver.domain.com:6443/arcgis/manager to log in to ArcGIS Server Manager. If the site includes multiple GIS servers, this will be the URL of the machine you specified for the Administration URL. You'll be required to supply the name and password of a portal account. There are various other differences you'll encounter when working with a federated server that you can read about in Administering a federated server.
After federating your server with the portal, you may also want to do the following:
Configure one of your federated servers as a hosting server—This allows your portal users to publish services to the portal. They can do this from the portal website or the My Hosted Services node in the Catalog tree in ArcMap.
When you specify a hosting server for your portal, the hosting server's print service is automatically configured with the portal. You'll only need to start and share the print service to use it in the portal. However, if you've previously configured a print service with your portal, the URL is not updated when specifying a hosting server. You'll need to start the service, share the service, and then configure it as a utility service. To learn more, see Configuring utility services.
Disable the primary site administrator account—This is not necessary for all sites, but it can provide an extra measure of security by forcing all users to use portal accounts and tokens.