Skip To Content

Configure security settings

As an administrator of your organization, you determine whether HTTPS is required for all transactions and whether anonymous access is allowed to your portal. You can also configure trusted servers.

  1. Verify that you are signed in as an Administrator of your organization.
  2. Click My Organization at the top of the site and click Edit Settings.
  3. Click Security on the left side of the page.
  4. Configure any of the following security settings:
    • Check Allow access to the organization through HTTPS only.

      HTTPS ensures that your organization's data as well as any temporary identification tokens that allow access to your data are encrypted during communications over the Internet. Turning on HTTPS may affect the performance of the site.

    • Check Allow anonymous access to your organization.

      If left unchecked, anonymous users will not be able to access your organization's website. They will also not be able to view your maps with Bing Maps (if your organization is configured for Bing Maps). If you enable anonymous access (by checking the box), make sure that the groups selected for the site configuration groups are shared to the public; otherwise, anonymous users may not be able to properly view or access the public content of those groups.

    • For Password Policy, click Update Password Policy to configure the password length, complexity, and history requirements for members with built-in accounts. Click Use Default Portal Policy to reset the organization to use the standard Portal for ArcGIS password policy (at least eight characters with at least one letter and one number).

      You can determine the character length and whether the password must contain at least one of any of the following: letter, uppercase letter, lowercase letter, number, or special character. You can also configure the number of days before the password expires and the number of past passwords that the member may not reuse. Passwords are case sensitive.

      When members change their passwords, they must conform to the organization's policy. If they don't, a message appears with the policy details.

      The password policy of the organization does not apply to enterprise logins or app credentials that use app IDs and app secrets.

    • If you have configured a SAML-compliant identity provider with your portal, you see a Sign In Options section where you can configure the options that appear on the portal sign-in page. Choose the radio button next to Either their (idphost) or Portal for ArcGIS account or Their (idphost) account only. For example, if you want all members to sign in only with their login for the SAML-compliant identity provider, you should choose the second radio button. Otherwise, choose the first radio button to make both options for logging into the portal available on the portal sign-in page.

    • For Trusted Servers, configure the list of trusted servers you wish your clients to send credentials to when making Cross-Origin Resource Sharing (CORS) requests to access services secured with web-tier authentication. This applies primarily to editing secure feature services from a stand-alone (unfederated) ArcGIS Server or viewing secure OGC services. ArcGIS Servers hosting services secured with token-based security do not need to be added to this list. Servers added to the trusted servers list must support CORS. Layers hosted on servers without CORS support may not function as expected. ArcGIS Server supports CORS by default at versions 10.1 and later. To configure CORS on non-ArcGIS servers, please refer to the vendor documentation for the web server.

      The host names need to be entered individually. Wildcards cannot be used and are not accepted. The host name can be entered with or without the protocol in front of it. For example, the host name secure.esri.com can be entered as secure.esri.com, http://secure.esri.com, or https://secure.esri.com.

      Note:

      Editing feature services secured with web-tier authentication requires a web browser enabled with Cross-Origin Resource Sharing (CORS). The latest versions of Firefox, Chrome, Safari, and Internet Explorer 10 and later are CORS enabled. CORS is not supported in IE prior to version 10. To test if your browser has CORS enabled, open http://caniuse.com/cors.

  5. Click Save to save the changes you've made.