When using Lightweight Directory Access Protocol (LDAP) to authenticate users, you can use a public key infrastructure (PKI) to secure access to your portal.
To use LDAP and PKI, you must set up PKI-based client certificate authentication using ArcGIS Web Adaptor (Java Platform) deployed to a Java application server. You cannot use ArcGIS Web Adaptor (IIS) to perform PKI-based client certificate authentication with LDAP. If you haven't done so already, install and configure ArcGIS Web Adaptor (Java Platform) with your portal.
Note:
If you'll be adding an ArcGIS Server site to your portal and want to use LDAP and PKI with the server, you'll need to disable PKI-based client certificate authentication on your ArcGIS Server site and enable anonymous access before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using PKI-based client certificate authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federating an ArcGIS Server site with your portal.
Configure your portal with LDAP
By default, Portal for ArcGIS enforces HTTPS for all communication. If you have previously changed this option to allow both HTTP and HTTPS communication, you will need to reconfigure the portal to use HTTPS-only communication by following the steps below.
Configure the portal to use HTTPS for all communication
- Sign in to the portal website as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
- Click Organization and click the Settings tab, and then click Security on the left side of the page.
- Enable Allow access to the portal through HTTPS only.
Update your portal's identity store
Next, update your portal's identity store to use LDAP users and groups.
- Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click Security > Config > Update Identity Store.
- In the User store configuration (in JSON format) text box, paste your organization's LDAP user configuration information (in JSON format). Alternatively, you can update the following sample with user information specific to your organization:
{ "type": "LDAP", "properties": { "userPassword": "secret", "isPasswordEncrypted": "false", "user": "uid=admin,ou=system", "userFullnameAttribute": "cn", "userGivenNameAttribute": "givenName", "userSurnameAttribute": "sn", "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com", "userEmailAttribute": "mail", "usernameAttribute": "uid", "caseSensitive": "false", "userSearchAttribute": "dn" } }
In most cases, you'll only need to alter values for the user, userPassword, ldapURLForUsers, and userSearchAttribute parameters. The userSearchAttribute is the value of the Subject parameter of the PKI certificate. If your organization uses another attribute in the PKI certificate, such as email, you must update the userSearchAttribute parameter to match the Subject parameter in the PKI certificate. The URL to your LDAP will need to be provided by your LDAP administrator.
In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:
"ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",
The account you use for the user parameter needs permissions to look up the email address and user names of users in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).
If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.
- If you want to create groups in the portal that leverage the existing enterprise groups in your identity store, paste your organization's LDAP group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. Alternatively, you can update the following sample with group information specific to your organization. If you only want to use the portal's built-in groups, delete any information in the text box and skip this step.
{ "type": "LDAP", "properties": { "userPassword": "secret", "isPasswordEncrypted": "false", "user": "uid=admin,ou=system", "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com", "ldapURLForRoles": "ldaps://bar2:10636/dc=example,dc=com", "usernameAttribute": "uid", "caseSensitive": "false", "userSearchAttribute": "dn", "memberAttributeInRoles": "member", "rolenameAttribute":"cn" } }
In most cases, you'll only need to alter values for the user, userPassword, ldapURLForUsers, ldapURLForGroups, and userSearchAttribute parameters. The userSearchAttribute is the value of the Subject parameter of the PKI certificate. If your organization uses another attribute in the PKI certificate, such as email, you must update the userSearchAttribute parameter to match the Subject parameter in the PKI certificate. The URL to your LDAP will need to be provided by your LDAP administrator.
In the example above, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:
"ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",
The account you use for the user parameter needs permissions to look up the names of groups in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).
If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.
- Click Update Configuration to save your changes.
- If you've configured a highly available portal, restart each portal machine. See Stopping and starting the portal for full instructions.
Add enterprise accounts to your portal
By default, enterprise users can access the portal website. However, they can only view items that have been shared with everyone in the organization. This is because the enterprise accounts have not been added to the portal and granted access privileges.
Add accounts to your portal using one of the following methods:
- Portal for ArcGIS website (one at a time, in bulk from a CSV file, or from existing enterprise groups)
- Python script
- Command line utility
- Automatically
It's recommended that you designate at least one enterprise account as an Administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Once the accounts have been added and you complete the steps below, users will be able to sign in to the organization and access content.
Configure ArcGIS Web Adaptor to use PKI authentication
Once you've installed and configured ArcGIS Web Adaptor (Java Platform) with your portal, configure an LDAP realm on your Java application server and configure PKI-based client certificate authentication for ArcGIS Web Adaptor. For instructions, consult your system administrator or the product documentation for your Java application server.
Verify portal access using LDAP and PKI
To verify you can access the portal using LDAP and PKI, complete the following steps:
- Open the portal website. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
- Verify that you are prompted for your security credentials and can access the website.
Prevent users from creating their own built-in accounts
You can prevent users from creating their own built-in accounts by disabling the ability for users to create new built-in accounts in the organization settings.