The primary factor you should use to determine how you configure security in your ArcGIS Enterprise organization is the source of users and, optionally, groups. This source of users and groups is called your identity store. Users and groups within or outside your organization are managed through the identity store.
- Understand identity stores
- Configure built-in users using the portal's identity store
- Configure organization-specific logins using web-tier authentication
- Configure organization-specific logins using SAML
Understand identity stores
The identity store for your organization defines where the credentials of your portal accounts are stored, how authentication occurs, and how group membership is managed. The ArcGIS Enterprise organization supports two types of identity stores: built-in and organization-specific identity stores.
Built-in identity store
The ArcGIS Enterprise portal can be configured to allow members to create accounts and groups in your portal. When enabled, you can use the Create an account link on the portal website Sign In page to add a built-in account to your portal and start contributing content to the organization or access resources created by other members. When you create accounts and groups in your portal this way, you are using the built-in identity store, which performs authentication and stores portal account usernames, passwords, roles, and group membership.
You must use the built-in identity store to create the initial administrator account for your organization, but you can later switch to an organization-specific identity store. The built-in identity store is useful to get your portal up and running, and also for development and testing. However, production environments typically use an organization-specific identity store.
If you need to revert from an organization-specific identity store to a built-in identity store, you can do so by deleting any information in the User store configuration and Group store configuration text boxes in the Update Identity Store page within the portal's Administrator Directory. For more information, see the ArcGIS REST API documentation.
Organization-specific identity store
ArcGIS Enterprise is designed so you can use organization-specific accounts and groups to control access to your ArcGIS organization. For example, you can control access to the portal by using credentials from your Lightweight Directory Access Protocol (LDAP) server and identity providers that support Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign On. This process is described throughout the documentation as setting up organization-specific logins.
The advantage of this approach is that you do not need to create additional accounts in the portal. Members use the login that is already set up in the organization-specific identity store. The management of account credentials, including policies for password complexity and expiration, is completely external to the portal. This enables a single sign-on experience so users do not need to reenter their credentials.
Similarly, you can also create groups in the portal that use the existing Active Directory, LDAP, or SAML groups in your identity store. Also, organization-specific accounts can be added in bulk from the Active Directory, LDAP, or SAML groups in your organization. When members sign in to the portal, access to content, items, and data is controlled by the membership rules defined in the Active Directory, LDAP, or SAML group. The management of group membership is completely external to the portal.
For example, a recommended practice is to disable anonymous access to your portal, connect your portal to the desired Active Directory, LDAP, or SAML groups in your organization, and add the organization-specific accounts based on those groups. In this way, you restrict access to the portal based on specific Active Directory, LDAP, or SAML groups in your organization.
Use an organization-specific identity store if your organization wants to set policies for password expiration and complexity, control access using existing LDAP or SAML groups, or use authentication over LDAP or public key infrastructure (PKI)-based client certificate authentication. Authentication can be handled at the web-tier level (using web-tier authentication), at the portal-tier level (using portal-tier authentication), or through an external identity provider (using SAML).
Support multiple identity stores
Using SAML 2.0, you can allow access to your portal using multiple identity stores. Users can sign in with built-in accounts and accounts managed in multiple SAML-compliant identity providers configured to trust one another. This is a good way to manage users who may reside within or outside your organization. For details, see Configure a SAML-compliant identity provider with your portal.
Configure built-in users and groups using the portal's identity store
No steps are necessary to configure the portal when using built-in users and groups; the portal is ready for built-in users and groups immediately after installing the software. If you are using organization-specific users, see the following sections and related links for more information.
Configure organization-specific logins
The following organization-specific identity providers can be configured with the portal. Authentication can be handled at the web tier (using ArcGIS Web Adaptor) or at the portal tier.
If you have an LDAP directory, you can use it with the ArcGIS Enterprise portal. See Use your portal with LDAP and web-tier authentication for more information. To use LDAP, deploy your Web Adaptor to a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic.
If your organization has PKI-based client certificate authentication, you can use certificates to authenticate communication with your portal using HTTPS. It is not possible to enable anonymous access to your portal when using client certificate authentication. See Use LDAP and PKI to secure access to your portal for more information.
If you want to allow access to your portal using both organization-specific and built-in identity stores without using SAML, you can use portal-tier authentication. This is achieved by configuring the portal with your LDAP identity store, and enabling anonymous access in your Java application server. When a user accesses the portal sign-in page, they will be able to sign in using either organization-specific credentials or built-in credentials. Organization-specific users will be required to enter their account credentials each time they sign in to the portal; automatic or single-sign on is not available. This type of authentication also allows anonymous users access to maps or other portal resources that are shared with everyone.
When using portal-tier authentication, members will sign in using the following syntax:
- If using the portal with your Active Directory, the syntax can be domain\username or username@domain. Regardless of how the member signs in, the username always displays as username@domain in the portal website.
- If using the portal with LDAP, the syntax is always username. The portal website also displays the account in this format.
Configure organization-specific logins using SAML
The ArcGIS Enterprise portal supports all SAML-compliant identity providers. For more information, see Configure a SAML-compliant identity provider with your portal.
Account lockout policy
Software systems often enforce an account lockout policy to protect against mass automated attempts to guess a user's password. If a user makes a certain number of failed login attempts within a particular time interval, they may be denied further attempts for a designated time period. These policies are balanced against the reality that sometimes users will forget their names and passwords and fail to sign in successfully.
The enforced portal lockout policy depends on which type of identity store you're using:
Built-in identity store
The built-in identity store locks out a user after five consecutive invalid attempts. The lockout lasts for 15 minutes. This policy applies to all accounts in the identity store, including the initial administrator account. This policy cannot be modified or replaced.
Organization-specific identity store
When you're using an organization-specific identity store, the account lockout policy is inherited from the store. You may be able to modify the account lockout policy for the store. Consult the documentation specific to the store type to learn how to change the account lockout policy.
Monitor failed login attempts
You can monitor failed login attempts by viewing the portal logs in the Portal Directory. Any failed attempts result in a warning-level message stating that the user failed to sign in because of an invalid username or password combination. If the user exceeds the maximum number of login attempts, a severe-level message is logged stating that the account has been locked out. Monitoring the portal logs for failed login attempts can help you determine whether there is a potential password attack on your system.
For more information, see Work with portal logs.