The primary factor you should use to determine how you configure security in your ArcGIS Enterprise deployment is the source of users and, optionally, groups for your portal. This source of users and groups is called your identity store. Users and groups within or outside your organization are managed through the identity store.
- Understanding identity stores
- Configuring built-in users using the portal's identity store
- Configuring organization-specific logins using web-tier authentication
- Configuring organization-specific logins using SAML
Understand identity stores
The identity store for your portal defines where the credentials of your portal accounts are stored, how authentication occurs, and how group membership is managed. The ArcGIS Enterprise portal supports two types of identity stores: built-in and organization-specific identity stores.
Built-in identity store
The ArcGIS Enterprise portal can be configured to allow members to easily create accounts and groups in your portal. When enabled, you can use the Create an account link on the portal website Sign In page to add a built-in account to your portal and start contributing content to the organization or access resources created by other members. When you create accounts and groups in your portal this way, you are leveraging the built-in identity store, which performs authentication and stores portal account user names, passwords, roles, and group membership.
You must use the built-in identity store to create the initial administrator account for your portal, but you can later switch to an organization-specific identity store. The built-in identity store is useful to get your portal up and running, and also for development and testing. However, production environments typically leverage an organization-specific identity store.
Organization-specific identity store
The ArcGIS Enterprise portal is designed so you can use organization-specific accounts and groups to control access to your ArcGIS organization. For example, you can control access to the portal by using credentials from your Lightweight Directory Access Protocol (LDAP) server, Active Directory server, and identity providers that support Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign On. This process is described throughout the documentation as setting up organization-specific logins.
The advantage of this approach is that you do not need to create additional accounts in the portal. Members use the login that is already set up in the organization-specific identity store. The management of account credentials, including policies for password complexity and expiration, is completely external to the portal. This enables a single sign-on experience so users do not need to reenter their credentials.
Similarly, you can also create groups in the portal that leverage the existing enterprise groups in your identity store. Also, organization-specific accounts can be added in bulk from the enterprise groups in your organization. When members sign in to the portal, access to content, items, and data is controlled by the membership rules defined in the enterprise group. The management of group membership is completely external to the portal.
For example, a recommended practice is to disable anonymous access to your portal, connect your portal to the desired enterprise groups in your organization, and add the organization-specific accounts based on those groups. In this way, you restrict access to the portal based on specific enterprise groups in your organization.
Use an organization-specific identity store if your organization wants to set policies for password expiration and complexity, control access using existing enterprise groups, or leverage authentication over Integrated Windows Authentication (IWA) or Public Key Infrastructure (PKI). Authentication can be handled at the web-tier level (using web-tier authentication), at the portal-tier level (using portal-tier authentication), or through an external identity provider (using SAML).
Using an Active Directory identity store, ArcGIS Enterprise supports authentication from multiple domains with a single forest, but it does not provide cross-forest authentication. To support organization-specific users from multiple forests, a SAML identify provider is required.
Support multiple identity stores
Using SAML 2.0, you can allow access to your portal using multiple identity stores. Users can sign in with built-in accounts and accounts managed in multiple SAML-compliant identity providers configured to trust one another. This is a good way to manage users that may reside within or outside your organization. For full details, see Configure a SAML-compliant identity provider with your portal.
Configure built-in users and groups using the portal's identity store
No steps are necessary to configure the portal when using built-in users and groups; the portal is ready for built-in users and groups immediately after installing the software. If you are using organization-specific users, see the following sections and related links for more information.
Configure organization-specific logins
The following organization-specific identity providers can be configured with the portal. Authentication can be handled at the web tier (using ArcGIS Web Adaptor) or at the portal tier.
If your portal is running on a Windows server and you have a Windows Active Directory configured, you can use Integrated Windows Authentication to connect to your portal. This enables an automatic or single-sign on experience for users of the portal through web-tier authentication. To use Windows authentication, your Web Adaptor must be deployed to Microsoft's IIS web server.
If you have an LDAP directory, you can use it with the ArcGIS Enterprise portal. See Use your portal with LDAP and web-tier authentication for more information. If you want to use LDAP, deploy your Web Adaptor to a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic.
If your organization has a PKI, you can use certificates to authenticate communication with your portal using HTTPS. When authenticating users, you have the option to use Windows Active Directory or Lightweight Directory Access Protocol (LDAP). To use Windows authentication, your Web Adaptor must be deployed to Microsoft's IIS web server. To use LDAP, your Web Adaptor must be deployed to a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic. It is not possible to enable anonymous access to your portal when using PKI.
If you want to allow access to your portal using both organization-specific and built-in identity stores without using SAML, you can use portal-tier authentication. This is achieved by configuring the portal with your Active Directory or LDAP identity store, and then enabling anonymous access in IIS or your Java application server. When a user accesses the portal sign-in page, they will be able to sign in using either organization-specific credentials or built-in credentials. Organization-specific users will be required to enter their account credentials each time they sign in to the portal; automatic or single-sign on is not available. This type of authentication also allows anonymous users access to maps or other portal resources that are shared with everyone.
When using portal-tier authentication, members will sign in using the following syntax:
- If using the portal with your Active Directory, the syntax can be domain\username or username@domain. Regardless of how the member signs in, the user name always displays as username@domain in the portal website.
- If using the portal with LDAP, the syntax is always username. The portal website also displays the account in this format.
Configure organization-specific logins using SAML
The ArcGIS Enterprise portal supports all SAML-compliant identity providers. The following tutorials demonstrate how to configure certain common SAML-compliant identity providers with the portal. For more information, see Configure a SAML-compliant identity provider with your portal.
Account lockout policy
Software systems often enforce an account lockout policy to protect against mass automated attempts to guess a user's password. If a user makes a certain number of failed login attempts within a particular time interval, they may be denied further attempts for a designated time period. These policies are balanced against the reality that sometimes users will forget their names and passwords and fail to sign in successfully.
The enforced portal lockout policy depends on which type of identity store you're using:
Built-in identity store
The built-in identity store locks out a user after five consecutive invalid attempts. The lockout lasts for 15 minutes. This policy applies to all accounts in the identity store, including the initial administrator account. This policy cannot be modified or replaced.
Organization-specific identity store
When you're using an organization-specific identity store, the account lockout policy is inherited from the store. You may be able to modify the account lockout policy for the store. Consult the documentation specific to the store type to learn how to change the account lockout policy.
Monitor failed login attempts
You can monitor failed login attempts by viewing the portal logs in the Portal Directory. Any failed attempts result in a warning-level message stating that the user failed to sign in because of an invalid user name or password combination. If the user exceeds the maximum number of login attempts, a severe-level message is logged stating that the account has been locked out. Monitoring the portal logs for failed login attempts can help you understand if there is a potential password attack on your system.
For more information, see Work with portal logs.