Federating an ArcGIS Server site with your portal integrates the security and sharing models of your portal with one or more ArcGIS Server sites. Federation is optional unless you want to do the following:
- Configure your site with a Security Assertion Markup Language (SAML) identity provider.
- Host tile layers, feature layers, and scene layers published by members of the portal.
- Allow members of the portal to perform spatial analysis in Map Viewer.
When you add a server to your portal as described in this topic, you are federating the server with the portal. A server that has been added to your portal is called a federated server.
The elements of your ArcGIS Enterprise base deployment, including the hosting server, must all be at the same version as your portal. All ArcGIS GeoEvent Server sites, GeoAnalytics Server sites, and ArcGIS Image Server raster analytics sites must also match the portal's version.
However, some ArcGIS Server sites at version 10.5 or later can be federated with a portal of a more recent version. This applies to additional ArcGIS GIS Server sites beyond the hosting server, and to any ArcGIS Image Server not designated for raster analytics. No ArcGIS Server site can be federated with a portal from an earlier version than its own.
When you federate a server with your portal, the portal's security store controls all access to the server. This provides a convenient sign-on experience but also impacts how you access and administer the federated server. For example, when you federate, any users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by portal members, roles, and sharing permissions. Before federating, review the information in Administer a federated server to learn more about how federating will impact your existing site.
Services that exist on the ArcGIS Server site at the time of federation are automatically added to the portal as items. These items are owned by the portal administrator who performs federation. After federation, the portal administrator can reassign ownership of these items to existing portal members as desired. Any subsequent items you publish to the federated server are automatically added as items on the portal and are owned by the user who publishes them.
After federating, you can optionally designate a single server site to be the portal's hosting server. See the table in About using your portal with ArcGIS Server for a list of functionality available when your portal has a hosting server. See Configure a hosting server for instructions on designating one of your federated servers as the portal's hosting server.
Starting at 10.7, the managed database for the portal's hosting server must be a relational ArcGIS Data Store. You can continue to federate servers that use an enterprise geodatabase as their managed database; however, they cannot be set as the portal's hosting server.
If the server you want to federate uses web-tier authentication, you'll need to disable web-tier authentication (basic or digest) and enable anonymous access on the ArcGIS Web Adaptor configured with your site before federating it with the portal. Although it may sound counterintuitive, this is necessary so your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required. You can continue with the steps below.
If you'll be using your organization's reverse proxy server with Portal for ArcGIS, you'll need to add your portal to the reverse proxy server before performing the steps below. For full instructions, see Using a reverse proxy server with Portal for ArcGIS.
The following steps explain how to federate an ArcGIS Server site with your portal:
- By default, ArcGIS Server is configured to communicate using HTTP and HTTPS. Portal for ArcGIS uses HTTPS for communication by default. You can force HTTPS for all calls (HTTPS only) or allow the server to use either protocol (HTTP and HTTPS). The protocol chosen does not have to match that of the portal, except in the following scenarios:
- If you will be using Integrated Windows Authentication with your portal or you require HTTPS for all communication in your organization, you must configure ArcGIS Server and Portal for ArcGIS to communicate using HTTPS only.
- If you will be configuring the server as your portal's hosting server, the communication protocol chosen should match that of your portal. For example, if your portal is HTTPS only, the hosting server should be configured as HTTPS only. If the portal supports HTTP and HTTPS, the server protocol should be configured as HTTP and HTTPS.
For full instructions on changing the ArcGIS Server communication protocol, see the steps below:
- Open the ArcGIS Server Administrator Directory and sign in as a user who has administrative permissions. The Administrator Directory URL will be formatted as https://gisserver.domain.com:6443/arcgis/admin.
- Click security > config > update.
- On the Operation - update page, choose one of the following from the Protocol drop-down list:
- If you require HTTPS for all communication in your organization, choose HTTPS only.
- If you use Integrated Windows Authentication with your portal, you must choose HTTPS only.
- Click Update.
Your ArcGIS Server site restarts. Wait for it to restart completely before proceeding.
- Sign out of the Administrator Directory.
It takes ArcGIS Web Adaptor approximately one minute to recognize changes to the communication protocol of your site.
At 10.2.1 and earlier versions, you were required to reconfigure ArcGIS Web Adaptor after updating the communication protocol of ArcGIS Server. At 10.2.2 and later versions, this is no longer necessary.
- If you are federating an ArcGIS Server that uses a wildcard security certificate, import the root certificate into your portal before federating. If the portal only has a wildcard certificate for the federated server, it cannot validate the certificate CNAME and thus will be unable to publish services and perform some other operations.
- Sign in to the Portal for ArcGIS website as an administrator and browse to Organization > Settings > Servers.
In this step, you must connect to the website through the Web Adaptor URL (such as https://webadaptorhost.domain.com/webadaptorname/home). Do not use the internal URL on port 7443.
- Click Add Server.
- Provide the following information:
- Services URL—The URL used by external users when accessing the ArcGIS Server site. If the site includes the Web Adaptor, the URL includes the Web Adaptor address, for example, http://webadaptorhost.domain.com/webadaptorname. If you've added ArcGIS Server to your organization's reverse proxy server, the URL is the reverse proxy server address (for example, http://reverseproxy.domain.com/myorg). If your organization requires HTTPS for all communication, use https instead of http. Note that the federation operation will perform a validation check to determine if the provided Services URL is accessible from the server site. If the resulting validation check fails, a warning will be generated in the Portal for ArcGIS logs. However, federation will not fail if the Services URL is not validated, as the URL may not be accessible from the server site, such as is the case when the server site is behind a firewall.
- Administration URL—The URL used for accessing ArcGIS Server when performing administrative operations on the internal network, for example, http://gisserver.domain.com:6080/arcgis. If your organization requires HTTPS for all communication (such as when using Integrated Windows Authentication), use https://gisserver.domain.com:6443/arcgis.
If you federate with a multimachine site or highly available ArcGIS Server, or if your ArcGIS Server is hosted in a cloud environment, use the Web Adaptor or load balancer URL in this field instead. The Administration URL setting must be a URL that the portal can use to communicate with all servers in the site, even when one of them is unavailable. If you use a Web Adaptor for this URL, ensure that you have enabled administrative access to the server through the Web Adaptor.
- Username—The name of the primary site administrator account that was used to initially sign in to Manager and administer ArcGIS Server. If this account is disabled, you'll need to reenable it.
- Password—The password of the primary site administrator account.
- Click Add.
- Click Save to save the federated server settings.
Now that your server is federated with the portal, you'll use a URL such as https://gisserver.domain.com:6443/arcgis/manager to sign in to ArcGIS Server Manager. If the site includes multiple ArcGIS Server machines, this will be the URL of the machine you specified for the Administration URL setting. You'll be required to supply the name and password of a portal account. There are various other differences you'll encounter when working with a federated server that you can read about in Administering a federated server.
After federating your server with the portal, you may also want to do the following:
Configure one of your federated servers as a hosting server—This allows your portal users to publish hosted layers to the portal. They can do this from the portal website, the My Hosted Services node in the Catalog tree in ArcMap, or ArcGIS Pro.
When you specify a hosting server for your portal, the hosting server's print service is automatically configured with the portal. You'll only need to start and share the print service to use it in the portal. However, if you've previously configured a print service with your portal, the URL is not updated when specifying a hosting server. You'll need to start the service, share the service, and configure it as a utility service.
Disable the primary site administrator account—This is not necessary for all sites, but it can provide an extra measure of security by forcing all users to use portal accounts and tokens.