
Use your portal with LDAP and web-tier authentication

You can secure access to your portal using Lightweight Directory Access Protocol (LDAP). When you use LDAP, logins are managed through your organization's LDAP server.

To use LDAP, you can set up portal-tier authentication or web-tier authentication using ArcGIS Web Adaptor (Java Platform) deployed to a Java application server. You cannot use ArcGIS Web Adaptor (IIS) to perform web-tier authentication with LDAP. If you haven't done so already, install and configure ArcGIS Web Adaptor (Java Platform) with your portal.

Note:

If you plan to add an ArcGIS Server site to your portal and choose to use web-tier authentication on that site, you must disable web-tier authentication (basic or digest) in the ArcGIS Web Adaptor configured for the site and enable anonymous access before adding the site to the portal. Although this may seem counterintuitive, it is necessary so that the server can federate with the portal and read the portal's users and roles. If the ArcGIS Server site does not yet use web-tier authentication, no action is required. For instructions on adding a server to your portal, see Federating an ArcGIS Server site with your portal.

Configure your portal with LDAP

First, configure the portal to use HTTPS for all communication. Then update your portal's identity store to use LDAP users and groups.

Configure the portal to use HTTPS for all communication

  1. Sign in to the portal website as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
  2. On the Organization page, click Edit Settings, then click Security.
  3. Check Allow access to the portal through HTTPS only.
  4. Click Save to apply your changes.

Update your portal's identity store

  1. Sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
  2. Click Security > Config > Update Identity Store.
  3. In the User store configuration (in JSON format) text box, paste your organization's LDAP user configuration information (in JSON format). Alternatively, you can update the following sample with user information specific to your organization.

    {
      "type": "LDAP",
      "properties": {
        "userPassword": "secret",
        "isPasswordEncrypted": "false",
        "user": "uid=admin,ou=system",
        "userFullnameAttribute": "cn",
        "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
        "userEmailAttribute": "mail",
        "usernameAttribute": "uid",
        "caseSensitive": "false",
        "userSearchAttribute": "uid"
      }
    }

    In most cases, you'll only need to alter values for the user, userPassword, and ldapURLForUsers parameters. The URL to your LDAP will need to be provided by your LDAP administrator.

    In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher level OU or even the root level if needed. In that case, the URL would instead look like this:

    "ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",

    The account you use for the user parameter needs permissions to look up the email address and user names of users in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).

    If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.

  4. If you want to create groups in the portal that leverage the existing enterprise groups in your identity store, paste your organization's LDAP group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. Alternatively, you can update the following sample with group information specific to your organization. If you only want to use portal's built-in groups, delete any information in the text box and skip this step.

    {
      "type": "LDAP",
      "properties": {
        "userPassword": "secret",
        "isPasswordEncrypted": "false",
        "user": "uid=admin,ou=system",
        "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
        "ldapURLForRoles": "ldaps://bar2:10636/dc=example,dc=com",
        "usernameAttribute": "uid",
        "caseSensitive": "false",
        "userSearchAttribute": "uid",
        "memberAttributeInRoles": "member",
        "rolenameAttribute": "cn"
      }
    }

    In most cases, you'll only need to alter values for the user, userPassword, ldapURLForUsers, and ldapURLForRoles parameters. The URLs to your LDAP will need to be provided by your LDAP administrator.

    In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher level OU or even the root level if needed. In that case, the URL would instead look like this:

    "ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com",

    The account you use for the user parameter needs permissions to look up the names of groups in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).

    If your LDAP is configured to be case sensitive, set the caseSensitive parameter to true.

  5. Click Update Configuration to save your changes.
  6. If you've configured a highly available portal, restart each portal machine. See Stopping and starting the portal for full instructions.
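As an added example (not Esri's code and not part of the original page), the following Python script checks an identity-store JSON of the shape shown in steps 3 and 4 before it is pasted into the Portal Directory. The property names come from the samples above; the checks themselves (ldaps scheme, host present, cleartext bind password flagged, caseSensitive written as the strings "true"/"false"), the sample data and the script name check_ldap_store.py are this example's own assumptions, not documented portal requirements.

```python
"""Pre-flight check for an ArcGIS Portal LDAP identity-store JSON.

Added example, not Esri code. Property names come from the user-store and
group-store samples on this page; the checks (ldaps scheme, host present,
cleartext bind password flagged, caseSensitive spelled as the strings
"true"/"false") are this script's own assumptions about what is worth
catching before clicking Update Configuration.
"""
import json
import sys
from urllib.parse import urlparse

# Property names taken from the page's samples.
USER_STORE_KEYS = {
    "user", "userPassword", "ldapURLForUsers", "usernameAttribute",
    "userSearchAttribute", "caseSensitive",
}
GROUP_STORE_KEYS = USER_STORE_KEYS | {
    "ldapURLForRoles", "memberAttributeInRoles", "rolenameAttribute",
}

# Constructed copy of the page's user-store sample, used as test input.
SAMPLE_USER_STORE = {
    "type": "LDAP",
    "properties": {
        "userPassword": "secret",
        "isPasswordEncrypted": "false",
        "user": "uid=admin,ou=system",
        "userFullnameAttribute": "cn",
        "ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com",
        "userEmailAttribute": "mail",
        "usernameAttribute": "uid",
        "caseSensitive": "false",
        "userSearchAttribute": "uid",
    },
}


def parse_ldap_url(url):
    """Split an LDAP URL into (scheme, host, port, base DN).

    ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com
        -> ("ldaps", "bar2", 10636, "ou=users,ou=ags,dc=example,dc=com")
    Port is None when the URL carries no explicit port.
    """
    parts = urlparse(url)
    return parts.scheme, parts.hostname, parts.port, parts.path.lstrip("/")


def check_store(config, store="user"):
    """Return a list of findings for a user ("user") or group ("group") store.

    An empty list means nothing was flagged.
    """
    findings = []
    if config.get("type") != "LDAP":
        findings.append('type must be "LDAP"')
    props = config.get("properties", {})
    required = USER_STORE_KEYS if store == "user" else GROUP_STORE_KEYS
    for key in sorted(required - set(props)):
        findings.append(f"missing property: {key}")

    for key in ("ldapURLForUsers", "ldapURLForRoles"):
        if key not in props:
            continue
        scheme, host, _port, base_dn = parse_ldap_url(props[key])
        if scheme != "ldaps":
            findings.append(f"{key}: scheme is {scheme!r}, not ldaps; bind "
                            "credentials and lookups would travel unencrypted")
        if not host:
            findings.append(f"{key}: host is missing")
        if not base_dn:
            findings.append(f"{key}: no base DN after the host")

    # The page says the portal encrypts the password on Update Configuration,
    # so a cleartext value is expected in the pasted JSON; the finding is a
    # reminder not to leave the file lying around afterwards.
    if props.get("isPasswordEncrypted", "false") == "false" and props.get("userPassword"):
        findings.append("userPassword is cleartext: the portal encrypts it on "
                        "Update Configuration, so do not keep this file around")
    if props.get("caseSensitive") not in ("true", "false"):
        findings.append('caseSensitive must be the string "true" or "false"')
    return findings


if __name__ == "__main__":
    # Usage: python check_ldap_store.py store.json [user|group]
    with open(sys.argv[1]) as fh:
        cfg = json.load(fh)
    kind = sys.argv[2] if len(sys.argv) > 2 else "user"
    for line in check_store(cfg, kind) or ["no findings"]:
        print(line)
```

Run it against the user store first, then again with `group` against the group store JSON, and resolve every finding except the cleartext-password reminder before pasting the text into the Portal Directory.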

Add enterprise accounts to your portal

By default, enterprise users can access the portal website. However, they can only view items that have been shared with everyone in the organization. This is because the enterprise accounts have not been added to the portal and granted access privileges.

Add accounts to your portal using one of the following methods:

It's recommended you designate at least one enterprise account as an Administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Once the accounts have been added and you complete the steps below, users will be able to sign in to the organization and access content.

Configure ArcGIS Web Adaptor to use web-tier authentication

Once you've installed and configured ArcGIS Web Adaptor (Java Platform) with your portal, configure an LDAP realm on your Java application server and specify the web-tier authentication method for ArcGIS Web Adaptor. For instructions, consult your system administrator, the product documentation for your Java application server, or Esri Professional Services.

Verify you can access the portal using LDAP

  1. Open the portal website. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
  2. Verify that you are prompted for your enterprise account credentials. If you do not see this behavior, verify the enterprise account you used to log in to the machine was added to the portal.

Prevent users from creating their own built-in accounts

To prevent people from creating their own built-in accounts, disable the Create an account button and sign-up page (signup.html) in the portal website. This means all members sign in to the portal with their enterprise credentials and unnecessary member accounts cannot be created. See Disabling users' ability to create built-in portal accounts for full instructions.