ArcGIS for Server and Portal for ArcGIS: An Introduction to Security

Agenda
• Security in the context of ArcGIS Server/Portal for ArcGIS
• Access
• Authentication
• Authorization: securing web services
• Encryption and certificates
• ArcGIS Server + Portal for ArcGIS
• Enterprise groups and SAML in Portal for ArcGIS
• Summary
How to configure
Strongly recommended: knowledge of ArcGIS Server and Portal for ArcGIS

ArcGIS Server/Portal for ArcGIS Security
Protect your assets: control access and set permissions.

ArcGIS 10.3.x for Server – Web GIS in your Infrastructure
[Figure: Desktop, Web and Device clients; Server and Online content and services; portal; ArcGIS Server; Portal for ArcGIS]

Access: who can log in to ArcGIS Server?

ArcGIS Server Access
• User → a valid login to access the site
• Role → a grouping of users; 3 types
1. Administrators – full admin control
2. Publishers – publish web services
3. Users – view web services
• Identity store → defines your users and roles: user store + role store
[Figure: permissions]

ArcGIS Server: User considerations
• Where are your users coming from? This determines which type of identity store you should use.
• Intranet → Windows Active Directory or LDAP
• Internet → Built-in or custom
[Figure: identity store; the organization's IT network with internal and external users]

ArcGIS Server: Role considerations
• How much control do I have over my ArcGIS Server site?
- Managed by me, within my department? or
- Managed by my organization's IT department?
• This may affect where you define your roles: in the built-in identity store or in an enterprise identity store (Windows Active Directory or LDAP)

ArcGIS Server: Identity Store
• Identity store → defines your users and roles
• 3 different options
1. Built-in (default)
2. Register with an enterprise identity store
- Windows Active Directory
- LDAP
3. "Mixed mode"
- Users from the enterprise identity store
- Roles from the built-in store

Demo: ArcGIS Server Manager
Show users and roles

Authentication: check and verify user identity

Authentication Tier/Method
• Authentication → check and verify user identity
• 2 options
1. GIS tier – uses tokens to authenticate
2. Web tier – uses HTTP authentication
- E.g., Basic, Digest, Integrated Windows, client certificates, and custom

ArcGIS Web Adaptor
• Enables ArcGIS Server to work with a 3rd-party web server
- E.g., Microsoft IIS, IBM WebSphere, etc.
• Leverage web server features
• Required for web-tier authentication
• Provides more flexibility to control site access
• Conceptually like a reverse proxy
• Separate software install, included with ArcGIS for Server
[Figure: Web Server with the Web Adaptor (http 80 / https 443) in front of the GIS Server (http 6080 / https 6443) in the GIS site]

GIS Tier Authentication
• GIS Server checks credentials
• Token → unique identifier sent from the GIS Server to the client to identify an interaction session
[Figure: client, Web Server with Web Adaptor, GIS Server with server directories, configuration store and identity store]
1. Credentials sent to the GIS server
2. Checked with the ID store
3. Esri token sent back to the client
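The three steps above, written out as a client in Python. This is an added example, not code from the slides or from Esri: the endpoint path /arcgis/tokens/generateToken and the response shape {"token": ..., "expires": epoch-ms} follow the ArcGIS REST API, while the host names, user and sample replies are constructed. It refuses to send credentials over plain HTTP, which is why the table later in the deck lists "Enable SSL" as the GIS-tier requirement.

```python
"""GIS-tier (token) authentication, following the three numbered steps on
the slide: (1) credentials go to the GIS server's generateToken endpoint,
(2) the server checks them against its identity store, (3) an Esri token
comes back and is attached to later requests.

Added example, not code from the slides or from Esri. The endpoint path
/arcgis/tokens/generateToken and the response shape
{"token": "...", "expires": <epoch ms>} follow the ArcGIS REST API; host
names, user and sample responses are constructed for illustration.
"""
import json
import time
from urllib.parse import urlencode, urljoin
from urllib.request import Request, urlopen

TOKEN_PATH = "/arcgis/tokens/generateToken"


def build_token_request(base_url, username, password, referer, minutes=60):
    """Step 1: build (url, form_body) for the generateToken POST.
    The credentials travel in the body, so the call is only allowed to
    the HTTPS side of the site (443 / 6443), never plain 80 / 6080."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("generateToken must be called over HTTPS")
    url = urljoin(base_url, TOKEN_PATH)
    body = urlencode({
        "username": username,
        "password": password,
        "client": "referer",    # bind the token to one referer URL
        "referer": referer,
        "expiration": minutes,  # requested token lifetime, in minutes
        "f": "json",
    }).encode()
    return url, body


def parse_token_response(raw_json):
    """Step 3: pull the token and its expiry out of the JSON reply.
    ArcGIS reports a rejected login as an 'error' object inside an HTTP
    200 response, so it has to be checked explicitly."""
    data = json.loads(raw_json)
    if "error" in data:
        raise PermissionError(data["error"].get("message", "token refused"))
    return data["token"], int(data["expires"])


def token_is_valid(expires_ms, now_ms=None, skew_ms=30_000):
    """True while the token has more than `skew_ms` left, so a request
    never leaves with a token that expires in flight."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return now_ms + skew_ms < expires_ms


def with_token(service_url, token):
    """Attach the token to a service request as the `token` parameter.
    Shown as a query string here; sending it in the POST body keeps it
    out of web-server access logs."""
    sep = "&" if "?" in service_url else "?"
    return f"{service_url}{sep}token={token}"


def fetch_token(base_url, username, password, referer):
    """Live round trip for steps 1-3 (needs network; not run offline)."""
    url, body = build_token_request(base_url, username, password, referer)
    with urlopen(Request(url, data=body)) as resp:
        return parse_token_response(resp.read().decode())
```

Binding the token to a referer (client=referer) means a token lifted from one application cannot simply be reused from another origin; the expiry check with a safety margin is the usual way to decide when to request a fresh one.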

Web Tier Authentication
• Web server checks credentials
• Must use the ArcGIS Web Adaptor
• HTTP authentication
[Figure: client, Web Server with Web Adaptor and identity store, GIS Server with server directories and configuration store]
1. Credentials checked with the ID store
2. Credentials sent to the Web Adaptor
3. Credentials sent to the GIS server

GIS Tier vs. Web Tier Authentication

| | GIS tier / token | Web tier / HTTP auth |
|---|---|---|
| Default | Yes | No |
| Public / anonymous possible | Yes | No |
| Clients supporting | Esri | All, including OGC |
| Requirements | Enable SSL | ArcGIS Web Adaptor(s) required; Basic: requires SSL; Digest: special setup; IWA: Windows only |

Demo: ArcGIS Server Manager
Show how to select the authentication method
Show IIS configuration of the ArcGIS Web Adaptor

Authorization: what you are allowed to do

Securing GIS Web Services
• Set permissions for roles on folders and services
- Administrators/Publishers grant permissions
• All new services are public by default (anonymous access)
• Can specify whether folders require HTTPS
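Because every new service is public until someone changes it, the check an administrator wants is "which services still grant everyone access". The following audit is an added example, not code from the slides or from Esri; it reads the JSON that the Administrator Directory returns for services/<folder>/<service>.<type>/permissions, whose shape ({"permissions": [{"principal": ..., "permission": {"isAllowed": ...}}]}) and built-in principal name "esriEveryone" are assumed from the ArcGIS REST API. The folder and service names are constructed sample data.

```python
"""Find ArcGIS Server services that are still open to everyone.

Added example, not code from the slides or from Esri. It consumes the
JSON that the Administrator Directory returns for
services/<folder>/<service>.<type>/permissions; the document shape and
the principal name "esriEveryone" are assumed from the ArcGIS REST API.
The folder and service names are constructed sample data.
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

EVERYONE = "esriEveryone"

# Constructed sample: permission documents for three services.
SAMPLE = {
    # freshly published, untouched: the default grants everyone access
    "Roads.MapServer": '{"permissions": [{"principal": "esriEveryone", '
                       '"permission": {"isAllowed": true}}]}',
    # secured: everyone denied, one role allowed
    "Secure/Parcels.MapServer": '{"permissions": ['
                       '{"principal": "esriEveryone", "permission": {"isAllowed": false}}, '
                       '{"principal": "Assessors", "permission": {"isAllowed": true}}]}',
    # nothing set on the service itself: it follows its folder
    "Secure/Utilities.FeatureServer": '{"permissions": []}',
}


def classify(perm_doc):
    """'public' if esriEveryone is granted, 'restricted' if only named
    roles are, 'unset' if the document lists no entries at all (the
    service then follows its folder, which this script does not resolve)."""
    entries = perm_doc.get("permissions", [])
    if not entries:
        return "unset"
    for entry in entries:
        if entry["principal"] == EVERYONE and entry["permission"]["isAllowed"]:
            return "public"
    return "restricted"


def allowed_roles(raw_doc):
    """Roles explicitly granted access by one permission document."""
    doc = json.loads(raw_doc)
    return sorted(e["principal"] for e in doc.get("permissions", [])
                  if e["permission"]["isAllowed"])


def audit(raw_docs):
    """Map each service name to its classification from raw JSON text."""
    return {name: classify(json.loads(raw)) for name, raw in raw_docs.items()}


def public_services(raw_docs):
    """The services an administrator should review first."""
    return sorted(name for name, cls in audit(raw_docs).items() if cls == "public")


def fetch_permissions(admin_url, token, service):
    """Live fetch of one service's permission document (network; not
    exercised offline). `admin_url` is the Administrator Directory root,
    for example https://host:6443/arcgis/admin (constructed)."""
    url = f"{admin_url}/services/{service}/permissions"
    body = urlencode({"f": "json", "token": token}).encode()
    with urlopen(Request(url, data=body)) as resp:
        return resp.read().decode()
```

Run against a site, the script lists the "public" services; anything there that is not meant for anonymous access is where the slide's advice (grant roles on the folder or service, remove everyone) applies.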

Demo: ArcGIS Server Manager
Show securing a web service
Show accessing a secured web service

Encryption and HTTPS: securing communication protocols

Hypertext Transfer Protocol Secure (HTTPS)
Should you be using HTTPS? Yes!
• HTTPS: a protocol for secure communication
• To enable it, update the security configuration within the ArcGIS Server Administrator Directory
- Select 'HTTP And HTTPS' or 'HTTPS Only'
• HTTPS requires a security certificate, which contains key information, the owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct
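A quick way to tell whether the setting above has actually been applied is to read the site's security configuration and flag the weak values. This is an added example, not code from the slides or from Esri: the key names ("Protocol" with values HTTP, HTTPS or HTTP_AND_HTTPS, "sslEnabled", "authenticationTier") and the "securityConfig" parameter of security/config/update are assumed from the Administrator Directory's JSON, and both sample documents are constructed, the weak one standing for a site left on its defaults.

```python
"""Check an ArcGIS Server site's security configuration for the HTTPS
setting the slide asks for, and build the update that turns it on.

Added example, not code from the slides or from Esri. Key names are
assumed from the Administrator Directory's security/config resource
("Protocol": HTTP | HTTPS | HTTP_AND_HTTPS, "sslEnabled",
"authenticationTier"); the two sample documents are constructed.
"""
import json

# Constructed: a site that has never had HTTPS turned on
WEAK_CONFIG = ('{"Protocol": "HTTP", "sslEnabled": false, '
               '"authenticationTier": "GIS_SERVER"}')
# Constructed: the same site after selecting 'HTTPS Only'
HARDENED_CONFIG = ('{"Protocol": "HTTPS", "sslEnabled": true, '
                   '"authenticationTier": "GIS_SERVER"}')


def https_findings(raw_config):
    """Return a list of findings; an empty list means HTTPS is enforced."""
    cfg = json.loads(raw_config)
    findings = []
    protocol = str(cfg.get("Protocol", "HTTP")).upper()
    if protocol == "HTTP":
        findings.append("Protocol=HTTP: credentials and tokens cross the "
                        "network in clear text; select HTTP_AND_HTTPS or HTTPS")
    elif protocol == "HTTP_AND_HTTPS":
        findings.append("Protocol=HTTP_AND_HTTPS: HTTPS is offered but clients "
                        "may still use HTTP; move to HTTPS only once they can")
    elif protocol != "HTTPS":
        findings.append(f"Protocol={protocol}: unrecognised value, inspect manually")
    if not cfg.get("sslEnabled", False):
        findings.append("sslEnabled=false: the HTTPS listener (6443) is off")
    if cfg.get("authenticationTier") == "GIS_SERVER" and protocol == "HTTP":
        findings.append("token authentication over plain HTTP: tokens can be "
                        "captured and replayed until they expire")
    return findings


def update_body(raw_config, protocol="HTTPS"):
    """Form body for security/config/update. The update replaces the whole
    document, so the existing configuration is read, the two HTTPS fields
    are changed, and everything else is sent back unchanged (assumed
    parameter name: securityConfig)."""
    if protocol not in ("HTTP_AND_HTTPS", "HTTPS"):
        raise ValueError("only HTTP_AND_HTTPS or HTTPS are acceptable targets")
    cfg = json.loads(raw_config)
    cfg["Protocol"] = protocol
    cfg["sslEnabled"] = True
    return {"securityConfig": json.dumps(cfg), "f": "json"}
```

The merge in update_body matters in practice: posting only the two HTTPS fields would drop the identity-store settings that the same document carries.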

Security Certificates
• Enabling HTTPS in ArcGIS Server generates a self-signed certificate for every machine in the site
- Used to communicate with the ArcGIS Web Adaptor over port 6443
• For a production site, the ArcGIS Web Adaptor should use a certificate signed by a domain or well-known Certificate Authority (CA)
• Web clients use the certificate to trust content from ArcGIS Server
[Figure: a certificate signed by a domain or well-known CA, versus what you want to avoid (image not transcribed)]

How do you set up a Security Certificate?
1. Generate a Certificate Signing Request (CSR)
2. Send the CSR for signing by a domain or well-known Certificate Authority
3. Import the signed certificate

Portal for ArcGIS: extension to ArcGIS for Server

Using Portal with ArcGIS Server
1. Registering services
2. Federating an ArcGIS Server site
[Figure: Portal and Server]

Implementation Patterns: Portal for ArcGIS + ArcGIS Server
[Figure: Portal for ArcGIS (with its identity store) holding Item A, a registered web service from ArcGIS Server site 1 (with its own identity store)]

Demo: Portal for ArcGIS
Show registering a web service with Portal

What can be Secured and Where?
• Portal for ArcGIS: portal items (web map, web app, data)
• ArcGIS Server: web services

What does it mean to be Secured?

| Portal item | What access means |
|---|---|
| Web map | Can know the URLs of the layers in the map; layers are secured independently |
| Packages | Can download the package |
| Data | Can download the data |
| Application | Allows opening of the app (except a referenced external app) |

| ArcGIS Server | What access means |
|---|---|
| Any service | Can perform any operation that is enabled |

How is Security Set?
• Portal for ArcGIS (portal items: web map, web app, data)
- Permissions set by the item owner
- Can be changed by administrators
• ArcGIS Server (web services)
- Permissions can be set by any publisher/administrator

Portal for ArcGIS Security: Integrates with Your Enterprise Security Infrastructure
• Authentication
- Web-tier authentication, including Windows Authentication & PKI
- Web single sign-on (SSO) with SAML (10.3)
- Portal-tier authentication combining both built-in and enterprise users (10.3.1)
• Users, Roles, and Groups
- Users: built-in; enterprise (Active Directory, LDAP)
- Roles: Anonymous, User, Publisher, Administrator, custom roles (10.3)
- Groups: built-in; enterprise groups (10.3)

How to Choose an Identity Store for Portal for ArcGIS
• SAML – if the organization has an identity provider
• Windows Active Directory or LDAP – if the users are mostly or all internal
• Built-in – if the users are mostly external

Groups and Roles: collections of users
• A collection of users is called a Group in Portal for ArcGIS and a Role in ArcGIS Server
• In Portal, you define the Group; if you use an enterprise identity store, you can leverage enterprise groups
• In Server, a Role is defined with built-in roles or from the enterprise identity store

Portal for ArcGIS Roles
• Permissions for Portal users are defined by roles
• 3 default roles
1. Administrator
2. Publisher
3. User
• Custom roles (as of 10.3) provide more fine-grained access control
[Figure: permissions]

Portal for ArcGIS: Custom Roles
• Provide more flexibility to enable fine-grained control over what members can do
• My Organization page > Edit Settings > Roles > Create Role

Demo: Portal for ArcGIS
Show creating a custom role

Implementation Patterns: Portal for ArcGIS + ArcGIS Server
[Figure, repeated: Portal for ArcGIS (with its identity store) holding Item A, a registered web service from ArcGIS Server site 1 (with its own identity store)]

Demo: Portal for ArcGIS
Show how a secured web service behaves in Portal

Implementation Patterns: Portal for ArcGIS + ArcGIS Server
[Figure: Portal for ArcGIS (with its identity store) holding Item A, a registered web service from ArcGIS Server site 1 (with its own identity store), and Item B from ArcGIS Server site 2, a federated server]

Portal – Server Federation
• Allows a single sign-on (SSO) experience between Portal and Server
• Permissions are all managed in Portal
• The ArcGIS Server site must be HTTPS enabled
• When to use
- Desire for an SSO user experience
• When NOT to use
- When Portal/Server are in different physical locations
- When Portal and Server are different releases
[Figure: Portal for ArcGIS with its identity store, and ArcGIS Server]

Demo: Portal for ArcGIS
Show federating an ArcGIS Server site with Portal

Portal for ArcGIS and HTTPS
• The ArcGIS Web Adaptor is the primary access point for Portal
- For a production site, use a signed certificate from a domain or well-known Certificate Authority (CA)
• By default, Portal for ArcGIS encrypts communication between itself and the ArcGIS Web Adaptor on port 7443 via HTTPS
• Portal maintains a list of trusted CA certificates used when accessing external services over HTTPS
- Needs to be updated if Portal is accessing internal services via HTTPS
- Configure the portal to trust certificates from your certifying authority

Other Security Options in Portal for ArcGIS
• At 10.3, several enhancements were added
1. Support for enterprise groups when Portal uses an enterprise identity store (Windows Active Directory or LDAP)
2. Support for SAML authentication

10.3 Support for Enterprise Groups
Enabled when Portal is configured with Windows Active Directory or LDAP

Enterprise Groups in Portal for ArcGIS
[Figure: an "Exploration Group" in Windows Active Directory or LDAP appears as "Enterprise Group: Explore" in Portal for ArcGIS]

10.3 Single Web Sign-On through SAML (Security Assertion Markup Language)
Industry standard for SSO

SAML – Conceptual Workflow
[Figure: Client, Portal for ArcGIS, and a 3rd-party Identity Provider (IdP)]
1. User attempts to log in
2. Portal redirects the client to the IdP
3. User sends login credentials to the IdP
4. IdP authenticates the user and sends a SAML response to the browser
5. Browser sends the SAML response to Portal
6. Portal verifies the SAML response and the user is logged in
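Steps 2 and 6 are the two that the portal (the service provider) performs itself, and step 6 is where most SSO mistakes hide. The example below is added here and is not code from the slides or from Portal for ArcGIS; it uses only SAML 2.0 conventions (the HTTP-Redirect binding of raw DEFLATE + base64 + URL-encoding, and the Response/Assertion/Conditions elements). The entity IDs, URLs, request ID and the sample Response XML are constructed. The XML signature is only checked for presence; verifying the IdP's signature requires an XML-DSig library and is deliberately left out.

```python
"""SAML web SSO from the Portal side: step 2 (redirect the browser to the
IdP with an AuthnRequest) and step 6 (check the Response the browser
brings back before logging the user in).

Added example, not code from the slides or from Portal for ArcGIS. Only
SAML 2.0 conventions are used; entity IDs, URLs, request ID and the
sample Response are constructed. Signatures are checked for presence
only; real verification needs an XML-DSig library.
"""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://portal.example.com/arcgis"       # constructed
ACS_URL = "https://portal.example.com/arcgis/saml/acs"   # constructed
IDP_SSO_URL = "https://idp.example.com/sso"              # constructed
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_redirect(request_id=None):
    """Step 2: wrap an AuthnRequest in a redirect URL. Returns (url, id);
    Portal must remember the id to match InResponseTo in step 6."""
    request_id = request_id or "_" + secrets.token_hex(16)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, no zlib header
    raw = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode()})
    return f"{IDP_SSO_URL}?{query}", request_id


def decode_redirect(url):
    """What the IdP does on arrival: recover the AuthnRequest XML."""
    data = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(data), -15).decode()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def verify_response(response_xml, expected_request_id):
    """Step 6: the checks Portal makes before trusting the NameID.
    Returns the user name, or raises ValueError naming the failed check."""
    now = datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Response addressed to a different ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the request Portal issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion (encrypted assertions not handled here)")
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        raise ValueError("unsigned Response and Assertion")   # presence only
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or _ts(cond.get("NotBefore")) > now or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:
        raise ValueError("assertion not intended for this portal")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID")
    return name_id.text


def sample_response(request_id, not_before="2000-01-01T00:00:00Z",
                    not_on_or_after="2100-01-01T00:00:00Z", signed=True,
                    audience=SP_ENTITY_ID):
    """Constructed stand-in for what the IdP sends in step 4."""
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignatureValue>constructed'
           f'</ds:SignatureValue></ds:Signature>' if signed else "")
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
            f'Version="2.0" IssueInstant="{not_before}" Destination="{ACS_URL}" '
            f'InResponseTo="{request_id}">'
            f'<saml:Issuer>https://idp.example.com</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
            f'<saml:Issuer>https://idp.example.com</saml:Issuer>{sig}'
            f'<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
```

Each check in verify_response closes one way of reusing an assertion somewhere it was not meant for: InResponseTo ties the response to a request this portal issued, Destination and Audience tie it to this portal, and the Conditions window limits how long it stays usable. In a deployment these run in addition to, not instead of, signature verification against the IdP certificate that was exchanged when the IdP was registered.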

SAML Login User Experience
• With SAML authentication enabled, the user will be prompted by the IdP to log in
• Use the IdP login or the built-in login

5 Key Points
• Multiple ways to utilize your enterprise identity store
• Select the authentication option that best meets your business requirements
• Enable HTTPS on your ArcGIS Server site
• Use a security certificate signed by your domain or a well-known CA
• Portal – Server federation is optional

Summary
• Security in the context of ArcGIS Server/Portal for ArcGIS
• Access
• Authentication
• Authorization: securing web services
• Encryption and certificates
• ArcGIS Server + Portal for ArcGIS
• Enterprise groups and SAML in Portal for ArcGIS