ArcGIS Server and Portal for ArcGIS: An Introduction to Security
Michael Sarhan & Bill Major
February 24–25, 2016 | Washington, DC
FedGIS Conference

Using Portal with ArcGIS Server
[Diagram labels: Portal; Server]

Portal and Server: A Tale of Two Security Models
• Portal for ArcGIS
  - Permissions set by item owner
  - Can be changed by administrators
• ArcGIS Server
  - Permissions can be set by any publisher/administrator
[Diagram labels: Web Services; Portal Items; Web map; Web app; Data]

Portal for ArcGIS Access
• Anonymous → Unauthenticated
• User → Valid login to access
• Role → Grouping of users
  - 3 types
    1. Administrators – Full admin control
    2. Publishers – Publish web services
    3. Users – View web services
    4. Custom Roles
• Identity store → Defines your users
[Diagram label: Permissions]

Portal for ArcGIS Security
Integrates with Your Enterprise Security Infrastructure
• Authentication
  - Web tier authentication, including Windows Authentication & PKI
  - SAML (10.3)
  - Portal tier authentication combining both built-in and enterprise users (10.3.1)
• Users, Roles, and Groups
  - Users
    • Built-in
    • Enterprise
      • Active Directory
      • LDAP
  - Roles
    • Anonymous
    • User
    • Publisher
    • Administrator
    • Custom roles (10.3)
  - Groups
    • Built-in
    • Enterprise groups (10.3)

How to Choose Identity Store for Portal for ArcGIS
• SAML: If the org has an Identity provider
• Windows Active Directory or LDAP: All Internal Users
• Built-in: If the users are mostly External (no IDP)
[Diagram note: Supports Web Tier Authentication]

SAML – Conceptual Workflow
1. User attempts to log in
2. Portal redirects client to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
[Diagram labels: Client; Portal for ArcGIS; Identity Provider (IDP), 3rd party; ArcGIS for Server (Federated)]

PKI Client Certificate Authentication – Conceptual Workflow
1. Present PKI Certificate
2. Authenticate against Identity Store
3. Pass user identity through to Portal
4. Get additional user information; Enterprise Groups
[Diagram labels: Web Server; Portal for ArcGIS; ArcGIS Server (Federated); Identity Store (AD or LDAP)]

Portal for ArcGIS Sharing Model
Item Sharing Options
• Everyone – makes items public
• Your Portal – only Portal users can search and find items
• Groups – Share an item with a group; restricts access to a smaller, more focused set of people.
• Groups and Your Portal or Everyone – share with a larger audience (everyone or your portal) and also share it with a specific group. This allows you to categorize your item as especially relevant to a particular group while still making it available to others in your organization.
• Can I share a group? Yes!
• Can I re-share another user’s item? Yes but only if it is public.
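
The sharing options above, expressed as an access check plus a small audit that lists items reachable without a login. This is an added illustration, not Esri code or the Portal API; the class and function names, the sample inventory, and the rule that owners and administrators always see an item are assumptions.

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    role: str = "user"                  # "user", "publisher" or "administrator"
    groups: frozenset = frozenset()

@dataclass
class Item:
    title: str
    owner: str
    everyone: bool = False              # "Everyone": public, anonymous included
    portal: bool = False                # "Your Portal": any signed-in member
    groups: frozenset = frozenset()     # groups the item is shared with

def can_view(item, user=None):
    """user=None models an anonymous (unauthenticated) request."""
    if item.everyone:
        return True
    if user is None:
        return False
    # Assumption: the owner and administrators always see the item.
    if user.name == item.owner or user.role == "administrator":
        return True
    # The options combine: portal-wide sharing or any common group grants access.
    return item.portal or bool(item.groups & user.groups)

def can_reshare(item, user):
    """Slide rule: another user's item can be re-shared only if it is public."""
    if user is None:
        return False
    # Owners and administrators can change an item's permissions.
    return user.name == item.owner or user.role == "administrator" or item.everyone

def audit_public(items):
    """Titles of items reachable without a login, for periodic review."""
    return sorted(i.title for i in items if can_view(i, None))

# Constructed sample inventory (hypothetical owners, titles and group name).
ITEMS = [
    Item("Basemap", "alice", everyone=True),
    Item("Parcels", "alice", portal=True, groups=frozenset({"Explore"})),
    Item("Drill sites", "bob", groups=frozenset({"Explore"})),
    Item("Draft", "bob"),
]

if __name__ == "__main__":
    print("Public items:", audit_public(ITEMS))
```
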

Portal – Server Federation
• Allows a single sign-on (SSO) experience between Portal and Server
• Permissions are all managed in Portal
• ArcGIS Server site must be HTTPS enabled
• When to use
  - Desire for SSO user experience
• When NOT to use
  - When Portal/Server are in different physical locations
  - Portal and Server are different releases
[Diagram labels: Portal for ArcGIS; Identity store; ArcGIS Server]

Portal Tier Authentication
• Portal Takes on Security Role
• Must use ArcGIS Web Adaptor
• Can use Built-in or Enterprise Users
[Diagram labels: Client; Web Server; Web Adaptor; Portal for ArcGIS; ArcGIS for Server; Identity store; Server directories; Configuration store. Arrows: 1. Access to Portal; 2. Access to Server]

Web Tier Authentication
• Web tier takes on Security Role
• Must use ArcGIS Web Adaptor
• Can use Enterprise Users, PKI, or custom techniques
[Diagram labels: Client; Web Server; Web Adaptor; Portal for ArcGIS; ArcGIS for Server; Identity store; Server directories; Configuration store. Arrows: 1. Access to Portal; 2. Access to Server]

Enterprise Groups in Portal for ArcGIS
[Diagram labels: Windows Active Directory or LDAP; Exploration Group; Portal for ArcGIS; Enterprise Group: Explore]

Portal for ArcGIS
Federation and Enterprise Groups

Other Portal for ArcGIS Security Considerations
• HTTPS Only?
  - Use CA signed certificates
• Do you want to allow Anonymous access to your Portal?
• Should users be able to “Share with Everyone”?
  - Custom Roles
• Enforce a password policy (Built-in Users only)
• Specify Trusted Servers for passing credentials via CORS
• Do the default Token expiration times work for your Security folks?
• Portal firewall needs: 7080, 7443, 7654, etc.

What’s coming?
10.4

10.4 Security Relevant Updates
• Component version refresh (JDK, Tomcat, etc.)
• Requires .NET Framework 4.5 on Windows; Microsoft 10 Support
• HTTP and HTTPS are now enabled by default on ArcGIS Server
• Python script that performs a security check for problems based on the best practices for configuring a secure environment for ArcGIS Server.
• Portal can create groups that allow members to update shared items

10.4 Security Relevant Updates
• Portal 10.4 introduces a new security option for federated servers. You can update a federated server to control which portal members have administrative and publisher access to the server.
• Restrict SSL protocols and cipher suites used by Portal’s internal web server
• More located here...

Summary
• Securing ArcGIS for Server
• Authentication
• Securing web services
• Incorporating Portal for ArcGIS
• Enterprise groups
• Summary