ArcGIS Server and Portal for ArcGIS: An Introduction to Security


Michael Sarhan & Bill Major

February 24–25, 2016 | Washington, DC

FedGIS Conference

Using Portal with ArcGIS Server

[Diagram: Portal for ArcGIS and ArcGIS Server]

Portal and Server: A Tale of Two Security Models

• Portal for ArcGIS
  - Permissions set by item owner
  - Can be changed by administrators

• ArcGIS Server
  - Permissions can be set by any publisher/administrator

[Diagram: ArcGIS Server secures web services; Portal for ArcGIS secures portal items such as web maps, web apps and data]

Portal for ArcGIS Access

• Anonymous → Unauthenticated
• User → Valid login required to access
• Role → Grouping of users
  - Three built-in roles, plus custom roles:
    1. Administrators – Full admin control
    2. Publishers – Publish web services
    3. Users – View web services
    4. Custom Roles
• Identity store → Defines your users

[Diagram: Permissions]

Portal for ArcGIS Security: Integrates with Your Enterprise Security Infrastructure

• Authentication
  - Web tier authentication, including Windows Authentication & PKI
  - SAML (10.3)
  - Portal tier authentication combining both built-in and enterprise users (10.3.1)

• Users, Roles, and Groups
  - Users: Built-in; Enterprise (Active Directory, LDAP)
  - Roles: Anonymous, User, Publisher, Administrator, Custom roles (10.3)
  - Groups: Built-in; Enterprise groups (10.3)

How to Choose an Identity Store for Portal for ArcGIS

• SAML – if the org has an identity provider (IdP)
• Windows Active Directory or LDAP – all internal users; supports web tier authentication
• Built-in – if the users are mostly external (no IdP)

SAML – Conceptual Workflow

Participants: Client (browser), Portal for ArcGIS (with a federated ArcGIS for Server), Identity Provider (IDP, 3rd party)

1. User attempts to log in
2. Portal redirects client to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
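Step 6 of the workflow is where the security of the whole exchange is decided: the browser carried the SAML response, so Portal can trust nothing in it until it has checked who issued it, who it was meant for, whether it answers a request Portal actually sent, and whether it is still within its validity window. The following is an added example, not Esri code and not how Portal for ArcGIS is implemented internally; the IdP and SP identifiers, the endpoint URL and the Response XML are constructed for the demonstration. XML signature verification against the IdP's certificate is omitted here; in a real service provider it comes first, or none of the remaining checks can be trusted.

```python
"""Step 6 of the workflow above: the checks a SAML service provider such as
Portal must make on the Response before trusting the asserted identity.
Added example, not Esri code; IdP/SP identifiers and the XML are constructed.
XML signature verification against the IdP certificate is omitted here; in
production it comes first, or none of these checks can be trusted."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed service-provider settings (hypothetical values).
SP_ENTITY_ID = "https://portal.example.org/arcgis"
SP_ACS_URL = "https://portal.example.org/arcgis/sharing/rest/saml/acs"
TRUSTED_IDP = "https://idp.example.org/saml"
CLOCK_SKEW = timedelta(minutes=2)


def _ts(value):
    # SAML timestamps are xsd:dateTime in UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_text, outstanding_request_ids, now=None):
    """Return the asserted NameID if every check passes, else raise ValueError."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    # 1. The IdP must report success.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    # 2. Only the configured IdP may assert identities.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != TRUSTED_IDP:
        raise ValueError("untrusted issuer: %s" % issuer)
    # 3. The response must be addressed to this portal's endpoint.
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination mismatch")
    # 4. InResponseTo must name a request this SP issued in step 2 and has not
    #    consumed yet; this rejects unsolicited and replayed responses.
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_request_ids:
        raise ValueError("InResponseTo does not match an outstanding request")
    outstanding_request_ids.discard(req_id)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("assertion or its Conditions missing")
    # 5. Validity window, with a small tolerance for clock skew.
    if (now + CLOCK_SKEW < _ts(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # 6. The assertion must be meant for this portal, not some other SP.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("audience mismatch: %s" % audiences)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in assertion")
    return name_id


def sample_response(not_before, not_on_or_after, audience=SP_ENTITY_ID):
    """Constructed, unsigned SAML Response for demonstration only."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" InResponseTo="_req42" Destination="{SP_ACS_URL}">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Accept a good response, then reject expired, replayed and mis-addressed ones."""
    now = datetime(2016, 2, 24, 15, 0, tzinfo=timezone.utc)
    good = sample_response("2016-02-24T14:59:00Z", "2016-02-24T15:05:00Z")
    foreign = sample_response("2016-02-24T14:59:00Z", "2016-02-24T15:05:00Z",
                              audience="https://other-sp.example.org")
    out = {"valid": validate_saml_response(good, {"_req42"}, now)}
    for label, xml, ids, at in [("expired", good, {"_req42"}, now + timedelta(hours=1)),
                                ("replayed", good, set(), now),
                                ("wrong_audience", foreign, {"_req42"}, now)]:
        try:
            out[label] = "accepted: " + validate_saml_response(xml, ids, at)
        except ValueError as exc:
            out[label] = "rejected: %s" % exc
    return out
```

The outstanding-request set is what ties step 6 back to step 2: a response whose InResponseTo is unknown, or one presented a second time, is refused even though every other field is correct. The audience check matters when one IdP serves several service providers, since an assertion minted for another SP would otherwise log the user into the portal.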

PKI Client Certificate Authentication – Conceptual Workflow

Participants: Client, Web Server, Portal for ArcGIS (with a federated ArcGIS Server), Identity Store (AD or LDAP)

1. Client presents PKI certificate to the web server
2. Web server authenticates against the identity store
3. Web server passes the user identity through to Portal
4. Portal gets additional user information (enterprise groups) from the identity store

Portal for ArcGIS Sharing Model

Item Sharing Options
• Everyone – makes items public
• Your Portal – only Portal users can search and find items
• Groups – Share an item with a group; restricts access to a smaller, more focused set of people.
• Groups and Your Portal or Everyone – share with a larger audience (everyone or your portal) and also share it with a specific group. This allows you to categorize your item as especially relevant to a particular group while still making it available to others in your organization.

• Can I share a group? Yes!
• Can I re-share another user's item? Yes, but only if it is public.
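The sharing levels above are easiest to reason about as a default-deny access check: an item is visible only if some rule grants it, and anonymous visitors fall through every rule except "Everyone". The following is an added example, not Esri code and not Portal's implementation; it encodes the rules on this slide (Everyone, Your Portal, Groups, and re-sharing another user's item only when it is public) and assumes, following the earlier slide on administrators changing permissions, that administrators can see and re-share everything. The users, groups and items are constructed.

```python
"""The sharing options above as a default-deny access check. Added example,
not Esri code: it models Everyone / Your Portal / Groups and the rule that
another user's item may be re-shared only when it is public. Administrators,
whom the earlier slide says can change any item's permissions, are assumed
to see and re-share everything. Users and items below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str = "user"                   # user | publisher | administrator
    groups: frozenset = frozenset()      # Portal groups the member belongs to


@dataclass(frozen=True)
class Item:
    title: str
    owner: str
    everyone: bool = False               # "Everyone": public, anonymous included
    portal: bool = False                 # "Your Portal": any signed-in member
    groups: frozenset = frozenset()      # "Groups": named groups only


def can_view(item, user):
    """Return the rule granting access, or None. Anonymous is user=None."""
    if item.everyone:
        return "public"
    if user is None:                     # anonymous sees only public items
        return None
    if user.name == item.owner or user.role == "administrator":
        return "owner/admin"
    if item.portal:
        return "portal member"
    if item.groups & user.groups:
        return "group member"
    return None


def can_reshare(item, user):
    """Another user's item can be re-shared only if it is already public."""
    if user is None:
        return False
    if user.name == item.owner or user.role == "administrator":
        return True
    return item.everyone


def demo():
    """Who can see what, as {(user, item): granted} over constructed data."""
    users = {
        "anonymous": None,
        "admin": User("portaladmin", "administrator"),
        "alice": User("alice", "publisher", frozenset({"Explore"})),
        "bob": User("bob", "user", frozenset({"Explore"})),
        "carol": User("carol"),
    }
    items = {
        "private": Item("Field notes", "alice"),
        "group_only": Item("Exploration map", "alice", groups=frozenset({"Explore"})),
        "org_wide": Item("Campus basemap", "alice", portal=True),
        "public": Item("Open data", "alice", everyone=True),
    }
    return {(u, i): can_view(items[i], users[u]) is not None
            for u in users for i in items}
```

Running `demo()` shows the consequence of each level: "Your Portal" exposes an item to every signed-in member whether or not they belong to the owner's group, while a group-only share is invisible to a member outside that group. The re-share rule is the reason "Share with Everyone" deserves scrutiny later in the deck: once an item is public, any member can propagate it further.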

Portal – Server Federation

• Allows a single sign-on (SSO) experience between Portal and Server
• Permissions are all managed in Portal
• ArcGIS Server site must be HTTPS enabled

• When to use:
  - Desire for SSO user experience

• When NOT to use:
  - When Portal/Server are in different physical locations
  - Portal and Server are different releases

Portal Tier Authentication

• Portal takes on the security role
• Must use ArcGIS Web Adaptor
• Can use Built-in or Enterprise Users

[Diagram components: Client; Web Server with ArcGIS Web Adaptor; Portal for ArcGIS with its identity store; ArcGIS for Server with server directories and configuration store. 1. Access to Portal; 2. Access to Server]

Web Tier Authentication

• Web tier takes on the security role
• Must use ArcGIS Web Adaptor
• Can use Enterprise Users, PKI, or custom techniques

[Diagram components: Client; Web Server with ArcGIS Web Adaptor and identity store; Portal for ArcGIS; ArcGIS for Server with server directories and configuration store. 1. Access to Portal; 2. Access to Server]

Enterprise Groups in Portal for ArcGIS

[Diagram: an "Exploration Group" in Windows Active Directory or LDAP mapped to the Portal for ArcGIS enterprise group "Explore"]

Portal for ArcGIS: Federation and Enterprise Groups

Other Portal for ArcGIS Security Considerations

• HTTPS only?
  - Use CA-signed certificates
• Do you want to allow anonymous access to your Portal?
• Should users be able to "Share with Everyone"?
  - Control this with custom roles
• Enforce a password policy (built-in users only)
• Specify trusted servers for passing credentials via CORS
• Do the default token expiration times work for your security folks?
• Portal firewall needs: 7080, 7443, 7654, etc.

What's coming? 10.4

10.4 Security Relevant Updates

• Component version refresh (JDK, Tomcat, etc.)
• Requires .NET Framework 4.5 on Windows; Windows 10 support
• HTTP and HTTPS are now enabled by default on ArcGIS Server
• Python script that performs a security check for problems based on the best practices for configuring a secure environment for ArcGIS Server
• Portal can create groups that allow members to update shared items
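The security considerations listed earlier and the 10.4 security-check script point the same way: the questions a security team asks of a Portal and Server deployment are mechanical enough to be re-asked on every change. The following is an added example in that spirit, not Esri's script and not Esri code: it audits a configuration snapshot against the checklist from the earlier slide (HTTPS only, CA-signed certificates, anonymous access, "Share with Everyone", password policy for built-in users, token expiration, trusted servers for CORS) plus the protocol restriction that 10.4 adds. The two configuration dicts are constructed snapshots whose key names are assumed for the example, not the Portal or Server Admin API's JSON, and the thresholds are assumed policy values.

```python
"""The checklist on the earlier slide as a repeatable audit, in the spirit
of the 10.4 security-check script. Added example, not Esri's script: the
config dicts are constructed snapshots with assumed key names, not the
Portal or Server Admin API JSON, and the thresholds are assumed policy."""

MAX_SHORT_TOKEN_MINUTES = 60          # assumed policy: short-lived tokens
MAX_LONG_TOKEN_MINUTES = 7 * 24 * 60  # assumed policy: long-lived tokens
MIN_PASSWORD_LENGTH = 12              # assumed policy for built-in users
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}


def audit(cfg):
    """Return (severity, setting, message) findings; an empty list is clean."""
    findings = []

    def flag(sev, key, msg):
        findings.append((sev, key, msg))

    # HTTPS only: HTTP_AND_HTTPS still accepts cleartext requests.
    if cfg.get("protocol") != "HTTPS":
        flag("high", "protocol", "HTTP still accepted; restrict to HTTPS only")
    # CA-signed certificate: a self-signed cert has issuer == subject.
    cert = cfg.get("certificate", {})
    if cert.get("issuer") == cert.get("subject"):
        flag("medium", "certificate", "self-signed certificate; install a CA-signed one")
    # Anonymous access to the portal.
    if cfg.get("allow_anonymous_access"):
        flag("medium", "allow_anonymous_access", "anonymous browsing enabled; disable unless intended")
    # "Share with Everyone" belongs to a custom role, not the default user role.
    if "user" in cfg.get("roles_with_share_public", []):
        flag("medium", "roles_with_share_public", "default user role can share publicly; use a custom role")
    # Password policy applies to built-in users only.
    pw = cfg.get("password_policy", {})
    if cfg.get("identity_store") == "builtin" and (
            pw.get("min_length", 0) < MIN_PASSWORD_LENGTH or not pw.get("require_complexity")):
        flag("medium", "password_policy", "weak built-in password policy (length/complexity)")
    # Token lifetimes against policy.
    tok = cfg.get("token_expiration_minutes", {})
    if tok.get("short", 0) > MAX_SHORT_TOKEN_MINUTES or tok.get("long", 0) > MAX_LONG_TOKEN_MINUTES:
        flag("low", "token_expiration_minutes", "token lifetimes exceed policy")
    # Trusted servers receive the user's credentials via CORS: no wildcards, no cleartext.
    origins = cfg.get("trusted_servers", [])
    if "*" in origins or any(o.startswith("http://") for o in origins):
        flag("high", "trusted_servers", "wildcard or http:// entry in trusted servers")
    # Protocol versions on the internal web server (restrictable from 10.4).
    weak = WEAK_TLS & set(cfg.get("tls_protocols", []))
    if weak:
        flag("high", "tls_protocols", "weak protocols enabled: %s" % ", ".join(sorted(weak)))
    return findings


# Constructed snapshots: an out-of-the-box-looking deployment and a hardened one.
WEAK_CONFIG = {
    "protocol": "HTTP_AND_HTTPS",
    "certificate": {"subject": "CN=portal.example.org", "issuer": "CN=portal.example.org"},
    "allow_anonymous_access": True,
    "roles_with_share_public": ["administrator", "publisher", "user"],
    "identity_store": "builtin",
    "password_policy": {"min_length": 8, "require_complexity": False},
    "token_expiration_minutes": {"short": 120, "long": 20160},
    "trusted_servers": ["*"],
    "tls_protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
}
HARDENED_CONFIG = {
    "protocol": "HTTPS",
    "certificate": {"subject": "CN=portal.example.org", "issuer": "CN=Example Corp Issuing CA"},
    "allow_anonymous_access": False,
    "roles_with_share_public": ["administrator"],
    "identity_store": "builtin",
    "password_policy": {"min_length": 14, "require_complexity": True},
    "token_expiration_minutes": {"short": 60, "long": 1440},
    "trusted_servers": ["https://server.example.org"],
    "tls_protocols": ["TLSv1.2"],
}


def demo():
    """Audit the constructed weak and hardened snapshots side by side."""
    return {"weak": audit(WEAK_CONFIG), "hardened": audit(HARDENED_CONFIG)}
```

To use this against a real deployment, replace the constructed dicts with values read from the Portal and Server administrative interfaces and keep the check functions unchanged; the point is that every answer on the "Other Security Considerations" slide becomes a finding with a severity rather than a conversation that happens once at install time.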


10.4 Security Relevant Updates (continued)

• Portal 10.4 introduces a new security option for federated servers: you can update a federated server to control which portal members have administrative and publisher access to the server.
• Restrict SSL protocols and cipher suites used by Portal's internal web server
• More located here...

Summary

• Securing ArcGIS for Server
• Authentication
• Securing web services
• Incorporating Portal for ArcGIS
• Enterprise groups
• Summary

Questions??? Thank you for your time!
