FedGIS Conference, February 24-25, 2016, Washington, DC
ArcGIS Server and Portal for ArcGIS: An Introduction to Security
Michael Sarhan & Bill Major

Using Portal with ArcGIS Server
Portal and Server: A Tale of Two Security Models
Portal for ArcGIS (portal items: web maps, web apps)
- Permissions set by item owner
- Can be changed by administrators
ArcGIS Server (web services, data)
- Permissions can be set by any publisher/administrator
Portal for ArcGIS Access
- Identity store: defines your users
- Anonymous: unauthenticated user
- User: valid login required to access
- Role: grouping of users, 3 types
1. Administrators: full admin control
2. Publishers: publish web services
3. Users: view web services
4. Custom roles: custom set of permissions
Portal for ArcGIS Security: Integrates with Your Enterprise Security Infrastructure
Authentication
- Web tier authentication, including Windows Authentication & PKI
- SAML (10.3)
- Portal tier authentication combining both built-in and enterprise users (10.3.1)
Users, Roles, and Groups
- Users: built-in; enterprise (Active Directory, LDAP)
- Roles: Anonymous, User, Publisher, Administrator, custom roles (10.3)
- Groups: built-in; enterprise groups (10.3)
How to Choose an Identity Store for Portal for ArcGIS
- If the org has an identity provider: SAML
- All internal users: Windows Active Directory or LDAP (supports web tier authentication)
- If the users are mostly external (no IDP): built-in
SAML Conceptual Workflow (client, Portal for ArcGIS, third-party Identity Provider (IDP), federated ArcGIS for Server)
1. User attempts to log in to Portal
2. Portal redirects client to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
PKI Client Certificate Authentication Conceptual Workflow (client, web server, Portal for ArcGIS, identity store (AD or LDAP), federated ArcGIS Server)
1. Client presents PKI certificate to the web server
2. Web server authenticates against the identity store
3. User identity is passed through to Portal
4. Portal gets additional user information (enterprise groups) from the identity store
Portal for ArcGIS Sharing Model: Item Sharing Options
- Everyone: makes items public
- Your Portal only: portal users can search and find items
- Groups: share an item with a group; restricts access to a smaller, more focused set of people
- Groups and Your Portal or Everyone: share with a larger audience (everyone or your portal) and also share it with a specific group. This allows you to categorize your item as especially relevant to a particular group while still making it available to others in your organization.
Can I share a group? Yes!
Can I re-share another user's item? Yes, but only if it is public.
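The sharing rules above (owner/administrator control, Everyone, Your Portal, Groups, and re-sharing only of public items), modelled as an added Python example; this is not Esri's code, and the class and function names are assumptions made for illustration:

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Share(Enum):
    PRIVATE = "private"    # only the owner (and administrators) can see the item
    PORTAL = "portal"      # "Your Portal only": any signed-in portal member
    EVERYONE = "everyone"  # public: visible to anonymous users as well


@dataclass
class Item:
    owner: str
    level: Share = Share.PRIVATE
    groups: Set[str] = field(default_factory=set)  # groups the item is also shared with


@dataclass
class User:
    name: Optional[str]          # None models an anonymous (unauthenticated) user
    role: str = "user"           # "administrator", "publisher" or "user"
    groups: Set[str] = field(default_factory=set)


def can_view(user: User, item: Item) -> bool:
    """Can this user find and open the item under the portal sharing model?"""
    if item.level is Share.EVERYONE:
        return True                          # public items need no login
    if user.name is None:
        return False                         # anonymous users see only public items
    if user.role == "administrator" or user.name == item.owner:
        return True                          # owner and administrators always have access
    if item.level is Share.PORTAL:
        return True                          # shared with the whole portal
    return bool(item.groups & user.groups)   # otherwise only through a shared group


def can_change_sharing(user: User, item: Item) -> bool:
    """Permissions are set by the item owner and can be changed by administrators."""
    return user.name is not None and (user.name == item.owner or user.role == "administrator")


def can_reshare(user: User, item: Item) -> bool:
    """Another user may re-share an item only if it is already public."""
    if can_change_sharing(user, item):
        return True
    return user.name is not None and item.level is Share.EVERYONE
```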
Portal-Server Federation
- Allows a single sign-on (SSO) experience between Portal and Server
- Permissions are all managed in Portal
- ArcGIS Server site must be HTTPS enabled
When to use:
- Desire for SSO user experience
When NOT to use:
- When Portal/Server are in different physical locations
- Portal and Server are different releases
Portal Tier Authentication
- Portal takes on the security role
- Must use ArcGIS Web Adaptor
- Can use built-in or enterprise users
Flow: client -> web server (Web Adaptor) -> 1. access to Portal; 2. access to Server. Portal for ArcGIS uses the identity store; ArcGIS for Server uses its configuration store and server directories.
Web Tier Authentication
- Web tier takes on the security role
- Must use ArcGIS Web Adaptor
- Can use enterprise users, PKI, or custom techniques
Flow: client -> web server (Web Adaptor) -> 1. access to Portal; 2. access to Server. Portal for ArcGIS uses the identity store; ArcGIS for Server uses its configuration store and server directories.
Enterprise Groups in Portal for ArcGIS
Windows Active Directory or LDAP group "Exploration Group X" maps to the Portal for ArcGIS enterprise group "Explore X".
Portal for ArcGIS Federation and Enterprise Groups
Other Portal for ArcGIS Security Considerations
- HTTPS only? Use CA-signed certificates
- Do you want to allow anonymous access to your Portal?
- Should users be able to share with Everyone? Use custom roles
- Enforce a password policy (built-in users only)
- Specify trusted servers for passing credentials via CORS
- Do the default token expiration times work for your security folks?
- Portal firewall needs: 7080, 7443, 7654, etc.

What's coming? 10.4
10.4 Security Relevant Updates
- Component version refresh (JDK, Tomcat, etc.)
- Requires .NET Framework 4.5 on Windows; Microsoft 10 support
- HTTP and HTTPS are now enabled by default on ArcGIS Server
- Python script that performs a security check for problems based on the best practices for configuring a secure environment for ArcGIS Server
- Portal can create groups that allow members to update shared items
- Portal 10.4 introduces a new security option for federated servers: you can update a federated server to control which portal members have administrative and publisher access to the server
- Restrict SSL protocols and cipher suites used by Portal's internal web server
- More located here...
Summary
- Securing ArcGIS for Server
- Authentication
- Securing web services
- Incorporating Portal for ArcGIS
- Enterprise groups