ArcGIS Server and Portal for ArcGIS: An Introduction to Security
Michael Sarhan & Bill Major
February 24–25, 2016 | Washington, DC
FedGIS Conference
Using Portal with ArcGIS Server
Portal and Server: A Tale of Two Security Models
• Portal for ArcGIS
  - Permissions set by item owner
  - Can be changed by administrators
• ArcGIS Server
  - Permissions can be set by any publisher/administrator
(Diagram: ArcGIS Server hosts web services; Portal items are web maps, web apps and data)
Portal for ArcGIS Access
• Anonymous → Unauthenticated
• User → Valid login to access
• Role → Grouping of users
  - 3 types:
    1. Administrators – Full admin control
    2. Publishers – Publish web services
    3. Users – View web services
    4. Custom Roles
• Identity store → Defines your users
Portal for ArcGIS Security: Integrates with Your Enterprise Security Infrastructure
• Authentication
  - Web tier authentication, including Windows Authentication & PKI
  - SAML (10.3)
  - Portal tier authentication combining both built-in and enterprise users (10.3.1)
• Users, Roles, and Groups
  - Users: Built-in; Enterprise (Active Directory, LDAP)
  - Roles: Anonymous, User, Publisher, Administrator, Custom roles (10.3)
  - Groups: Built-in; Enterprise groups (10.3)
How to Choose Identity Store for Portal for ArcGIS
• SAML – if the org has an identity provider (IDP)
• Windows Active Directory or LDAP – all internal users; supports web tier authentication
• Built-in – if the users are mostly external (no IDP)
SAML – Conceptual Workflow
Participants: Client (browser), Portal for ArcGIS (with a federated ArcGIS for Server), 3rd-party Identity Provider (IDP)
1. User attempts to login
2. Portal redirects client to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
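The six-step exchange above, played out in code as an added example (not Esri code and not the slide deck's own material). The IdP URL, portal URL, user store and signing secret are constructed placeholders, and a signed dictionary stands in for a real XML-signed SAML Response so the flow runs offline; the verification checks in step 6 (signature, issuer, audience, request id, expiry, one-time use) are the ones a portal must perform before trusting the assertion.

```python
"""Constructed walk-through of the SAML workflow on the slide.

Added example, not Esri code. A signed dict stands in for an XML-signed
SAML Response; IDP_ISSUER, PORTAL_AUDIENCE, IDP_SIGNING_SECRET and the
user store are constructed placeholders.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

IDP_ISSUER = "https://idp.example.org"                # constructed 3rd-party IDP
PORTAL_AUDIENCE = "https://portal.example.org/arcgis" # constructed Portal URL
IDP_SIGNING_SECRET = b"constructed-idp-secret"         # stand-in for the IDP signing key


def _sign(payload: Dict) -> str:
    """HMAC over a canonical JSON form; stands in for the XML signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_SECRET, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Steps 3 and 4: checks credentials and issues a signed response."""

    def __init__(self, users: Dict[str, str]):
        self._users = users  # username -> password (constructed store)

    def authenticate(self, request_id: str, username: str, password: str) -> Dict:
        if self._users.get(username) != password:
            raise PermissionError("IDP rejected credentials")
        payload = {
            "issuer": IDP_ISSUER,
            "audience": PORTAL_AUDIENCE,      # which portal this response is for
            "in_response_to": request_id,     # ties the response to step 2
            "subject": username,
            "not_on_or_after": time.time() + 300,
        }
        return {"payload": payload, "signature": _sign(payload)}


class Portal:
    """Steps 1, 2 and 6: redirects to the IDP and verifies what comes back."""

    def __init__(self):
        self._pending = set()   # request ids issued but not yet consumed
        self.logged_in = {}

    def begin_login(self) -> Tuple[str, str]:
        """Steps 1 and 2: issue a request id and the redirect to the IDP."""
        request_id = secrets.token_hex(8)
        self._pending.add(request_id)
        return request_id, f"{IDP_ISSUER}/sso?SAMLRequest={request_id}"

    def consume_response(self, response: Dict, now: Optional[float] = None) -> str:
        """Steps 5 and 6: verify the posted response before logging the user in."""
        now = time.time() if now is None else now
        payload, sig = response["payload"], response["signature"]
        if not hmac.compare_digest(sig, _sign(payload)):
            raise PermissionError("bad signature")
        if payload["issuer"] != IDP_ISSUER:
            raise PermissionError("unexpected issuer")
        if payload["audience"] != PORTAL_AUDIENCE:
            raise PermissionError("response not intended for this portal")
        if payload["in_response_to"] not in self._pending:
            raise PermissionError("unsolicited or replayed response")
        if now >= payload["not_on_or_after"]:
            raise PermissionError("assertion expired")
        self._pending.discard(payload["in_response_to"])  # one-time use
        self.logged_in[payload["subject"]] = True
        return payload["subject"]


def run_flow(username: str = "alice", password: str = "correct horse") -> str:
    """Drive all six steps for one constructed user and return the logged-in subject."""
    idp = IdentityProvider({"alice": "correct horse"})
    portal = Portal()
    request_id, _redirect_url = portal.begin_login()
    response = idp.authenticate(request_id, username, password)
    return portal.consume_response(response)
```

The `in_response_to` bookkeeping is what makes step 6 reject a response the portal never asked for or one posted twice; a real deployment additionally validates the XML signature against the IDP certificate configured in Portal.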
PKI Client Certificate Authentication – Conceptual Workflow
Participants: Client, Web Server, Portal for ArcGIS (with a federated ArcGIS Server), Identity Store (AD or LDAP)
1. Present PKI certificate
2. Authenticate against identity store
3. Pass user identity through to Portal
4. Get additional user information; enterprise groups
Portal for ArcGIS Sharing Model
Item Sharing Options
• Everyone – makes items public
• Your Portal – only Portal users can search and find items
• Groups – Share an item with a group; restricts access to a smaller, more focused set of people.
• Groups and Your Portal or Everyone – share with a larger audience (everyone or your portal) and also share it with a specific group. This allows you to categorize your item as especially relevant to a particular group while still making it available to others in your organization.
• Can I share a group? Yes!
• Can I re-share another user’s item? Yes, but only if it is public.
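The access rules from the "Portal for ArcGIS Access" slide (roles) and the sharing options above, written as one small authorization model. This is an added example, not Esri code: the users, groups and items are constructed, and the rules encode only what the slides state (owner or administrator changes sharing; publishers and administrators publish; re-sharing another user's item only when it is public).

```python
"""Constructed model of the Portal for ArcGIS access and sharing rules.

Added example, not Esri code. Names, groups and items are made up; the
rules are those stated on the slides.
"""
from dataclasses import dataclass, field
from typing import Set

ROLES = ("anonymous", "user", "publisher", "administrator")


@dataclass
class User:
    name: str
    role: str = "user"                       # one of ROLES
    groups: Set[str] = field(default_factory=set)


@dataclass
class Item:
    owner: str
    everyone: bool = False                   # "Everyone": public
    your_portal: bool = False                # "Your Portal": any signed-in member
    groups: Set[str] = field(default_factory=set)  # "Groups": named groups only


ANONYMOUS = User("anonymous", "anonymous")


def can_view(user: User, item: Item) -> bool:
    """Can this user search for and find the item under its sharing options?"""
    if item.everyone:
        return True                          # public items are visible to anyone
    if user.role == "anonymous":
        return False                         # everything else needs a valid login
    if user.name == item.owner or user.role == "administrator":
        return True                          # owner always; admins manage all items
    if item.your_portal:
        return True                          # shared with the whole portal
    return bool(user.groups & item.groups)   # shared with a group the user is in


def can_change_sharing(user: User, item: Item) -> bool:
    """Permissions are set by the item owner and can be changed by administrators."""
    return user.name == item.owner or user.role == "administrator"


def can_reshare(user: User, item: Item) -> bool:
    """Re-sharing another user's item is allowed only if the item is public."""
    if can_change_sharing(user, item):
        return True
    return item.everyone and user.role != "anonymous"


def can_publish(user: User) -> bool:
    """Publishers and administrators publish web services (and, on ArcGIS Server,
    set service permissions)."""
    return user.role in ("publisher", "administrator")
```

A custom role (10.3) would be expressed here as a fifth role value with its own answers from these functions, for example a role that can publish but cannot share with everyone.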
Portal – Server Federation
• Allows a single sign-on (SSO) experience between Portal and Server
• Permissions are all managed in Portal
• ArcGIS Server site must be HTTPS enabled
• When to use:
  - Desire for SSO user experience
• When NOT to use:
  - When Portal/Server are in different physical locations
  - Portal and Server are different releases
(Diagram: Portal for ArcGIS with its identity store, federated with ArcGIS Server)
Portal Tier Authentication
• Portal takes on security role
• Must use ArcGIS Web Adaptor
• Can use built-in or enterprise users
(Diagram: Client → Web Server with Web Adaptor → 1. Access to Portal (Portal for ArcGIS with its identity store) → 2. Access to Server (ArcGIS for Server with server directories and configuration store))
Web Tier Authentication
• Web tier takes on security role
• Must use ArcGIS Web Adaptor
• Can use enterprise users, PKI, or custom techniques
(Diagram: Client → Web Server with Web Adaptor, where authentication happens → 1. Access to Portal (Portal for ArcGIS with its identity store) → 2. Access to Server (ArcGIS for Server with server directories and configuration store))
Enterprise Groups in Portal for ArcGIS
(Diagram: an "Exploration" group in Windows Active Directory or LDAP is mapped to the enterprise group "Explore" in Portal for ArcGIS)
Portal for ArcGIS: Federation and Enterprise Groups
Other Portal for ArcGIS Security Considerations
• HTTPS only?
  - Use CA-signed certificates
• Do you want to allow anonymous access to your Portal?
• Should users be able to “Share with Everyone”?
  - Custom roles
• Enforce a password policy (built-in users only)
• Specify trusted servers for passing credentials via CORS
• Do the default token expiration times work for your security folks?
• Portal firewall needs: 7080, 7443, 7654, etc.
What’s coming? 10.4
10.4 Security Relevant Updates
• Component version refresh (JDK, Tomcat, etc.)
• Requires .NET Framework 4.5 on Windows; Windows 10 support
• HTTP and HTTPS are now enabled by default on ArcGIS Server
• Python script that performs a security check for problems based on the best practices for configuring a secure environment for ArcGIS Server.
• Portal can create groups that allow members to update shared items
• Portal 10.4 introduces a new security option for federated servers. You can update a federated server to control which portal members have administrative and publisher access to the server.
• Restrict SSL protocols and cipher suites used by Portal’s internal web server
• More located here...
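A best-practice check in the spirit of the 10.4 security-check script, covering the items on the "Other Security Considerations" slide and the protocol/cipher restriction above. This is an added example and not Esri's script: the configuration is a constructed flat dictionary (its keys are not the ArcGIS admin API), and the allowed protocol set, weak-cipher markers and token-lifetime limit are a sample policy to adjust locally. Note that it flags the 10.4 default of HTTP and HTTPS both enabled, since HTTPS only is the recommended end state.

```python
"""Constructed security best-practice checker for a Portal/Server deployment.

Added example, not Esri's security check script. WEAK_CONFIG and
HARDENED_CONFIG are constructed sample settings; the thresholds are a
sample policy.
"""
from typing import Dict, List

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}            # sample policy
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "anon")
MAX_TOKEN_MINUTES = 120                                # sample policy


def check_config(cfg: Dict) -> List[str]:
    """Return one finding per best-practice violation; empty list means clean."""
    findings: List[str] = []
    # HTTPS only, with a CA-signed certificate
    if cfg.get("protocol") != "HTTPS":
        findings.append(f"protocol is {cfg.get('protocol')!r}; use HTTPS only")
    if cfg.get("certificate_self_signed", True):
        findings.append("certificate is self-signed; use a CA-signed certificate")
    # anonymous access and public sharing are deliberate choices, so surface them
    if cfg.get("allow_anonymous_access"):
        findings.append("anonymous access to Portal is enabled; confirm this is intended")
    if cfg.get("members_can_share_with_everyone"):
        findings.append("members can 'Share with Everyone'; restrict via a custom role if unwanted")
    # password policy applies to the built-in identity store only
    if cfg.get("identity_store") == "built-in" and not cfg.get("password_policy"):
        findings.append("built-in identity store without a password policy")
    # trusted servers receive credentials via CORS: no wildcards, HTTPS only
    for origin in cfg.get("trusted_servers", []):
        if origin == "*" or not origin.startswith("https://"):
            findings.append(f"trusted server {origin!r} is a wildcard or not HTTPS")
    # token lifetime against the local policy
    minutes = cfg.get("token_expiration_minutes", 0)
    if minutes > MAX_TOKEN_MINUTES:
        findings.append(f"token expiration {minutes} min exceeds policy of {MAX_TOKEN_MINUTES} min")
    # TLS protocol versions and cipher suites of the internal web server
    for proto in cfg.get("ssl_protocols", []):
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(f"SSL/TLS protocol {proto} is not in the allowed set")
    for suite in cfg.get("cipher_suites", []):
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"cipher suite {suite} is weak")
    return findings


# Constructed sample: a freshly installed site with permissive settings.
WEAK_CONFIG = {
    "protocol": "HTTP and HTTPS",
    "certificate_self_signed": True,
    "allow_anonymous_access": True,
    "members_can_share_with_everyone": True,
    "identity_store": "built-in",
    "password_policy": None,
    "trusted_servers": ["*", "http://gis.example.org"],
    "token_expiration_minutes": 1440,
    "ssl_protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
    "cipher_suites": ["TLS_RSA_WITH_RC4_128_SHA",
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
}

# Constructed sample: the same site after hardening.
HARDENED_CONFIG = {
    "protocol": "HTTPS",
    "certificate_self_signed": False,
    "allow_anonymous_access": False,
    "members_can_share_with_everyone": False,
    "identity_store": "enterprise",
    "password_policy": None,
    "trusted_servers": ["https://gis.example.org"],
    "token_expiration_minutes": 60,
    "ssl_protocols": ["TLSv1.2"],
    "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for line in check_config(WEAK_CONFIG):
        print("FINDING:", line)
```

Run it against a configuration exported from your own site; every finding maps back to one bullet on the considerations slide, which makes the output easy to hand to the security reviewers the slide mentions.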
Summary
• Securing ArcGIS for Server
• Authentication
• Securing web services
• Incorporating Portal for ArcGIS
• Enterprise groups
• Summary
Questions??? Thank you for your time!