Authentication is the process of verifying who is at the other end of a transmission.

There is a large selection of authentication options available across the enterprise. Common enterprise authentication mechanisms utilize web server, JavaEE container managed, or single-sign-on gateway solutions.

This section provides authentication options for the three primary GIS solution access mechanisms:

  • Web applications
  • Web services
  • Local connections

 

Authentication Options

None

  • Default ArcGIS Server configuration to help ease initial setup. This is not recommended from a security perspective.

ArcGIS Server Local Connections

  • Handled by the operating system's agsusers and agsadmin groups on the SOM server.
  • Once a member of the agsadmin or agsusers group has connected to the server, he or she will have access to all of the services running on the server.
  • Restricting access to some services, but not others, on the same server is only available through Internet connections.
  • If you don't want users to make local connections to your services, you can choose to keep the agsusers group empty.

Web Server Authentication

  • Basic – Client authenticated by using the username and password against a directory. Client credentials transported by Base64 encode string which is literally like clear text and therefore not the most secure option. To improve security the service is authenticated by an SSL certificate and HTTPS is utilized.
  • Digest – Typically not utilized.
  • Integrated Windows Authentication – Can provide a Single-Sign-On experience for Intranet users who have Internet Explorer browsers. Utilizes Kerberos in a domain or NTLM when deployed in a workgroup environment.
  • Certificate – The caller presents an X.509 client certificate that the web server then validates.

JavaEE Container Managed Security

  • Control security of Web Services and Web Applications
  • Basic, Digest, or Forms based login control
  • User interface driven through ArcGIS Server Manager
  • Configure your application container with an appropriate group of users and roles
  • See your JavaEE container documentation on how to setup a group of users and roles

ArcGIS Server Token Service

  • Introduced with ArcGIS Server 9.3
  • Cross Development Platform
  • Cross-API – SOAP & REST
  • Cross-Product – Desktop, Explorer, Web Service and Applications
  • Not SAML Based Tokens
    • Depending on customer feedback/demand ESRI can consider providing an extensible token service that could consume SAML or CAS based tokens.

ArcGIS Forms-based authentication

  • Used for Web Applications
  • Browser users will see a form on a Web page for login

Concurrent Multiple Authentication Method Support

User and Role Storage

When utilizing the ArcGIS Server Security model you have a large variety of data store options to authenticate your users and roles against.

Java

  • Apache Derby (Default)
    • Users, Roles and Permissions may be fully managed within ArcGIS Server Manager
  • External Database
    • Users, Roles and Permissions may be fully managed within ArcGIS Server Manager
    • Existing information in a relational database cannot be utilized
  • LDAP
    • ArcGIS Server Manager has only Read accessto Users and Roles so permissions can be assigned
  • MS-Active Directory
    • ArcGIS Server Manager has only Read access to Users and Roles so permissions can be assigned
  • Custom Principal

.NET

  • Windows Users & Groups (Default)
    • Typical for Local Network users and combined with Windows Integrated Authentication provides an SSO experience for users
    • Users and groups managed by Operating System tools for the local web server accounts or Domain accounts
    • Permissions to services managed by ArcGIS Server Manager
    • Utilizes any of the Web Server Authentication options mentioned above
    • Some customers prefer setting the Active Directory provider depending on requirements, but additional configuration is required
  • SQL Server
    • Users, roles and permissions all managed within ArcGIS Server Manager
  • Custom Providers
    • ASP .Net Active Directory Provider
      • Similar to Windows Users & Groups options, but provides additional implementation options at the expense of significant additional configuration
      • Allows utilization of token service for Web Applications by embedding login UI into a Web page
      • Allows hiding of the domain name (if applicable)
      • Allows access for Anonymous roles
      • Can be utilized in conjunction with MS AZMan for management
      • Role-Based Access Control Using Authorization Manager

 

Filed under: