Using your portal with LDAP and web-tier authentication
You can configure your portal to use the same Lightweight Directory Access Protocol (LDAP) that your organization uses for authenticating users. In order to use LDAP with your portal, you'll need to do the following:
- Configure your portal with the LDAP used in your organization.
- Set up web-tier authentication on your portal's Web Adaptor.
- Grant one of your LDAP users administrator privileges to the portal.
To get started, follow the steps in the sections below.
Configure your portal with LDAP
First, configure your portal to use SSL exclusively. This is set on the Security page in the portal website.
- Sign in to the portal website as the portal administrator.
- Click Edit Settings on the My Organization page.
- Click Security.
- Check Allow access to the portal through SSL only.
- Click Save to apply your changes.
Next, update your portal's identity store to use your organization's LDAP. To do this, you'll need to edit some properties in the portal-config.properties file, as described below.
- On the machine hosting Portal for ArcGIS, browse to <Portal for ArcGIS installation directory>\etc on Windows and open the portal-config.properties file in a text editor using the Run As Administrator option. On Linux, browse to <Portal for ArcGIS installation directory>/etc and open the file in a text editor.
- Uncomment the following lines found under the IDP section of the file by removing the pound sign (#) at the beginning of each line:
#idp.type=
#idp.ldap.user=
#idp.ldap.userpassword=
#idp.userpassword.encrypted=
#idp.ldap.url=
#idp.ldap.usernameattribute=
#idp.ldap.user.fullnameattribute=
#idp.ldap.user.emailattribute=
- Set the following values for these entries:
Set idp.type to LDAP.
Set idp.ldap.user and idp.ldap.userpassword to a user within your LDAP. The portal will use this user to look up authenticated users and determine their full names and email addresses so their profiles are correctly populated. When you provide the password, you will enter it in clear text. However, after you restart the portal at the end of this topic, the password will be encrypted and won't be displayed in clear text.
Note: If the account name or password contains dot (.), comma (,), or backslash (\) characters, you must place a backslash in front of each such character. The backslash serves as an escape character.
Change the idp.userpassword.encrypted to false. By setting this to false, the portal will automatically encrypt the password the next time it restarts. After the portal restarts, it will set this value to true automatically.
Set idp.ldap.url to the location in your LDAP tree where your users reside. The URL is likely to be different for each organization, so you will need someone in your organization to provide it.
Set idp.ldap.usernameattribute to the attribute in your LDAP schema that uniquely identifies users. This is often uid or cn, but it can be other values as well. Contact your LDAP administrator for the appropriate value.
Set idp.ldap.user.fullnameattribute to be the LDAP attribute that contains the full names of users, for example, John Doe. This value is used to correctly populate the full names of users in each member profile in the portal. Contact your LDAP administrator for the appropriate value.
Set idp.ldap.user.emailattribute to be the LDAP attribute that contains the email addresses of users. This value is used to correctly populate the email addresses of users in each member profile in the portal. Contact your LDAP administrator for the appropriate value. If this value is not provided, member accounts in the portal will not include the user's email address.
The following are example settings for LDAP:
idp.type=LDAP
idp.ldap.user=uid=admin\,ou=system
idp.ldap.userpassword=secret
idp.userpassword.encrypted=false
idp.ldap.url=ldap://bar2:10389/ou=users\,ou=ags\,dc=example\,dc=com
idp.ldap.usernameattribute=cn
idp.ldap.user.fullnameattribute=cn
idp.ldap.user.emailattribute=email
- Save and close the portal-config.properties file.
- Stop and then start the portal. You can do this from a command prompt or, on Windows operating systems, from the Windows Services interface. For more information, see Stopping and starting the portal.
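The following is an added example, not part of the Esri documentation or the Portal for ArcGIS product: a small Python checker you can run against your portal-config.properties before restarting the portal. It applies the escaping rule above (a backslash before dot, comma and backslash) to a bind DN, and verifies that every idp.* entry is uncommented and set as the steps describe. The sample file content in SAMPLE_PROPERTIES is constructed from the example settings above; the function names are this example's own.

```python
"""
Added example (not from the Esri documentation): checks the idp.* entries in
portal-config.properties and applies the documented escaping rule to values.
SAMPLE_PROPERTIES is constructed for illustration from the page's example.
"""
import re

# The entries the steps say must be uncommented and filled in.
REQUIRED_KEYS = (
    "idp.type",
    "idp.ldap.user",
    "idp.ldap.userpassword",
    "idp.userpassword.encrypted",
    "idp.ldap.url",
    "idp.ldap.usernameattribute",
    "idp.ldap.user.fullnameattribute",
    "idp.ldap.user.emailattribute",
)

# Constructed sample: the IDP section as it should look before the restart.
SAMPLE_PROPERTIES = """\
# IDP section (constructed sample)
idp.type=LDAP
idp.ldap.user=uid=admin\\,ou=system
idp.ldap.userpassword=secret
idp.userpassword.encrypted=false
idp.ldap.url=ldap://bar2:10389/ou=users\\,ou=ags\\,dc=example\\,dc=com
idp.ldap.usernameattribute=cn
idp.ldap.user.fullnameattribute=cn
idp.ldap.user.emailattribute=email
"""


def escape_value(value: str) -> str:
    """Put a backslash in front of every '.', ',' and '\\' (the documented rule)."""
    return re.sub(r"([.,\\])", r"\\\1", value)


def unescape_value(value: str) -> str:
    """Reverse of escape_value: drop the backslash that precedes an escaped char."""
    return re.sub(r"\\(.)", r"\1", value)


def has_unescaped(value: str, chars: str) -> bool:
    """True if value contains one of chars that is not preceded by a backslash.
    Scans left to right so an escaped backslash ('\\\\') is handled correctly."""
    i = 0
    while i < len(value):
        if value[i] == "\\":
            i += 2  # skip the escape and the character it protects
            continue
        if value[i] in chars:
            return True
        i += 1
    return False


def parse_properties(text: str) -> dict:
    """Map key -> raw (still escaped) value for every uncommented key=value line.
    Lines that start with '#' are skipped, so an entry that is still commented
    out shows up as missing."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # value may itself contain '='
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_idp_config(text: str) -> list:
    """Return a list of findings; an empty list means the section is ready."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"{key} is missing or still commented out")
    if props.get("idp.type") != "LDAP":
        findings.append("idp.type must be LDAP")
    if props.get("idp.userpassword.encrypted") != "false":
        findings.append("idp.userpassword.encrypted must be false so the "
                        "portal encrypts the password on the next restart")
    if not props.get("idp.ldap.url", "").startswith(("ldap://", "ldaps://")):
        findings.append("idp.ldap.url must be an ldap:// or ldaps:// URL")
    # Account name and password must follow the escaping rule.
    for key in ("idp.ldap.user", "idp.ldap.userpassword"):
        if has_unescaped(props.get(key, ""), ".,"):
            findings.append(f"{key} contains an unescaped '.' or ','")
    return findings


if __name__ == "__main__":
    print("escaped DN:", escape_value("uid=admin,ou=system"))
    for finding in check_idp_config(SAMPLE_PROPERTIES) or ["no findings"]:
        print(finding)
```

To check a real file, read it with `open(path, encoding="utf-8").read()` and pass the text to `check_idp_config`; run it before the restart step, since once the portal has restarted the password entry is encrypted and `idp.userpassword.encrypted` is expected to read `true`.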
Set up web-tier authentication on your portal's Web Adaptor
LDAP requires web-tier authentication, which must be done with the ArcGIS Web Adaptor (Java Platform). The Web Adaptor relies on the Java application server to authenticate the user and provide the Web Adaptor with the account name of the user. Once it has the account name, it passes that to the portal.
Once you've installed and configured the Web Adaptor with your portal, you'll need to configure an LDAP realm on your Java application server and configure the authentication method for the Web Adaptor. For instructions, consult the product documentation for your Java application server or consult your system administrator.
Designate an LDAP account as an administrator
To add your account to the portal, open the portal website home page while logged in with the LDAP account. Depending on your browser and settings, you may be prompted to sign in, or you will be signed in automatically.
When an account is first added to the portal, it is assigned the User role. Only an administrator can change the role on an account; therefore, you must log in to the portal using the initial administrator account and assign an LDAP account to the Administrator role. Since your Web Adaptor is set for LDAP authentication, you must connect to the portal through port 7443 rather than the Web Adaptor URL to sign in using the initial administrator account.
- Open a browser and connect to your portal website through port 7443, for example, https://portal.domain.com:7443/arcgis/home.
- Sign in using the initial administrator account you created when you first set up your portal.
- For the LDAP account you will use to administer your portal, change the role to Administrator.
- Sign out of the website.
When you are logged in to your computer with this LDAP account, you can now connect to your portal through the Web Adaptor URL and administer the portal. Now that you have an alternate administrator, you can assign the initial administrator account to the User role or delete the account.
If you'll be adding an ArcGIS Server site to your portal and want to use web-tier authentication with the server, such as Integrated Windows Authentication (IWA), you'll need to disable web-tier authentication on your ArcGIS Server site and enable anonymous access before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federating an ArcGIS Server site with your portal.
Disable users from creating their own accounts
After you've secured access to your portal, configure your portal so that users are prevented from creating their own accounts. This allows you to force users to sign in with their enterprise credentials and prevents unnecessary members from being created. The way you do this is by modifying a property in the config.js.bak file which disables the Create an account button and sign-up page (signup.html) in the portal website:
- Browse to <Portal for ArcGIS installation directory>\webapps\arcgis#home\js\esri\arcgisonline and open config.js.bak in a text editor.
- Locate the showSignUp property and specify the value as false.
- Save and close the file.
- To apply your edits, restart your portal.
- After the portal restarts, clear your browser's cache to see the changes in the portal website.