Adding secured services

ArcGIS Viewer for Silverlight allows you to add secure services from ArcGIS for Server and ArcGIS Online. You can access secure services by providing a user name and password (either OAuth or token-based authentication), or by using a proxy configured to include the required credentials. When using a user name and password, the Viewer allows you to sign in to multiple ArcGIS Servers using one or more accounts.

Add secure services with a user name and password

When browsing to add layers to the map, you can easily sign in to access secure services. When you sign in, the Viewer will automatically use the credentials specified to authenticate against the specified ArcGIS Server endpoint. Then all the services that the specified user account has access to will be shown in the Browse panel.

Use token-based authentication

ArcGIS for Server provides a proprietary token-based authentication mechanism where users can authenticate themselves by providing a token. An ArcGIS token is a string of encrypted information created by the user using an authenticated user name and password. The token contains the user's name, the token expiration time, and some proprietary information. To obtain a token, a user provides a valid user name and password. ArcGIS Server verifies the supplied credentials and issues a token that is stored with your Viewer app. The app presents this token whenever accessing a secured resource.

Specific steps for accessing secure services using this approach are provided in the following instructions.

  1. Click the Browse button on the Map tab to open the Browse panel. Enter the URL to the desired service. If you have entered a URL to an ArcGIS for Server instance that contains secure services, you will see a link on the Browse panel to sign in to those secure services:
    Secured sign in on Browse dialog
    Note:

    For further information on browsing to services, refer to the Browsing ArcGIS Server topic.

  2. Click the Sign in to access secure services link. You will be prompted to sign in:
    Sign in dialog for ArcGIS Token authentication
  3. Specify your user name and password and click Sign In. If the login is accepted, the Browse panel will refresh and all the services that the specified account has access to will be shown.
    Note:

    When using ArcGIS Token authentication, the user name and password provided by the user are handled by your app and passed to the server to generate a token. This contrasts with OAuth authentication, which is described in a following section, in which your app never directly handles user login information. For some use cases, handling the login information in the app may pose a security concern for users.

  4. In the Browse panel, select the desired service or layer and click Add Selected Layer.

You can also sign into ArcGIS Server or ArcGIS Online independently of the Browse panel. If you sign in using this approach, services that can be accessed with the specified account will be displayed in the Browse panel without needing to sign in again.

The following steps describe how to sign in using this approach.

  1. In the Application Builder, click the Sign In link in the upper right corner. A drop-down list appears with options to sign in to ArcGIS Online and ArcGIS Server. Once you have signed in to ArcGIS Online or ArcGIS Server, your login name will appear as the title of the Sign in menu. You will also now have an additional option to Sign Out.
    Secure sign in drop-down menu
    Tip:

    If you sign in to one service endpoint (e.g. http://serverA/arcgis/rest/services) with a user name and password that is also valid for another service endpoint (e.g. http://serverB/arcgis/rest/services), you will not have to sign in again when connecting to the second service endpoint. The application will automatically use the account you specified.

  2. Click one of the sign in links. A dialog box will appear prompting you to enter your credentials. Type your user name and password. If you are accessing an ArcGIS Server endpoint, also type the URL of the ArcGIS Server to which you want to connect. Then click Sign In.
    • ArcGIS Online Sign In dialog box:
      ArcGIS Online Sign In dialog box
      Tip:

      The URL of the ArcGIS Online or Portal for ArcGIS endpoint to sign in to is specified on the Settings page. For further information, see the Application Builder Settings help topic.

    • ArcGIS Server Sign In dialog box:
      ArcGIS Server Sign In dialog box
  3. Once you have signed in, you can use the Browse panel to add secure services from the endpoint with which you have authenticated.
    Tip:

    To add ArcGIS Online hosted services, you must specify the full URL to the map service or layer within the service that you wish to add (e.g. http://tiles.arcgis.com/tiles/abCdefGhIJKlMNo1/arcgis/rest/services/MyHostedService/MapServer). You can find this URL under the Map Contents heading on the item's page in ArcGIS Online.

Use OAuth authentication

From the user's perspective, there is not much difference between the login experience provided by ArcGIS token authentication and OAuth. In both cases, the user is presented with a dialog that prompts for user name and password when access to a secured resource is attempted or when logging in to ArcGIS Online or a portal. The only difference your user might notice is that the login prompt comes from ArcGIS Online as a Web page rather than the built-in login dialog from the Viewer app. Behind the scenes, these authentication methods differ by how the user's login information is handled.

In ArcGIS token-based authentication, a user enters a user name and password into a dialog provided by the app. In other words, the app handles this information directly and therefore has access to the login information. When using OAuth, the login dialog is presented by the server with which the user is authenticating (as a separate web page). When the user authenticates successfully, the server will send a confirmation response containing an access token (similar to an ArcGIS token) that your app can use to access secured resources on behalf of the authenticated user. Likewise, if the user is unable to log in or dismisses the dialog, your application will be notified that authentication was not successful. In either case, the app never handles the user name and password that were provided.
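
The exchange described above, sketched from the app's side as an added example (not code from the Viewer or from Esri). It assumes the standard OAuth 2.0 implicit-grant parameter names from RFC 6749; the page does not say which grant the Viewer uses, and the endpoint, App ID, redirect URI and token values are constructed placeholders.

```javascript
// Added example: the OAuth 2.0 implicit-grant exchange from the app's side.
const { randomBytes } = require("node:crypto");

// Assumed placeholder values, not taken from the page.
const AUTHORIZE_ENDPOINT = "https://portal.example.com/sharing/rest/oauth2/authorize";
const APP_ID = "EXAMPLE_APP_ID";
const REDIRECT_URI = "https://viewer.example.com/apps/MyViewer/";

// Step 1: the app sends the browser to the server's own sign-in page.
// The request names the app and where to return; it holds no credentials.
function buildAuthorizeRequest(appId, redirectUri) {
  const state = randomBytes(16).toString("hex"); // ties the response to this request
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("client_id", appId);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  return { url: url.toString(), state };
}

// Step 2: after sign-in the server redirects back with the outcome in the
// URL fragment. The app accepts a token only from the expected location
// and only for the request it started.
function parseAuthorizeResponse(redirectedTo, expectedRedirectUri, expectedState) {
  const got = new URL(redirectedTo);
  const want = new URL(expectedRedirectUri);
  if (got.origin !== want.origin || got.pathname !== want.pathname) {
    return { ok: false, reason: "unexpected_redirect_target" };
  }
  const params = new URLSearchParams(got.hash.slice(1));
  if (params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (params.has("error")) {
    return { ok: false, reason: params.get("error") }; // e.g. user dismissed the dialog
  }
  const accessToken = params.get("access_token");
  if (!accessToken) {
    return { ok: false, reason: "missing_access_token" };
  }
  return { ok: true, accessToken, expiresIn: Number(params.get("expires_in")) };
}
```

The only secrets that reach the app are the access token and its lifetime; a failed or dismissed sign-in arrives as an error value through the same redirect.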

Setting up OAuth authentication requires the following general steps.

Create an ArcGIS Online application

An application stored with your ArcGIS Online organization is not an application per se. It is an item that provides information about an application. Some of the information described in an ArcGIS Online application item is used by OAuth to authenticate users for the app. To use OAuth, your application must define an App ID, App Secret, and a collection of (at least one) Redirect URIs.

Follow these steps to create an ArcGIS Online application:

  1. Log on to ArcGIS Online.
  2. Click the My Content link at the top of the page.
  3. Choose Add Item. Specify that the item is An application and provide a Title and Tags as shown in the following image. When finished, click Add Item.
    Add ArcGIS Online application item
  4. In the page for your new item, click Edit.
    ArcGIS Online item page
  5. In the item details page, scroll to the App Registration section and click Update.
    Update application properties
  6. In the Registered Info dialog, make note of the App ID by copying it to your clipboard or pasting it into a text editor.
  7. Add the proper redirect URIs for use with your app. These should point to the machine that will host your Viewer apps. Click Update when finished.
    Adding a redirect URL for use with the app
    Note:

    The existing redirect URI (urn:ietf:wg:oauth:2.0:oob) is a special value that signals the OAuth server that the authorization response should be returned in the title bar of the browser and in the text of the response page. This URI will not work with an ArcGIS Silverlight Viewer app. Instead, you need to add at least one URI that points to the server hosting your app. If more than one server will be hosting the app (or it will be accessed from several URIs), you can add multiple redirect values.

  8. Click Save in the item page when finished.

Set the App ID

After creating an ArcGIS Online application and assigning the proper redirect URI(s), you must associate the app with your Silverlight Viewer app to access secured services. Use the following steps to define an App ID for use by your Viewer app.

  1. In the Application Builder, click the Settings link in the upper right corner.
  2. Click the Application Settings tab.
    Note:

    For more information about configuring settings in the Application Builder, refer to Application Builder Settings.

  3. Copy the App ID from your ArcGIS Online application into the App ID text box in the settings panel.
    Tip:

    You can define the App ID in the Default Settings if all (or most) of your apps will use this portal. Otherwise, define the App ID only for this specific app.

    Defining an App ID in Application Settings
  4. Click Apply when finished, then close the settings page by clicking the back button in the upper right corner.

Sign in

If an App ID has been defined for your Viewer app, all login attempts will be handled using OAuth authentication. If the App ID is not present, ArcGIS Tokens authentication is used instead.

  1. In the Application Builder, click the Sign In menu, then choose Sign in to ArcGIS Online.
  2. A new browser window will open and you will be prompted to log in to ArcGIS Online.
    OAuth login window from ArcGIS Online
  3. Enter a user name and password that are valid for the organization hosting the ArcGIS Online application. Click the Sign In button on the page.

After successfully authenticating, you can now add any secured services from your ArcGIS Online organization to which the logged-in user has access. If you need to access additional secured services from another portal, you will be prompted using ArcGIS Tokens authentication.

When deploying your app, your users will see the same prompt when launching the Viewer. They will only be able to view the secured content if they provide valid credentials.

Add secure map services using a proxy

Secured map services can be added to ArcGIS Viewer for Silverlight via a proxy URL. Web requests are redirected through the proxy, which is responsible for authenticating with the service endpoint. Once you have configured your proxy pages as shown in the Configuring a proxy topic, you can access secured services. To use the proxy in your application, follow the steps below.

  1. In the Application Builder, click the Settings link in the upper right corner.
  2. Click the Application Settings tab.
    Note:

    For more information about configuring settings in the Application Builder, refer to Application Builder Settings.

  3. Type the URL to the proxy page in the Proxy text box under the Current Application Settings heading. The proxy will be shared by all layers in the application that use a secured service.
    Proxy setting in the Application Builder Settings window
    Tip:

    To specify a default proxy for all new applications, enter a proxy URL into the Proxy text box under the Default Settings heading.

  4. Close the settings page by clicking the back button in the upper right corner.
  5. In the Browse panel, check the Use Proxy check box. Then browse to the service you wish to add (for further information see the Browsing ArcGIS Server topic). All of the layers you add will use the defined proxy.
    Use Proxy checkbox

Caution:

Make sure to add a layer using a proxy only when required. All layers added while Use Proxy is checked will have requests for their data routed through the proxy server.

1/26/2015