Using LDAP and PKI to secure access to your portal

You can use a public key infrastructure (PKI) to secure access to your portal when using Lightweight Directory Access Protocol (LDAP) to authenticate users.

The following sections explain setting up Portal for ArcGIS and ArcGIS Web Adaptor (Java Platform) to use a PKI. You must complete all the steps and in the order presented here.

These steps assume you have already installed ArcGIS Web Adaptor (Java Platform) and Portal for ArcGIS and configured the Web Adaptor with your portal.

Configuring Portal for ArcGIS to use LDAP users

First, configure your portal to use SSL exclusively. This is set on the Security page in the portal website.

Steps:
  1. Sign in to the portal website as the portal administrator.
  2. Click Edit Settings on the My Organization page.
  3. Click Security.
  4. Check Allow access to the portal through SSL only.
  5. Click Save to apply your changes.
Note:

If you'll be adding an ArcGIS Server site to your portal and want to use web-tier authentication with the site, you'll need to disable web-tier authentication (basic or digest) and enable anonymous access on the ArcGIS Web Adaptor configured with your site before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federating an ArcGIS Server site with your portal.

Next, update your portal's identity store to use your organization's LDAP.

Steps:
  1. Log in to the ArcGIS Portal Directory with an account that has administrator privileges. The URL is in the format https://webadaptor.domain.com/arcgis/portaladmin.
  2. Click Security > Config > Update Identity Store.
  3. Place the LDAP configuration JSON in the User store configuration (in JSON format) text box.

    You can copy the following text and alter it to contain the information specific to your site:

    {
      "type": "LDAP",
      "properties": {
        "userPassword": "secret",
        "isPasswordEncrypted": "false",
        "user": "uid=admin\,ou=system",
        "userFullnameAttribute": "cn",
        "ldapURLForUsers": "ldap://bar2:10389/ou=users\,ou=ags\,dc=example\,dc=com",
        "userEmailAttribute": "mail",
        "usernameAttribute": "cn",
        "caseSensitive": "false",
        "userSearchAttribute": "dn"
      }
    }

    In most cases, you will only need to alter the values of the userSearchAttribute, user, userPassword, and ldapURLForUsers parameters. userSearchAttribute names the LDAP attribute that the portal matches against the account name the web tier hands it after client certificate authentication. In the sample it is dn, which means the Subject of each user's PKI certificate must be that user's full distinguished name in the directory. If your organization's certificates identify users by another field, such as an e-mail address, set userSearchAttribute to the LDAP attribute that holds the same value (for example, mail) so that it matches what the certificate's Subject carries.

    The URL to your LDAP server will need to be provided by your LDAP administrator. The account you use for the user parameter needs permission to look up the user names and e-mail addresses of users in your organization; read access to those attributes is all it requires. Although you type the password in clear text, it is encrypted when stored in the portal's configuration directory and is shown encrypted when you view the configuration.

  4. When you have finished entering the JSON for the user store configuration, click Update Configuration to save your changes.

    When you click Update Configuration, your portal will restart automatically. This may take a few minutes to complete.
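The steps above are the browser route. As an added example that is not part of Esri's documentation or product code, the following Python script lints the user store JSON from this page before it is submitted: it checks that the required properties are present, warns when ldapURLForUsers uses cleartext ldap:// (the bind password and every lookup then cross the network unencrypted), and flags an administrative bind account, since lookups only need read access. The sample on this page escapes commas inside distinguished names as `\,`, which is not a JSON escape, so the lint relaxes that form before parsing but sends the text exactly as you wrote it. The Portal Admin API details (the security/config/updateIdentityStore operation and its userStoreConfig, groupStoreConfig, f and token parameters) are assumptions taken from the Portal Administrator Directory, not something this page documents; whether the operation also requires a group store configuration is likewise not covered here, so the group store is optional in the code.

```python
"""Lint a Portal for ArcGIS LDAP user store configuration before submitting it.

Added example for this page, not Esri's code. The Portal Admin API details used
in build_update_request()/submit_user_store() are an ASSUMPTION (see lead-in).
"""
import json
import ssl
import urllib.request
from urllib.parse import urlencode, urlparse

# The user store JSON from this page, verbatim. The '\,' inside the DNs is the
# form the page shows; it is not a JSON escape, so parse_user_store() relaxes it.
SAMPLE_USER_STORE = r'''{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin\,ou=system",
    "userFullnameAttribute": "cn",
    "ldapURLForUsers": "ldap://bar2:10389/ou=users\,ou=ags\,dc=example\,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "cn",
    "caseSensitive": "false",
    "userSearchAttribute": "dn"
  }
}'''

REQUIRED = ("user", "userPassword", "ldapURLForUsers", "usernameAttribute",
            "userSearchAttribute", "userEmailAttribute", "userFullnameAttribute")


def parse_user_store(text):
    """json.loads() the configuration, tolerating the page's '\\,' DN escaping."""
    return json.loads(text.replace("\\,", ","))


def lint_user_store(text):
    """Return (level, message) findings. 'error' blocks submission; 'warning' and
    'info' are decisions for the administrator. An empty list means nothing to say."""
    try:
        cfg = parse_user_store(text)
    except json.JSONDecodeError as exc:
        return [("error", f"configuration is not valid JSON: {exc}")]
    findings = []
    if cfg.get("type") != "LDAP":
        findings.append(("error", 'type must be "LDAP" for this procedure'))
    props = cfg.get("properties") or {}
    for key in REQUIRED:
        if not props.get(key):
            findings.append(("error", f"missing or empty property: {key}"))
    url = urlparse(props.get("ldapURLForUsers", ""))
    if url.scheme == "ldap":
        findings.append(("warning", "ldapURLForUsers uses ldap://: the bind password and "
                         "every user lookup cross the network in cleartext; use ldaps:// "
                         "if your directory accepts it"))
    elif url.scheme != "ldaps":
        findings.append(("error", "ldapURLForUsers must start with ldap:// or ldaps://"))
    else:
        pass
    if url.scheme in ("ldap", "ldaps") and not url.hostname:
        findings.append(("error", "ldapURLForUsers has no host"))
    if url.scheme in ("ldap", "ldaps") and not url.path.strip("/"):
        findings.append(("warning", "ldapURLForUsers has no search base DN after the host"))
    if props.get("isPasswordEncrypted") not in ("true", "false"):
        findings.append(("error", 'isPasswordEncrypted must be "true" or "false"'))
    if "admin" in props.get("user", "").lower():  # heuristic on the bind DN only
        findings.append(("info", "bind account looks administrative; looking up user names "
                         "and e-mail addresses needs only a read-only account"))
    return findings


def build_update_request(portal_admin_url, token, user_store_text, group_store_text=None):
    """Build (url, form body) for updateIdentityStore. The configuration text is sent
    exactly as written, as the browser procedure does. Raises if the lint found errors."""
    errors = [msg for level, msg in lint_user_store(user_store_text) if level == "error"]
    if errors:
        raise ValueError("refusing to submit: " + "; ".join(errors))
    url = portal_admin_url.rstrip("/") + "/security/config/updateIdentityStore"
    params = {"userStoreConfig": user_store_text, "f": "json", "token": token}
    if group_store_text is not None:
        params["groupStoreConfig"] = group_store_text
    return url, urlencode(params).encode()


def submit_user_store(portal_admin_url, token, user_store_text, group_store_text=None):
    """POST the configuration with TLS certificate verification on. The portal
    restarts after this operation, so allow the request several minutes."""
    url, body = build_update_request(portal_admin_url, token, user_store_text, group_store_text)
    ctx = ssl.create_default_context()  # verify the portal's certificate chain
    with urllib.request.urlopen(urllib.request.Request(url, data=body), context=ctx) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    for level, message in lint_user_store(SAMPLE_USER_STORE):
        print(f"{level}: {message}")
```

Run the script as-is to lint the page's sample; call `submit_user_store()` with a Portal Administrator Directory URL and an administrator token only after the lint is clean and you have decided about the warnings.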

Set up PKI authentication on your portal's Web Adaptor

Client certificate (PKI) authentication against an LDAP identity store is web-tier authentication, and with Portal for ArcGIS it must be done with ArcGIS Web Adaptor (Java Platform). The Web Adaptor relies on the Java application server to authenticate the user's certificate and to provide the Web Adaptor with the account name of the user. Once it has the account name, the Web Adaptor passes it to the portal.

Once you've installed and configured the Web Adaptor (Java Platform) with your portal, configure an LDAP realm on your Java application server and enable client certificate (PKI) authentication for the Web Adaptor application. For instructions, consult the product documentation for your Java application server or your system administrator.

If you'll be adding an ArcGIS Server site to your portal and want the site to use the portal's PKI and LDAP authentication, you'll need to disable web-tier authentication on the ArcGIS Web Adaptor configured with your site and enable anonymous access before adding the site to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federating an ArcGIS Server site with your portal.
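The requirement that userSearchAttribute match what the certificate's Subject carries is easy to get wrong when the realm is configured on the application server and the attribute is configured in the portal. The following Python example, added here and not part of Esri's documentation or code, makes the matching rule concrete: it takes a certificate Subject in the form a Java application server exposes it (RFC 2253, most specific RDN first), derives the value the directory entry's userSearchAttribute must hold, and builds the corresponding LDAP search filter with RFC 4515 escaping so that metacharacters in a certificate field cannot alter the query. How Portal for ArcGIS performs the lookup internally is not described on this page, so the filter is an assumption used for illustration, and the three certificate Subjects are constructed samples. The example also shows the failure mode the text warns about: a certificate with no e-mail RDN cannot be matched when userSearchAttribute is mail.

```python
"""What 'userSearchAttribute must match the certificate Subject' means in practice.

Added example for this page, not Esri's code. The RFC 4515 filter is an
ASSUMPTION used to illustrate the matching rule; the Subjects are constructed.
"""

# Constructed samples, as X500Principal.getName() renders them (RFC 2253).
CERT_SUBJECT = "CN=Jane Doe,OU=users,OU=ags,DC=example,DC=com"
CERT_SUBJECT_WITH_MAIL = "E=jdoe@example.com,CN=Jane Doe,OU=users,OU=ags,DC=example,DC=com"
CERT_SUBJECT_ESCAPED = r"CN=Doe\, Jane,OU=users,OU=ags,DC=example,DC=com"

# RDN types under which certificate authorities commonly place an e-mail address.
EMAIL_RDN_TYPES = ("E", "EMAIL", "EMAILADDRESS", "1.2.840.113549.1.9.1")


def parse_dn(dn):
    """Split an RFC 2253 DN into [(TYPE, value), ...].

    A naive dn.split(',') breaks on 'CN=Doe\\, Jane', so the loop honours
    single-character backslash escapes (hex escapes such as \\2C are not handled).
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def lookup_key(subject, user_search_attribute):
    """Derive the value the directory entry's userSearchAttribute must hold."""
    attr = user_search_attribute.lower()
    if attr == "dn":
        # The certificate Subject must equal the entry's distinguished name; an
        # account whose DN differs from what the CA put in the certificate is not found.
        return subject
    wanted = EMAIL_RDN_TYPES if attr == "mail" else (attr.upper(),)
    for rdn_type, value in parse_dn(subject):
        if rdn_type in wanted:
            return value
    raise LookupError(f"certificate Subject has no RDN usable for {user_search_attribute}")


def search_filter(subject, user_search_attribute):
    """Return the RFC 4515 filter for the lookup, or None when the lookup is a
    base-object read of the Subject DN itself (userSearchAttribute = dn)."""
    key = lookup_key(subject, user_search_attribute)
    if user_search_attribute.lower() == "dn":
        return None
    return f"({user_search_attribute}={ldap_filter_escape(key)})"


if __name__ == "__main__":
    for subject, attr in [(CERT_SUBJECT, "dn"), (CERT_SUBJECT, "cn"),
                          (CERT_SUBJECT_ESCAPED, "cn"),
                          (CERT_SUBJECT_WITH_MAIL, "mail"), (CERT_SUBJECT, "mail")]:
        try:
            print(f"{attr:>4}: {search_filter(subject, attr)}")
        except LookupError as exc:
            print(f"{attr:>4}: FAIL, {exc}")
```

Before switching userSearchAttribute away from dn, run a real certificate's Subject through `lookup_key()` with the attribute you intend to use; if it raises, the certificates your CA issues do not carry the field the portal would need.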

Designate an LDAP account as an administrator

How you add an LDAP account to your portal will depend on whether your portal is configured to add enterprise logins to the portal automatically when people sign in or if accounts must be added from the ArcGIS Portal Directory. For information on this setting, see Configuring account creation.

If your portal is configured to add enterprise accounts automatically, open the portal website home page while logged in with the LDAP account you want to use as the portal administrator. Depending on your browser and settings, you may be prompted to sign in.

If you manually register accounts for enterprise users

If your portal is configured so that you must add accounts using the CreateUsers tool, follow the instructions in Adding members to your portal to add the LDAP account as your portal administrator. Be sure to choose the Administrator role when registering the enterprise account.

If accounts are automatically registered for enterprise users

If your portal is configured so that enterprise accounts are registered with the portal the first time they access the portal, you'll need to access the portal with the LDAP account to register it with the portal, then sign in to the portal with the initial administrator account and assign the LDAP user to the Administrator role.

When an account is first added to the portal, it is assigned the User role. Only an administrator can change the role on an account; therefore, you must log in to the portal using the initial administrator account and assign an LDAP account to the Administrator role. Since your Web Adaptor is set for LDAP authentication, you must connect to the portal through port 7443 rather than the Web Adaptor URL to sign in using the initial administrator account.

Steps:
  1. Connect to the portal website while logged in to your computer with the LDAP account. If this account belongs to someone else, have that user connect to the portal so their account will be registered with the portal.
  2. Once the LDAP account has been added to the portal, open a browser and connect to your portal website through port 7443, for example, https://portal.domain.com:7443/arcgis/home.
  3. Sign in using the initial administrator account you created when you first set up your portal.
  4. For the LDAP account you will use to administer your portal, change the role to Administrator.
  5. Sign out of the website.

When you are logged in to your computer with this LDAP account, you will be able to connect to your portal through the Web Adaptor URL and administer the portal.

Demote or delete the initial administrator account

Now that you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Prevent users from creating their own accounts

After you've secured access to your portal, you can disable the Create an account button and sign-up page (signup.html) in the portal website so that people cannot create their own accounts. This means all members sign in to the portal with their enterprise credentials, and unnecessary member accounts cannot be created.

Follow these steps to prevent users from creating their own accounts:

Steps:
  1. Browse to <Portal for ArcGIS installation directory>\customizations\10.2.2\webapps\arcgis#home\js\esri\arcgisonline and open config.js in a text editor.
  2. Locate the showSignUp property and specify the value as false.
  3. Save and close the file.
  4. To apply your edits, restart your portal.
  5. After the portal restarts, clear your browser's cache (including cookies) to see the changes in the portal website.
5/5/2015