Authentication & Authorization w/ ArcGIS
Max Payson & Kelly Gerrow

Authentication: validate users
Authorization: control access to resources

Purpose – clarify two questions
• How can my solution receive & control access to ArcGIS resources?
• How does ArcGIS integrate with my solution’s identity platform?

Agenda
Authentication & authorization in ArcGIS
• Overview
• App login
• Security model
• User login
Authentication patterns with ArcGIS

Auth in ArcGIS - Overview
How does my solution…
• Access ArcGIS’ hosted routing service?
• Use premium content in the Living Atlas?
• Query location data a user maintains in ArcGIS?
• Share data from one user to another?

Auth Options
• App login: access resources on behalf of the app (applies to location services & premium content)
• Named user login: access resources on behalf of a user (applies to all services, needed to work with private data)

How does my solution…
App login:
• Access ArcGIS’ hosted routing service?
• Use premium content in the Living Atlas?
User login:
• Query location data a user maintains in ArcGIS?
• Upload location data from a user to the cloud?

Methodologies
• OAuth 2.0: best practice
• Token-based: antiquated
• PKI | IWA / HTTP: out of scope

Auth in ArcGIS – App Login
Notes
• Developer receives credentials (protect them!)
• Credentials hardcoded for all users (can use proxy)
• Restricted to location services, premium data, and public services
• Developer pays for services

Workflow

Demo! Creating a service proxy

Auth in ArcGIS – Security Model
• Users
• Roles & permissions
• Groups
• Sharing & items

[Figure: ArcGIS user types for ArcGIS Online and ArcGIS Enterprise: Viewer, Editor, Field Worker, Creator, GIS Professional, grouped by viewing, editing and authoring. App bundles shown: ArcGIS Essential Apps, Field Apps Bundle, Office Apps Bundle, ArcGIS Pro, Partner Apps.]
[Figure: partner user types: Lite (Viewing), Basic (Editing), Standard (Authoring), each with Partner Apps; Esri Apps Bundle (Optional).]

Roles
Set of privileges that are assigned to each user.
General Privileges (25): Members, Groups, Content, Sharing, Premium Content, Features
Administrative Privileges (28): Members, Groups, Content, Marketplace, Organization Settings
Default Roles: Administrator, Publisher, User, Data Editor, Viewer

Roles & User Types
User Role ≠ User Type
User Type = Identity + the apps and capabilities you have access to out of the box.
User Role = Defined by the administrator, which can contain some or all of the User Type’s capabilities. Assigned to members during invitation process.

Quick demo! Users & permissions

Sharing & items
• Share any item: apps, items, maps, scenes, presentations
• Control who it’s shared with: groups, your organization, the world or no one

Geospatial Cloud
Engage and Interconnect . . . Everyone

Sharing & items
• Private
• Groups
• Organization
• Everyone
• Collaboration Across Organizations

Quick demo! Viewing items

Auth in ArcGIS – User Login
Notes
• User referred to ArcGIS to log in, app receives authorization
• App acts on user’s behalf with same roles, permissions, & access
• Needed to work with private data or manage items
• User’s organization pays for services

Workflow - server
Workflow - browser
Workflow – mobile / native

Quick demo! Accessing resources on behalf of a user

Authentication Patterns
How does my solution…
• Know who a user is?
• Validate that a user should have access?
• Associate a user with an ArcGIS user?

Note, these questions only apply to named-user logins!

Patterns
1. Just use ArcGIS (don’t worry about those questions)
2. Connect ArcGIS (allow users to connect their ArcGIS account)
3. Trust ArcGIS (write middleware to authenticate ArcGIS users)

Just use ArcGIS
• App publicly accessible but services secured by ArcGIS
• Marketplace can
(1) OAuth 2.0 process {"access_token": "
(2) Requests w/ access token

• Use custom identity & access system
• Allow users to log in with their ArcGIS account
• Store tokens in custom store
(1) Custom auth (token or session)
(2) OAuth 2.0 server process {"access_token": "
(3) Associate tokens with user
(4) Get ArcGIS token, refresh if needed
(5) Requests w/ access token
Link ArcGIS
With a simple store

Trust ArcGIS
• Allow users to log in with their ArcGIS account
• Use ArcGIS OAuth tokens & portal API to validate user
• Return custom authorization
(1) OAuth 2.0 server process {"access_token": "
(4) Issue tokens and/or session
(5) Requests w/ access token
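
The Trust ArcGIS pattern above as middleware logic, in an added Python example that is not from the presentation or its repository: the server checks the ArcGIS token against the portal, then issues its own short-lived session. The `community/self` call against ArcGIS Online, `ALLOWED_ORGS`, `SESSION_KEY` and the session format are assumptions, and the sample responses are constructed.

```python
import hashlib, hmac, json, time, urllib.parse, urllib.request

PORTAL = "https://www.arcgis.com/sharing/rest"  # assumption: ArcGIS Online portal
SESSION_KEY = b"placeholder-load-from-secret-store"  # hypothetical signing key
ALLOWED_ORGS = {"EXAMPLEORGID"}  # constructed org id the app trusts

# Constructed portal responses (not captured from a real portal).
SAMPLE_OK = {"username": "jsmith_example", "orgId": "EXAMPLEORGID"}
SAMPLE_INVALID = {"error": {"code": 498, "message": "Invalid token."}}

def portal_self(token):
    """Ask the portal which user the ArcGIS token belongs to."""
    data = urllib.parse.urlencode({"f": "json", "token": token}).encode()
    with urllib.request.urlopen(PORTAL + "/community/self", data, timeout=10) as r:
        return json.load(r)

def sign(payload):
    """HMAC-SHA256 over the session payload with the server-side key."""
    return hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest()

def login_with_arcgis(token, fetch=portal_self, now=time.time):
    """Validate the ArcGIS token server-side; return a signed session or None."""
    body = fetch(token)
    # The portal reports bad tokens inside an HTTP 200 JSON body, so the
    # "error" key has to be checked; the status code alone proves nothing.
    if "error" in body or not body.get("username"):
        return None
    if body.get("orgId") not in ALLOWED_ORGS:
        return None  # valid ArcGIS user, but not from an organization we trust
    claims = {"sub": body["username"], "org": body["orgId"],
              "exp": int(now()) + 900}  # short-lived custom session
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload.hex() + "." + sign(payload)

def verify_session(session, now=time.time):
    """Return the claims of a session issued above, or None if forged/expired."""
    try:
        payload_hex, sig = session.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), sign(payload).encode()):
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] > now() else None
```

The `fetch` and `now` parameters exist so the portal call and the clock can be replaced in tests; in production the defaults are used and the ArcGIS token never has to be trusted on the client's word.
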

• ArcGIS supports SAML-compliant IDPs
• Log-in initiated by the user & routed through ArcGIS
(1) OAuth 2.0 process {"access_token": "
(2) User redirects to login screen, SAML handshake
(3) Requests w/ access token

Thank you!
Code? https://github.com/mpayson/presentations
Questions? [email protected], [email protected]