Authentication & Authorization w/ ArcGIS

Max Payson & Kelly Gerrow

Authentication: validate users

Authorization: control access to resources

Purpose – clarify two questions

How can my solution receive & control access to ArcGIS resources?

How does ArcGIS integrate with my solution’s identity platform?

Agenda

Authentication & authorization in ArcGIS

Overview

App login

Security model

User login

Authentication patterns with ArcGIS

Auth in ArcGIS - Overview

How does my solution…

Access ArcGIS’ hosted routing service?

Use premium content in the Living Atlas?

Query location data a user maintains in ArcGIS?

Share data from one user to another?

Auth Options

App login: access resources on behalf of the app; applies to location services & premium content

Named user login: access resources on behalf of a user; applies to all services, needed to work with private data

How does my solution…

Access ArcGIS’ hosted routing service? (App login)

Use premium content in the Living Atlas? (App login)

Query location data a user maintains in ArcGIS? (User login)

Upload location data from a user to the cloud? (User login)

Methodologies

OAuth 2.0 | Token-based | PKI | IWA / HTTP

best practice | antiquated | out of scope

Auth in ArcGIS – App Login

Notes

Developer receives credentials (protect them!)

Credentials hardcoded for all users (can use proxy)

Restricted to location services, premium data, and public services

Developer pays for services

Workflow

Demo! Creating a service proxy

Auth in ArcGIS – Model

Users

Roles & permissions

Groups

Sharing & items

ArcGIS User Types (Viewing, Editing, Authoring)

• Viewer: ArcGIS Essential Apps

• Editor: ArcGIS Essential Apps

• Field Worker: ArcGIS Essential Apps, Field Apps Bundle

• Creator: ArcGIS Essential Apps, Field Apps Bundle, Office Apps Bundle

• GIS Professional: ArcGIS Essential Apps, Field Apps Bundle, Office Apps Bundle, ArcGIS Pro

Partner Apps

ArcGIS Online

ArcGIS Enterprise

Partner User Types

• Lite (Viewing): Partner Apps

• Basic (Editing): Partner Apps

• Standard (Authoring): Partner Apps

Esri Apps (Optional), Esri Apps Bundle (Optional)

Roles

Set of privileges that are assigned to each user.

General Privileges (25): Members, Groups, Content, Sharing, Premium Content, Features

Default Roles: Administrator, Publisher, User, Data Editor, Viewer

Administrative Privileges (28): Members, Groups, Content, Marketplace, Organization Settings

Roles & User Types

User Role ≠ User Type

User Type = Identity + the apps and capabilities you have access to out of the box.

User Role = Defined by the administrator, which can contain some or all of the User Type’s capabilities. Assigned to members during invitation process.

Quick demo! Users & permissions

Sharing & items

Share Any Item - Apps, items, maps, scenes, presentations

Control who it’s shared with – Groups, your organization, the world or no one

Geospatial Cloud

Engage and Interconnect . . . Everyone

Sharing & items: Private, Groups, Organization, Everyone

Collaboration Across Organizations

Quick demo! Viewing items

Auth in ArcGIS – User Login

Notes

User referred to ArcGIS to log in, app receives authorization

App acts on user’s behalf with same roles, permissions, & access

Needed to work with private data or manage items

User’s organization pays for services

Workflow - server

Workflow - browser

Workflow – mobile / native

Quick demo! Accessing resources on behalf of a user

Authentication Patterns

How does my solution…

Know who a user is?

Validate that a user should have access?

Associate a user with an ArcGIS user?

Note, these questions only apply to named-user logins!

Patterns

1. Just use ArcGIS (don’t worry about those questions)

2. Connect ArcGIS (allow users to connect their ArcGIS account)

3. Trust ArcGIS (write middleware to authenticate ArcGIS users)

Just use ArcGIS

App publicly accessible but services secured by ArcGIS

Marketplace can validate user access

(1) OAuth 2.0 process {"access_token": "" …}

(2) Requests w/ access token

Connect ArcGIS

Use custom identity & access system

Allow users to log in with their ArcGIS account

Store tokens in custom store

Only needs to happen once

(1) Custom auth (token or session)

(2) OAuth 2.0 server process {"access_token": "", "refresh_token": "" …}

(3) Associate tokens with user

(4) Get ArcGIS token, refresh if needed

(5) Requests w/ access token

Link ArcGIS

With a simple store

Trust ArcGIS

Allow users to log in with their ArcGIS account

Use ArcGIS OAuth tokens & portal API to validate user

Return custom authorization

* ArcGIS doesn’t support OpenID Connect

(1) OAuth 2.0 server process {"access_token": "", "refresh_token": "" …}

(2) Get user information from /self

(3) Validate user

(4) Issue tokens and/or session

(5) Requests w/ access token

Trust ArcGIS

With a simple store

What about ArcGIS trusting me?

ArcGIS supports SAML-compliant IDPs

Log-in initiated by the user & routed through ArcGIS

No programmatic approach

(1) OAuth 2.0 process {"access_token": "" …}

(2) User redirects to login screen, SAML handshake

(3) Requests w/ access token

Thank you!

Code? https://github.com/mpayson/presentations

Questions?
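
The service proxy from the app login notes ("protect them!", "can use proxy"), as an added example that is not code from the presentation or its repository: the client secret and app token stay on the server, and only allowlisted upstream requests are forwarded. The class name, the injected `http_post`/`http_get` callables and the allowlisted routing URL are assumptions; `demo()` runs against constructed fake transports.

```python
import time
from urllib.parse import urlsplit

TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"
# Assumption: the one upstream service this proxy may call on the app's behalf.
ALLOWED_PREFIXES = ("https://route-api.arcgis.com/arcgis/rest/services/",)


class AppLoginProxy:
    """Keeps the app credentials server-side; browsers only ever talk to the proxy."""

    def __init__(self, client_id, client_secret, http_post, http_get, now=time.time):
        self._id, self._secret = client_id, client_secret
        self._post, self._get, self._now = http_post, http_get, now
        self._token, self._expires_at = None, 0.0

    def _app_token(self):
        # Reuse the cached app token until 60 seconds before it expires.
        if self._token is None or self._now() >= self._expires_at - 60:
            body = self._post(TOKEN_URL, {
                "client_id": self._id, "client_secret": self._secret,
                "grant_type": "client_credentials", "f": "json"})
            if "access_token" not in body:
                raise RuntimeError("app token request failed")
            self._token = body["access_token"]
            self._expires_at = self._now() + int(body["expires_in"])
        return self._token

    def forward(self, url, params):
        parts = urlsplit(url)
        if (not url.startswith(ALLOWED_PREFIXES) or ".." in parts.path
                or parts.query or parts.fragment):
            raise PermissionError("upstream is not on the allowlist")
        # Drop any token the caller sent; only the proxy's app token goes upstream.
        clean = {k: v for k, v in params.items() if k.lower() != "token"}
        return self._get(url, {**clean, "token": self._app_token()})


def demo():
    """Run two requests through the proxy against constructed fake transports."""
    calls = []
    post = lambda url, data: calls.append("POST") or {"access_token": "app-tok", "expires_in": 7200}
    get = lambda url, params: calls.append("GET") or dict(params)
    proxy = AppLoginProxy("CLIENT_ID", "CLIENT_SECRET", post, get)
    route = ALLOWED_PREFIXES[0] + "World/Route/NAServer/Route_World/solve"
    sent = proxy.forward(route, {"stops": "a;b", "token": "from-browser"})
    proxy.forward(route, {"stops": "c;d"})
    return calls, sent
```

Because the developer pays for every call made with the app token, the allowlist and the token stripping are what keep the proxy from becoming an open relay for billed services.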
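
Steps (1) to (5) of the "Trust ArcGIS" slide, together with the "refresh if needed" step from "Connect ArcGIS", as an added example that is not code from the presentation or its repository. The class, the injected `http_post`/`http_get` callables, the `orgId` allowlist used as the validation rule and the placeholder organization id are assumptions; the slide only names `/self`, taken here to be the portal's `community/self` resource.

```python
import secrets
import time

PORTAL = "https://www.arcgis.com/sharing/rest"
ALLOWED_ORG_IDS = {"ORG_ID_PLACEHOLDER"}  # assumption: organizations this app trusts


class TrustArcGIS:
    """Middleware that trusts ArcGIS for identity and keeps tokens in a simple store."""

    def __init__(self, client_id, redirect_uri, http_post, http_get, now=time.time):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.post, self.get, self.now = http_post, http_get, now
        self.sessions = {}  # session id -> ArcGIS tokens, held server-side only

    def _grant(self, **grant):
        body = self.post(f"{PORTAL}/oauth2/token",
                         {"client_id": self.client_id, "f": "json", **grant})
        if "access_token" not in body:
            raise PermissionError("ArcGIS rejected the grant")
        return body

    def login(self, code):
        # (1) OAuth 2.0 server process: exchange the authorization code.
        tok = self._grant(grant_type="authorization_code", code=code,
                          redirect_uri=self.redirect_uri)
        # (2) Ask ArcGIS who the token belongs to; never trust a client-sent username.
        user = self.get(f"{PORTAL}/community/self",
                        {"f": "json", "token": tok["access_token"]})
        # (3) Validate the user: a real account in an organization we accept.
        if "username" not in user or user.get("orgId") not in ALLOWED_ORG_IDS:
            raise PermissionError("user may not use this app")
        # (4) Issue our own opaque session; ArcGIS tokens stay in the store.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = dict(tok, username=user["username"],
                                  expires_at=self.now() + int(tok["expires_in"]))
        return sid

    def access_token(self, sid):
        # (5) Resolve a session to an ArcGIS token, refreshing it if needed.
        s = self.sessions.get(sid)
        if s is None:
            raise PermissionError("unknown session")
        if self.now() >= s["expires_at"] - 60:
            tok = self._grant(grant_type="refresh_token",
                              refresh_token=s["refresh_token"])
            s.update(access_token=tok["access_token"],
                     expires_at=self.now() + int(tok["expires_in"]))
        return s["access_token"]
```

The browser only ever holds the opaque session id; the access and refresh tokens never leave the store, so a leaked session can be revoked by deleting one entry.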