Authentication & Authorization w/ ArcGIS

Authentication & Authorization w/ ArcGIS
Max Payson & Kelly Gerrow

Authentication: validate users
Authorization: control access to resources

Purpose – clarify two questions
• How can my solution receive & control access to ArcGIS resources?
• How does ArcGIS integrate with my solution’s identity platform?

Agenda
• Authentication & authorization in ArcGIS
  - Overview
  - App login
  - Security model
  - User login
• Authentication patterns with ArcGIS

Auth in ArcGIS – Overview
How does my solution…
• Access ArcGIS’ hosted routing service?
• Use premium content in the Living Atlas?
• Query location data a user maintains in ArcGIS?
• Share data from one user to another?

Auth Options
• App login: access resources on behalf of the app; applies to location services & premium content
• Named user login: access resources on behalf of a user; applies to all services, needed to work with private data

How does my solution…
• Access ArcGIS’ hosted routing service? → App login
• Use premium content in the Living Atlas? → App login
• Query location data a user maintains in ArcGIS? → User login
• Upload location data from a user to the cloud? → User login

Methodologies
• OAuth 2.0 – best practice
• Token-based – antiquated
• PKI, IWA / HTTP – out of scope

Auth in ArcGIS – App Login
Notes
• Developer receives credentials (protect them!)
• Credentials hardcoded for all users (can use proxy)
• Restricted to location services, premium data, and public services
• Developer pays for services
Workflow (diagram)
Demo!
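The app-login notes above say the developer credentials are hardcoded for all users and can sit behind a proxy. The following is an added example, not code from the presentation or the linked repository: a server-side proxy that requests a client_credentials token from the ArcGIS Online token endpoint, caches it until shortly before expiry, and appends it to requests for an allow-listed routing service, so the client secret never reaches the browser. The post transport, the clock, the client id/secret and the allow-list are assumptions supplied by the caller.

```python
import time
from urllib.parse import urlencode

# ArcGIS Online token endpoint used by the client_credentials (app login) flow.
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"
# Upstreams the proxy will front: app login only covers location services,
# premium data and public services, so keep this list tight. (Assumed value.)
ALLOWED_PREFIXES = ("https://route.arcgis.com/arcgis/rest/services/",)


class AppLoginProxy:
    """Server-side holder of the app credentials; browsers only see proxy_url()."""

    def __init__(self, client_id, client_secret, post, clock=time.time):
        self._id, self._secret = client_id, client_secret
        self._post = post      # post(url, form_dict) -> parsed JSON dict (injected)
        self._clock = clock    # injected so expiry can be exercised offline
        self._token, self._expires_at = None, 0.0

    def token(self):
        """Return a cached app token, refreshing 60 s before it expires."""
        if self._token is None or self._clock() >= self._expires_at - 60:
            body = self._post(TOKEN_URL, {
                "client_id": self._id,
                "client_secret": self._secret,
                "grant_type": "client_credentials",
                "f": "json",
            })
            if "error" in body:  # ArcGIS reports failures inside the JSON body
                raise RuntimeError(body["error"])
            self._token = body["access_token"]
            # expires_in is the token lifetime in seconds
            self._expires_at = self._clock() + int(body["expires_in"])
        return self._token

    def proxy_url(self, upstream_url, params):
        """Build the upstream URL with the app token appended server-side."""
        if not upstream_url.startswith(ALLOWED_PREFIXES):
            raise PermissionError("upstream not allowed through this proxy")
        q = dict(params)
        q.pop("token", None)   # never forward a caller-supplied token
        q["token"] = self.token()
        return upstream_url + "?" + urlencode(q)
```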
Creating a service proxy (demo)

Auth in ArcGIS – Security Model
• Users
• Roles & permissions
• Groups
• Sharing & items

ArcGIS User Types
• Viewer (Viewing): ArcGIS Essential Apps
• Editor (Editing): ArcGIS Essential Apps
• Field Worker (Editing): ArcGIS Essential Apps, Field Apps Bundle
• Creator (Authoring): ArcGIS Essential Apps, Field Apps Bundle, Office Apps Bundle
• GIS Professional (Authoring): ArcGIS Essential Apps, Field Apps Bundle, Office Apps Bundle, ArcGIS Pro
Partner User Types (ArcGIS Online, ArcGIS Enterprise)
• Lite (Viewing), Basic (Editing), Standard (Authoring): Partner Apps
• Esri Apps Bundle (Optional) on two of the three tiers

Roles
Set of privileges that are assigned to each user.
• Default Roles: Administrator, Publisher, User, Data Editor, Viewer
• General Privileges (25): Members, Groups, Content, Sharing, Premium Content, Features
• Administrative Privileges (28): Members, Groups, Content, Marketplace, Organization Settings

Roles & User Types
• User Role ≠ User Type
• User Type = Identity + the apps and capabilities you have access to out of the box.
• User Role = Defined by the administrator, which can contain some or all of the User Type’s capabilities. Assigned to members during the invitation process.
Quick demo! Users & permissions

Sharing & items
• Share Any Item – Apps, items, maps, scenes, presentations
• Control whom it’s shared with – Groups, your organization, the world or no one
Geospatial Cloud: Engage and Interconnect
Sharing levels: Private, Groups, Organization, Everyone, Collaboration Across Organizations
Quick demo! Viewing items

Auth in ArcGIS – User Login
Notes
• User referred to ArcGIS to log in, app receives authorization
• App acts on user’s behalf with same roles, permissions, & access
• Needed to work with private data or manage items
• User’s organization pays for services
Workflow – server (diagram)
Workflow – browser (diagram)
Workflow – mobile / native (diagram)
Quick demo!
Accessing resources on behalf of a user (demo)

Authentication Patterns
How does my solution…
• Know who a user is?
• Validate that a user should have access?
• Associate a user with an ArcGIS user?
Note: these questions only apply to named-user logins!

Patterns
1. Just use ArcGIS (don’t worry about those questions)
2. Connect ArcGIS (allow users to connect their ArcGIS account)
3. Trust ArcGIS (write middleware to authenticate ArcGIS users)

Just use ArcGIS
• App publicly accessible but services secured by ArcGIS
• Marketplace can validate user access
(1) OAuth 2.0 process → {”access_token”: “<token>”…}
(2) Requests w/ access token

Connect ArcGIS
• Use custom identity & access system
• Allow users to log in with their ArcGIS account
• Store tokens in custom store (only needs to happen once)
(1) Custom auth (token or session)
(2) OAuth 2.0 server process → {”access_token”: “<token>”, “refresh_token”: “<token>” …}
(3) Associate tokens with user
(4) Get ArcGIS token, refresh if needed
(5) Requests w/ access token
Demo: Link ArcGIS with a simple store

Trust ArcGIS
• Allow users to log in with their ArcGIS account
• Use ArcGIS OAuth tokens & portal API to validate user and/or session
• Return custom authorization
• * ArcGIS doesn’t support OpenID Connect
(1) OAuth 2.0 server process → {”access_token”: “<token>”, “refresh_token”: “<token>” …}
(2) Get user information from /self
(3) Validate user
(4) Issue tokens
(5) Requests w/ access token
Demo: Trust ArcGIS with a simple store

What about ArcGIS trusting me?
• ArcGIS supports SAML-compliant IDPs
• Log-in initiated by the user & routed through ArcGIS
• No programmatic approach
(1) OAuth 2.0 process → {”access_token”: “<token>”…}
(2) User redirects to login screen, SAML handshake
(3) Requests w/ access token

Thank you!
Code? https://github.com/mpayson/presentations
Questions? [email protected], [email protected]
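The "Trust ArcGIS" pattern above chains step (2) get user information from /self, step (3) validate user, step (4) issue tokens and step (5) requests with the issued token. The following is an added example, not code from the presentation or the linked repository, of that middleware in Python; it keeps authentication (a valid ArcGIS token) separate from authorization (the user belongs to an organization this app trusts) and handles the portal's in-body error response for invalid tokens. SELF_URL is the ArcGIS Online endpoint the slide calls /self; the get transport, ALLOWED_ORG_IDS and SESSION_KEY are assumed placeholders supplied by the deployment.

```python
import hashlib, hmac, json, time
from urllib.parse import urlencode

SELF_URL = "https://www.arcgis.com/sharing/rest/community/self"  # ArcGIS Online /self
ALLOWED_ORG_IDS = {"ORG_ID_PLACEHOLDER"}   # placeholder: set per deployment
SESSION_KEY = b"replace-with-a-random-32-byte-secret"  # placeholder secret
SESSION_TTL = 3600                          # seconds an issued session stays valid


class TrustArcGISError(Exception):
    pass


def arcgis_user(access_token, get):
    """Step (2): fetch user info from /self. get(url) -> parsed JSON dict (injected)."""
    body = get(SELF_URL + "?" + urlencode({"f": "json", "token": access_token}))
    # ArcGIS signals failure in the JSON body (HTTP 200); code 498 = invalid token.
    if "error" in body:
        raise TrustArcGISError(body["error"].get("message", "portal error"))
    if "username" not in body:   # anonymous /self never proves an identity
        raise TrustArcGISError("no authenticated user")
    return body


def validate_user(user):
    """Step (3): authorization decision, kept apart from authentication."""
    if user.get("orgId") not in ALLOWED_ORG_IDS:
        raise TrustArcGISError("user not in an allowed organization")
    return {"sub": user["username"], "org": user["orgId"], "role": user.get("role")}


def issue_session(claims, now=None):
    """Step (4): issue an HMAC-SHA256 signed session token (hex payload.signature)."""
    payload = dict(claims, exp=int(now or time.time()) + SESSION_TTL)
    raw = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(SESSION_KEY, raw, hashlib.sha256).hexdigest()
    return raw.hex() + "." + sig


def verify_session(token, now=None):
    """Step (5): accept a request only if signature and expiry check out."""
    try:
        raw_hex, sig = token.split(".", 1)
        raw = bytes.fromhex(raw_hex)
    except ValueError:
        return None
    expected = hmac.new(SESSION_KEY, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    payload = json.loads(raw)
    return payload if payload["exp"] > (now or time.time()) else None
```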
