Connecting ArcGIS Online
Using the OAuth 2.0 protocol, the Identity Service can delegate the authentication of users to ArcGIS Online. This means that a user can log in with an ArcGIS Online account.
Connecting to ArcGIS Online is done in several steps:
- First, you register the Identity Service as an application in ArcGIS Online.
- Then you adjust the configuration of the Identity Service so that the login can be delegated to ArcGIS Online.
- Finally, you check the configuration by using the Identity Service to log in to ArcGIS Online.
Step 1: Register Identity Service
The Identity Service must be registered as an application in ArcGIS Online to use single sign-on. To do this, perform the following steps:
- Log in to ArcGIS Online.
- Switch to the Content tab.
- Click New item and in the subsequent dialog click Application.
- A dialog for creating the new element is displayed. Use the following settings there:
  - Type: Web Mapping.
  - URL: URL of the Identity Service installation, for example https://www.example.com/identity
- Click Next.
- Now set the other properties of the element as follows:
  - Title: Identity Service
  - Folder: Select the folder where you want to save the item.
  - Categories (optional): You can set one or more categories for the element.
  - Tags: identity
  - Summary (optional): You can create a summary for the element, for example: Registration of Identity Service at ArcGIS Online
- Click Save. The overview of the newly created element is displayed.
- Set additional registration properties by proceeding as follows:
  - In the app overview, click Settings and go to the section Web Mapping Application.
  - Click Register application.
  - Specify the URL of your Identity Service installation as the Redirect URLs, for example https://www.example.com/identity.
  - Click Add to add the URI to the list of valid redirect URIs.
  - Select Browser as application environment.
  - Click Register to close the dialog.
- After you have successfully registered the application, its registration data will be displayed, which you will need for the subsequent configuration:
  - Store the displayed Client ID somewhere.
  - Click on the button with the eye icon to display the Client Secret. You need to remember this one as well.
- The registration is complete and you can proceed with the configuration of the Identity Service.
Step 2: Configure Identity Service
The following parameters must be added or changed in the global Configuration.
# application.properties
security.oauth.provider=arcgis
security.oauth.provider.arcgis.url=https://myorganization.maps.arcgis.com
security.oauth.tokenRules=https://myorganization.maps.arcgis.com,TOKEN;https://services.arcgis.com/<organization-id>/arcgis,TOKEN;
# secrets.properties
security.oauth.clientId=6nyEFYqYSYtu60Ws
security.oauth.clientSecret=fb3e3425976e4980a1793cbe6231f4b6
- security.oauth.provider: The value arcgis defines ArcGIS Online as identity provider.
- security.oauth.provider.arcgis.url: URL of your ArcGIS Online organization.
- security.oauth.tokenRules: URL of ArcGIS Online and ArcGIS Online Services endpoint, with TOKEN as transport type. See also Configure trusted services.
- security.oauth.clientId: Client ID that has been created during the registration as an application in ArcGIS Online.
- security.oauth.clientSecret: Client Secret that has been created during the registration as an application in ArcGIS Online.
Allow logins for multiple organizations
To allow users of more than one organization to log in, set security.oauth.provider.arcgis.url to https://www.arcgis.com and additionally configure the parameter security.oauth.provider.arcgis.organizations as described in the following example:
# .identity-service/application.properties
security.oauth.provider.arcgis.url=https://www.arcgis.com
security.oauth.provider.arcgis.organizations=myorganization.maps.arcgis.com,otherorg.maps.arcgis.com
List all organizations separated by commas.
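The settings from step 2 can be checked for consistency before the Identity Service is restarted. The following linter is an added example, not part of the product or its documentation; the function names and the checks themselves (HTTPS on every URL that receives a token, credentials only in secrets.properties, organizations list paired with https://www.arcgis.com) are assumptions derived from the parameters described above.

```python
from urllib.parse import urlsplit

P = "security.oauth."  # common prefix of the keys shown on this page

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_token_rules(value):
    """Split 'url,TRANSPORT;url,TRANSPORT;' into (url, transport) pairs."""
    entries = [e.strip() for e in value.split(";") if e.strip()]
    return [tuple(p.strip() for p in e.rpartition(",")[::2]) for e in entries]

def lint(app_text, secrets_text):
    """Return findings for application.properties and secrets.properties."""
    app, secrets = parse_properties(app_text), parse_properties(secrets_text)
    out = []
    if app.get(P + "provider") != "arcgis":
        out.append("provider is not 'arcgis'")
    url = app.get(P + "provider.arcgis.url", "").rstrip("/")
    if urlsplit(url).scheme != "https":
        out.append("provider URL is not https")
    orgs = [o for o in app.get(P + "provider.arcgis.organizations", "").split(",") if o.strip()]
    # Assumption: the organizations list is only used with the generic www.arcgis.com URL.
    if bool(orgs) != (url == "https://www.arcgis.com"):
        out.append("organizations list and provider URL do not match")
    for rule_url, transport in parse_token_rules(app.get(P + "tokenRules", "")):
        if urlsplit(rule_url).scheme != "https":
            out.append("token rule %s,%s is not https" % (rule_url, transport))
    for key in (P + "clientId", P + "clientSecret"):
        if key in app:
            out.append(key + " found in application.properties")
        if not secrets.get(key):
            out.append(key + " missing from secrets.properties")
    return out

# Constructed sample input with deliberate mistakes (not a real configuration).
SAMPLE_APP = """\
security.oauth.provider=arcgis
security.oauth.provider.arcgis.url=https://myorganization.maps.arcgis.com
security.oauth.provider.arcgis.organizations=myorganization.maps.arcgis.com,otherorg.maps.arcgis.com
security.oauth.tokenRules=http://myorganization.maps.arcgis.com,TOKEN;
security.oauth.clientSecret=CONSTRUCTED-PLACEHOLDER
"""
SAMPLE_SECRETS = "security.oauth.clientId=CONSTRUCTED-PLACEHOLDER\n"
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_APP, SAMPLE_SECRETS)))
```

An empty result means the two files agree with the layout shown in step 2; it does not confirm that the Client ID and Client Secret are valid.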
Step 3: Test configuration
You can test the configuration of ArcGIS Online as identity provider by performing a login initiated by the Identity Service. Follow these steps:
- Make sure you have an ArcGIS Online user account.
- If you are logged in to ArcGIS Online, log out.
- Open the Identity Service base URL, http://www.example.com/identity or http://www.example.com:8080/identity, for example. Make sure to use the exact same URL that you specified as Redirect URI when registering the Identity Service at ArcGIS Online in step 1 of this document.
  The browser displays a page with a list of available service endpoints.
- Click the link titled Login. The browser will redirect you to the ArcGIS Online login page.
- Enter the username and password of your ArcGIS Online account to log in.
  After successful login you are redirected to the Identity Service "Self" endpoint (/identity/account/self).
  If your ArcGIS Online account data is displayed as JSON, you have successfully connected ArcGIS Online with the Identity Service.
Step 4: Customize role mapping (optional)
When connecting other con terra Technologies products with the Identity Service, you may need to ensure that authenticated users have certain roles to access the product features. Please refer to the respective product documentation to find out which roles are required.
In the article about role mapping, you will find more information about how roles and groups in ArcGIS Online are translated into Identity Service roles and how you can customize this if needed.
Next steps
After you have connected ArcGIS Online with the Identity Service, you need to configure the services of your ArcGIS Online organization as trusted services in the Identity Service. This allows users of applications that use the Identity Service to access services of your organization without further login.