ArcGIS Online and Portal for ArcGIS
Because the following information applies equally to ArcGIS Online and Portal for ArcGIS, only ArcGIS Online is referred for better readability. |
ArcGIS Online can be used as user administration for map.apps. This means that a user can log in to map.apps with an ArcGIS Online account. Groups and roles of an ArcGIS Online user are translated into roles for map.apps. Connecting to ArcGIS Online creates the following possibilities:
-
Assignment of roles for the use of map.apps Manager
-
Protection of apps
-
Protection of tools
-
Use of non-public content such as webmaps or layers without re-registration (single sign-on)
Restrictions
|
Configuration of the connection
The following parameters must be added or changed in map.apps Configuration.
security.integrated.agol.enabled
-
Activates the ArcGIS Online user administration. Possible values are
true
orfalse
. The default value isfalse
.The preconfigured users admin
andeditor
can still be used. security.integrated.agol.organization
-
This value contains the domain name of the ArcGIS Online organization. The default value is
www.arcgis.com
. If the value is set to an organization, registrations are only possible for users of this organization. security.integrated.agol.expirationInMinutes
-
This value defines the lifetime of the token, which is retrieved with the login at ArcGIS Online. The default value is
60
(1 hour). This value influences the time after which a new login is necessary if protected resources are used by ArcGIS Online. security.integrated.agol.tokenreferer=<mapapps basis url>
-
Here the external base URL of the map.apps installation must be specified, for example
https://<yourserver>/mapapps
. If the value does not match the URL in the user’s browser, the token generated by ArcGIS Online is not applicable and no protected resources can be queried, even if the actual login is successful.
The configuration might look like this:
security.integrated.agol.enabled=true
security.integrated.agol.organization=myorg.maps.arcgis.com
security.integrated.agol.tokenreferer=https://<yourserver>/mapapps
Use of ArcGIS Online properties as roles in map.apps
Automatic assignment
Roles
ArcGIS Online roles are translated by default as follows:
ArcGIS Online role | map.apps role | Description |
---|---|---|
|
|
ArcGIS Online administrators become map.apps administrators. |
|
|
ArcGIS Online publishers become map.apps editors. |
All other roles are taken over by ArcGIS Online without changes, for example org_user
.
Groups
ArcGIS Online groups consist of an ID, a title and an owner.
Because the ID of a group is not directly visible in ArcGIS Online and assignment is therefore difficult, a group is translated by default into a map.apps role in the form <Title>::<Owner>
.
ArcGIS Online group | map.apps role |
---|---|
Forest (ID: a24534, Owner: user1) |
Forest::user1 |
Water (ID: a345b4, Owner: user2) |
Water::user2 |
Adjustment of the assignment
The way ArcGIS Online roles, groups and organizations are translated into map.apps roles can be customized in the spring-security-agol-config.xml
file.
The entry agolRoleMapping
has to be edited.
<util:map id="agolRoleMapping">
<!-- ArcGIS Online administrator becomes map.apps administrator -->
<entry key="org_admin" value="maAdmin"/>
<!-- ArcGIS Online publisher becomes map.apps editor -->
<entry key="org_publisher" value="maEditor"/>
<!-- ArcGIS Online user gets "user" role in map.apps -->
<entry key="org_user" value="user"/>
</util:map>
<util:map id="agolRoleMapping">
<!-- ArcGIS group "Test" with ID "Q123469" and owner "exception" becomes role "TestUser" in map.apps -->
<entry key="Q123469" value="TestUser"/>
<!-- Alternatively, the default mapping can be used -->
<entry key="auser@@Test" value="TestUser"/>
</util:map>
<util:map id="agolRoleMapping">
<!-- ArcGIS organization "myorganization.maps.arcgis.com" becomes role "MyOrganization" in map.apps -->
<entry key="myorganization.maps.arcgis.com" value="MyOrganization"/>
</util:map>
Restrict login to users of certain organizations
To restrict the ArcGIS Online registration to certain organisations, the following options are available:
-
Configuration of the parameter
security.integrated.agol.organization
with the domain name of a specific organization -
Change the configuration in the
spring-security-agol-config.xml
file. The entryagolAllowedOrganizations
must be edited.
<util:set id="agolAllowedOrganizations">
<!-- Add concrete domain names -->
<value>myorga.maps.arcgis.com</value>
</util:set>
Consume protected webmaps and services
ArcGIS Online user authentication
If a protected resource (for example webmap) is requested from ArcGIS Online, an authentication dialog is opened, where users can enter their ArcGIS Online credentials.
Following configuration options are available to change the mechanism.
client.config.allowCredentialsOverHTTP
-
Defines that authentication credentials are allowed to be transported over HTTP connections. Possible values are
true
orfalse
. In the case of ArcGIS Online only HTTPS is used. Set this parameter totrue
, to request a protected ArcGIS Server that only supports HTTP. client.config.persistIdentityManagerState
-
Defines that the state of the JavaScript object esri/IdentityManager is made persistent within the browser. Only tokens are saved, not the users credentials. With this option set to
true
a users is authenticated as long as the tokens are valid. esri.api.arcgisPortalUrl
-
Defines the base URL of ArcGIS Online or the central ArcGIS Portal installation. The default value is //www.arcgis.com. The value can be changed to an ArcGIS Online organization sub domain URL. This is important if OAuth is used or if the ArcGIS Online organization has configured an enterprise login, because in this case an organization specific authentication dialog is shown.
OAuth
A modification of the ArcGIS Online authentication mechanism is the use of the OAuth2 protocol. The user is redirected to a central authentication page of ArcGIS Online, instead of showing an app specific authentication dialog. The precondition for using this protocol is the registration of the map.apps app in ArcGIS Online.
During the App registration a redirect URL is required. The following two options are possible. It is allowed to register both at a time.
// Popup Modus
https://<server>:<port>/<mapapps_context>/account/oauth-callback.html
// Browser Redirect Modus -> URL der App index.html
https://<server>:<port>/<mapapps_context>/resources/apps/<appname>/index.html
As a result of a successful registration, the app gains an "App-ID".
To activate OAuth, the following parameters have to be configured in the "properties" section of the app configuration:
"oauthEnabled": true
-
Activates the OAuth support.
"oauthAppId": "<app-ID>"
-
This is the App ID created during the registration of the app at ArcGIS Online.
"oauthUsePopup": false
-
This property is optional. The default value is
false
. It defines that the authentication process shows a popup window instead of redirecting the main browser window. The user’s browser might block popup windows. "arcgisPortalUrl": "<organistations url>"
-
This property is optional. The value overwrites the global configuration parameter
esri.api.arcgisPortalUrl
. If the value points to an ArcGIS Online Organization, a organization specific authentication dialog is shown.
The parameters can be edited in the manual configuration.
Additionally it is necessary to add the following bundles to the app, to enforce OAuth when using the map.apps:
-
agolauthn
-
authentication
-
forcelogin