ArcGIS Online
Using the con terra Technologies Identity Service, map.apps can delegate the authentication of users to ArcGIS Online. This means that a user can log in to map.apps with an ArcGIS Online account. Groups and roles of the ArcGIS Online user are translated into roles for map.apps.
Connecting to ArcGIS Online creates the following possibilities:
-
Assignment of roles for the use of map.apps Manager
-
Protection of apps
-
Protection of tools
-
Use of non-public content such as webmaps or layers without re-registration (single sign-on)
Connecting to ArcGIS Online has the following limitations:
-
Apps exported with the app export for native apps do not support the authentication. Apps with anonymous access are still supported.
Create connection between map.apps and ArcGIS Online
Connecting map.apps with ArcGIS Online is done in two steps.
Step 1: Install and configure the Identity Service
In this step you will install and configure the Identity Service as a separate web application. Follow these steps of the Identity Service documentation:
-
Install the Identity Service.
-
Connect the Identity Service to ArcGIS Online.
-
Configure map.apps as trusted service at the Identity Service.
-
Configure services of your organization in ArcGIS Online as trusted services at the Identity Service.
Step 2: Configure map.apps
To enable authentication delegation, add or replace the following parameters in the global configuration.
security.mode=IDENTITY
security.login.base=https://identityservice.example.com/identity
esri.api.arcgisPortalUrl=https://myorg.maps.arcgis.com
security.mode
-
The
IDENTITY
value specifies that authentication should be delegated via the Identity Service. security.login.base
-
Base URL of the Identity Service.
esri.api.arcgisPortalUrl
-
URL to the ArcGIS Online organization. The value must match the configuration of
security.oauth.provider.arcgis.url
from the Identity Service.
Allow App Overview only for logged in users
To allow only people with a valid login to access the map.apps app overview, set the following configuration:
# this is used to specify the protected resource paths (which require authentication before use)
# add '/,/*.html' to protect the index.html
security.application.protectedResources=/,/*.html
Configure your apps
To control access to an app, select the authorized roles in the settings in map.apps manager.
If you want to display user profile information in an app, add the bundle authentication
to that app.
This will also provide an option to logout.
Optionally, you can register each map.apps app in ArcGIS Enterprise Online using the register app in ArcGIS function of the map.apps Manager.
This step adds the authentication
and portal-app-security
bundles to the app and adds necessary entries in the properties
section to the app configuration.
Set additional sharing settings in the created item in ArcGIS Online to specify who is allowed to access the app.
These sharing settings only have a supplementary effect to the app-specific access settings made in map.apps.
Role assignment
map.apps grants access to protected resources depending on the roles to which a user is assigned. For example, only users assigned to the maAdmin role can access the map.apps Manager. Additionally, you can make the availability of apps or tools dependent on specific roles.
The assignment of roles to users is done by the Identity Service. If you configure to use ArcGIS Online as an identity provider there, the Identity Service translates the role of current user’s ArcGIS Online account into internal roles. Additionally, the Identity Service translates ArcGIS Online groups of the current user into roles. Below, please find a the translation tables for ArcGIS Online roles and groups.
If required, you can customize the translation of ArcGIS Online roles and groups into internal roles by changing the configuration parameter security.oauth.provider.arcgis.roles
at the Identity Service.
ArcGIS Online roles
A user’s role in ArcGIS Online is translated to default internal role names by the Identity Service. These role names can be referenced by applications like map.apps to perform role-based access control.
ArcGIS Online role | Internal role | Description |
---|---|---|
|
|
ArcGIS Online administrators become map.apps administrators. |
|
|
ArcGIS Online publishers become map.apps editors. |
|
|
All other roles are adopted from ArcGIS Online without changes. |
If the ArcGIS Online account belongs to an organization, the domain name of the organization is registered as an internal role.
Example: myorganization.maps.arcgis.com
ArcGIS Online groups
The groups a person belongs to in ArcGIS Online are also translated into internal roles.
Since multiple people can create groups with the same title, a group is translated into an internal role of the form <title>::<owner>
.
ArcGIS Online group | Internal role |
---|---|
|
|
|
|