ArcGIS Enterprise portal

Using the con terra Technologies Identity Service, map.apps can delegate the authentication of users to ArcGIS Enterprise portal. This means that a user can log in to map.apps with a portal account. Groups and roles of the portal user are translated into roles for map.apps.

Connecting to ArcGIS Enterprise portal creates the following possibilities:

  • Assignment of roles for the use of map.apps Manager

  • Protection of apps

  • Protection of tools

  • Use of non-public content such as webmaps or layers without re-registration (single sign-on)

Connecting to ArcGIS Enterprise portal has the following limitations:

  • Apps exported with the app export for native apps do not support authentication. Apps with anonymous access are still supported.

Create connection between map.apps and ArcGIS Enterprise portal

Connecting map.apps with ArcGIS Enterprise portal is done in two steps.

Step 1: Install and configure Identity Service

In this step you will install and configure the Identity Service as a separate web application. Follow these steps of the Identity Service documentation:

  1. Install the Identity Service.

  2. Connect the Identity Service to ArcGIS Enterprise portal.

  3. Configure map.apps as a trusted service at the Identity Service.

  4. Configure federated ArcGIS Servers as trusted services at the Identity Service.

Step 2: Configure map.apps

To enable authentication delegation, add or replace the following parameters in the global configuration:

Configuration example

security.mode=IDENTITY
security.login.base=https://www.example.com/identity
esri.api.arcgisPortalUrl=https://arcgis.example.com/portal

security.mode

The value IDENTITY specifies that authentication should be delegated via the Identity Service.

security.login.base

Base URL of the Identity Service.

esri.api.arcgisPortalUrl

URL to the ArcGIS Enterprise portal. The value must match the configuration of security.oauth.provider.arcgis.url from the Identity Service.

Allow App Overview only for logged in users

To allow only people with a valid login to access the map.apps app overview, set the following configuration:

# this is used to specify the protected resource paths (which require authentication before use)
# add '/,/*.html' to protect the index.html
security.application.protectedResources=/,/*.html
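
The settings from Step 2 and the protected-resources setting above can be checked together before deployment. The following is an added example, not part of the map.apps or Identity Service documentation. The sample values are constructed, the function names are hypothetical, and the URL comparison rule (ignore case of scheme and host, ignore a trailing slash) is an assumption about what "match" means.

```python
from urllib.parse import urlsplit

# Constructed sample values, not taken from a real deployment.
MAPAPPS_GOOD = """
security.mode=IDENTITY
security.login.base=https://www.example.com/identity
esri.api.arcgisPortalUrl=https://arcgis.example.com/portal
security.application.protectedResources=/,/*.html
"""
MAPAPPS_BAD = """
security.mode=IDENTITY
security.login.base=https://www.example.com/identity
esri.api.arcgisPortalUrl=https://gis.example.com/portal
# '/*.html' is missing from the list
security.application.protectedResources=/
"""
IDENTITY = "security.oauth.provider.arcgis.url=https://arcgis.example.com/portal/\n"

def parse_properties(text):
    """Minimal key=value parser (assumption: no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def norm_url(url):
    # Assumption: URLs match if they differ only in scheme/host case or a trailing slash.
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))

def check(mapapps_text, identity_text, protect_overview=True):
    """Return a list of findings; an empty list means the settings are consistent."""
    m, i = parse_properties(mapapps_text), parse_properties(identity_text)
    findings = []
    if m.get("security.mode") != "IDENTITY":
        findings.append("security.mode is not IDENTITY")
    if not m.get("security.login.base"):
        findings.append("security.login.base is not set")
    portal, idp = m.get("esri.api.arcgisPortalUrl"), i.get("security.oauth.provider.arcgis.url")
    if not portal or not idp or norm_url(portal) != norm_url(idp):
        findings.append("esri.api.arcgisPortalUrl does not match security.oauth.provider.arcgis.url")
    if protect_overview:  # only relevant if the app overview must require a login
        paths = {p.strip() for p in m.get("security.application.protectedResources", "").split(",")}
        findings += [f"protectedResources lacks {p}" for p in ("/", "/*.html") if p not in paths]
    return findings

if __name__ == "__main__":
    for name, cfg in (("good", MAPAPPS_GOOD), ("bad", MAPAPPS_BAD)):
        print(name, check(cfg, IDENTITY) or "OK")
```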

Configure your apps

To control access to an app, select the authorized roles in the settings in map.apps Manager.

If you want to display user profile information in an app, add the authentication bundle to that app. This also provides an option to log out.

Optionally, you can register each map.apps app in ArcGIS Enterprise portal using the "register app in ArcGIS" function of the map.apps Manager. This step adds the authentication and portal-app-security bundles to the app and adds the necessary entries to the properties section of the app configuration. Set additional sharing settings in the created item in ArcGIS Enterprise portal to specify who is allowed to access the app. These sharing settings only supplement the app-specific access settings made in map.apps.

Role assignment

map.apps grants access to protected resources depending on the roles to which a user is assigned. For example, only users assigned to the maAdmin role can access the map.apps Manager. Additionally, you can make the availability of apps or tools dependent on specific roles.

The Identity Service assigns roles to users. If you configure ArcGIS Enterprise portal as the identity provider there, the Identity Service translates the role of the current user’s portal account into internal roles. Additionally, the Identity Service translates the portal groups of the current user into roles. The translation tables for portal roles and groups are shown below.

If required, you can customize the translation of portal roles and groups into internal roles by changing the configuration parameter security.oauth.provider.arcgis.roles at the Identity Service.

Portal roles

A user’s role in ArcGIS Enterprise portal is translated to default internal role names by the Identity Service. These role names can be referenced by applications like map.apps to perform role-based access control.

Portal role      Internal role    Description
org_admin        maAdmin          Portal administrators become map.apps administrators.
org_publisher    maEditor         Portal publishers become map.apps editors.
roleX            roleX            All other roles are adopted from ArcGIS Enterprise portal without changes.

Portal groups

The groups a person belongs to in ArcGIS Enterprise portal are also translated into map.apps roles. Since multiple people can create portal groups with the same title, a group is translated into an internal role of the form <title>::<owner>.

Portal group             Internal role
Forest (Owner: user1)    Forest::user1
Water (Owner: user2)     Water::user2