ArcGIS Enterprise portal
Using the con terra Technologies Identity Service, map.apps can delegate the authentication of users to ArcGIS Enterprise portal. This means that a user can log in to map.apps with a portal account. Groups and roles of the portal user are translated into roles for map.apps.
Connecting to ArcGIS Enterprise portal creates the following possibilities:
- Assignment of roles for the use of map.apps Manager
- Protection of apps
- Protection of tools
- Use of non-public content such as webmaps or layers without re-registration (single sign-on)
Connecting to ArcGIS Enterprise portal has the following limitations:
- Apps exported with the app export for native apps do not support the authentication. Apps with anonymous access are still supported.
Create a connection between map.apps and ArcGIS Enterprise portal
Connecting map.apps with ArcGIS Enterprise portal is done in several steps.
Step 1: Install and configure Identity Service
In this step you will install and configure the Identity Service as a separate web application. Follow these steps of the Identity Service documentation:
- Install the Identity Service.
- Connect the Identity Service to ArcGIS Enterprise portal.
- If map.apps and Identity Service are not made available via the same hostname, adapt the configuration according to the documentation for operating different hostnames under one domain.
Step 2: Configure map.apps
To enable authentication delegation, add or replace the following parameters in the global configuration:
security.mode=IDENTITY
security.login.base=https://www.example.com/identity
esri.api.arcgisPortalUrl=https://arcgis.example.com/portal
# (optional) If the portal uses Integrated Windows Authentication (IWA)
#cors.request.trustedServers=https://arcgis.example.com
- security.mode: The value IDENTITY specifies that authentication should be delegated via the Identity Service.
- security.login.base: Base URL of the Identity Service.
- esri.api.arcgisPortalUrl: URL to the ArcGIS Enterprise portal. The value must match the configuration for security.oauth.provider.arcgis.url in the Identity Service.
- cors.request.trustedServers: (Optional) If the portal uses Integrated Windows Authentication (IWA), the URL of the portal must be added here.
Allow App Overview only for logged in users
To allow only people with a valid login to access the map.apps app overview, set the following configuration:
# this is used to specify the protected resource paths (which require authentication before use)
# add '/,/*.html' to protect the index.html
security.application.protectedResources=/,/*.html
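The Step 2 settings can be checked before deployment. The following added example (not part of the con terra documentation) lints the map.apps parameters and cross-checks the portal URL against the Identity Service. It assumes both configurations are available as simple key=value text; the function names, the https expectation and the comma-separated reading of cors.request.trustedServers are this example's own assumptions.

```python
from urllib.parse import urlsplit

def parse_properties(text):
    """Parse simple key=value lines; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def origin(url):
    """Reduce a URL to (scheme, host, port) so paths do not affect comparison."""
    parts = urlsplit(url.strip())
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def check_config(mapapps_text, identity_text, protect_overview=False):
    """Return a list of findings; an empty list means all checks passed."""
    m, ident = parse_properties(mapapps_text), parse_properties(identity_text)
    findings = []
    if m.get("security.mode") != "IDENTITY":
        findings.append("security.mode is not IDENTITY")
    # https is this example's own expectation, not a documented requirement.
    for key in ("security.login.base", "esri.api.arcgisPortalUrl"):
        if urlsplit(m.get(key, "")).scheme != "https":
            findings.append(key + " is missing or not an https URL")
    portal = m.get("esri.api.arcgisPortalUrl", "").rstrip("/")
    if portal != ident.get("security.oauth.provider.arcgis.url", "").rstrip("/"):
        findings.append("portal URL differs between map.apps and Identity Service")
    # Assumption: several trusted servers would be comma-separated.
    trusted = m.get("cors.request.trustedServers")
    if trusted and origin(portal) not in [origin(t) for t in trusted.split(",")]:
        findings.append("cors.request.trustedServers does not list the portal")
    if protect_overview:
        paths = m.get("security.application.protectedResources", "").split(",")
        if not {"/", "/*.html"} <= {p.strip() for p in paths}:
            findings.append("app overview (/ and /*.html) is not protected")
    return findings

# Constructed sample input: the portal URL differs between the two files.
MAPAPPS = """security.mode=IDENTITY
security.login.base=https://www.example.com/identity
esri.api.arcgisPortalUrl=https://arcgis.example.com/portal
security.application.protectedResources=/,/*.html
"""
IDENTITY = "security.oauth.provider.arcgis.url=https://arcgis.example.com/arcgis\n"
if __name__ == "__main__":
    print("\n".join(check_config(MAPAPPS, IDENTITY, protect_overview=True)))
```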
Step 3: Customize role assignment
map.apps grants access to protected resources depending on the roles assigned to a user. For example, only users assigned to the maAdmin role can access the map.apps Manager. Additionally, you can make the visibility of apps or tools dependent on specific roles.
The assignment of roles to users is performed by the Identity Service based on role and group assignments in ArcGIS Enterprise portal. By default, the Identity Service is configured so that all portal administrators receive the maAdmin role. These users can then also log in to the map.apps Manager and manage apps.
In the documentation on role assignment in the Identity Service, you can find more information about how the Identity Service translates roles and groups from ArcGIS Enterprise portal into roles for accessing map.apps and how you can adapt the assignment to your requirements.
Configure your apps
To control access to an app, select the authorized roles in the app's settings in map.apps Manager.
If you want to display user profile information in an app, add the bundle authentication to that app.
This also provides an option to log out.
Optionally, you can register each map.apps app in ArcGIS Enterprise portal using the register app in ArcGIS function of the map.apps Manager.
This step adds the authentication and portal-app-security bundles to the app and adds the necessary entries to the properties section of the app configuration.
Set additional sharing settings in the created item in ArcGIS Enterprise portal to specify who is allowed to access the app.
These sharing settings only supplement the app-specific access settings made in map.apps.