Published by Emmeline Maxwell. Modified over 9 years ago.
1
ArcGIS Server and Portal for ArcGIS An Introduction to Security
Jeff Smith & Derek Law July 21, 2015
2
Agenda
Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS
- Security in the context of ArcGIS Server/Portal for ArcGIS
- Access
- Authentication
- Authorization: securing web services
- Encryption and certificates
- ArcGIS Server + Portal for ArcGIS
- Enterprise groups and SAML in Portal for ArcGIS
- Summary
How to configure
3
ArcGIS Server/Portal for ArcGIS Security
- Protect your assets
- Control access and set permissions
4
ArcGIS 10.3.x for Server – Web GIS in your Infrastructure
[Diagram: Desktop Web Device Server Online Content and Services portal Portal for ArcGIS ArcGIS Server]
5
Who can login to ArcGIS Server?
Access
6
ArcGIS Server Access
Permissions
- User → Valid login to access
- Role → Grouping of users
  - 3 types
    - Administrators – Full admin control
    - Publishers – Publish web services
    - Users – View web services
- Identity store → Defines your users and roles
  - User store + Role store
7
ArcGIS Server: User considerations
- Where are your users coming from?
  - Determines which type of identity store you should use
  - Intranet → Windows Active Directory or LDAP
  - Internet → Built-in or custom
[Diagram labels: External, Organizations IT network, Identity store, Internal]
8
ArcGIS Server: Role considerations
- How much control do I have on my ArcGIS Server site?
  - Managed by me, within my Dept? or
  - Managed by my organization’s IT Dept
- May affect where you define your roles
  - Built-in identity store
  - Enterprise identity store or LDAP
9
ArcGIS Server: Identity Store
- Identity Store → Defines your users and roles
- 3 different options
  - Built-in (default)
  - Register with an enterprise identity store
    - Windows Active Directory
    - LDAP
  - “Mixed mode”
    - Users from enterprise identity store
    - Roles from built-in store
[Diagram label: Identity store]
10
Demo ArcGIS Server Manager Show Users and Roles
11
Check and verify user identity
Authentication
12
Authentication Tier/Method
- Authentication → Check and verify user identity
- 2 options
  - GIS Tier
    - Uses tokens to authenticate
  - Web Tier
    - Uses HTTP authentication
    - E.g., Basic, Digest, Integrated Windows, Client certificates, and Custom
13
ArcGIS Web Adaptor
- Enables ArcGIS Server to work with 3rd party web server
  - E.g., Microsoft IIS, IBM WebSphere, etc.
  - Leverage web server features
- Required for web-tier authentication
- Provides more flexibility to control site access
- Conceptually like a reverse proxy
- Separate software install
  - Included with ArcGIS for Server
[Diagram labels: Web Server, Web Adaptor, GIS Server, GIS site]
14
GIS Tier Authentication
- GIS Server checks credentials
- Token → Unique identifier sent from GIS Server to client to identify an interaction session
1. Credentials sent to GIS server
2. Checked with ID store
3. Esri token sent back to client
[Diagram labels: Client, Web Server, Web Adaptor, GIS Server, Identity store, Configuration store, Server directories]
15
Web Tier Authentication
- Web server checks credentials
- Must use ArcGIS Web Adaptor
- HTTP authentication
1. Credentials checked with ID store
2. Credentials sent to Web Adaptor
3. Credentials sent to GIS server
[Diagram labels: Client, Web Server, Web Adaptor, GIS Server, Identity store, Configuration store, Server directories]
16
GIS Tier vs. Web Tier Authentication
 | GIS Tier / Token | Web Tier / HTTP Auth
Default | Yes | No
Public / anonymous possible | |
Clients | Supporting Esri | All, including OGC
Requirements | Enable SSL | ArcGIS Web Adaptor(s) required; Basic – require SSL; Digest – special setup; IWA – Windows only
17
ArcGIS Server Manager Demo
Show how to select authentication method Show IIS configuration of ArcGIS Web Adaptor
18
What you are allowed to do
Authorization
19
Securing GIS Web Services
- Set permissions for roles on folders and services
- Administrators/Publishers grant permissions
- All new services are public by default
  - Anonymous access
- Can specify whether folders require HTTPS
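Because all new services are public by default, a periodic check for services that still allow anonymous access is worth having. The following is an added example, not part of the original slides or Esri's code: it classifies services from their permission listings. The JSON shape and the esriEveryone public principal are modeled on the ArcGIS Server Administrator Directory as an assumption; service and role names are constructed.

```python
import json

PUBLIC_PRINCIPAL = "esriEveryone"  # assumed name of the principal that means anonymous/public

# Constructed sample: one permission listing per service (assumed JSON shape,
# made-up service and role names). In practice this would be collected from
# the site's Administrator Directory by an administrator.
SAMPLE = json.loads("""
{
  "Parcels.MapServer": {"permissions": [
      {"principal": "esriEveryone", "permission": {"isAllowed": true}}]},
  "Utilities/WaterMains.FeatureServer": {"permissions": [
      {"principal": "gis_editors", "permission": {"isAllowed": true}}]},
  "Utilities/Valves.MapServer": {"permissions": [
      {"principal": "esriEveryone", "permission": {"isAllowed": false}},
      {"principal": "gis_viewers", "permission": {"isAllowed": true}}]},
  "Basemap.MapServer": {"permissions": []}
}
""")

def classify(listing):
    """Return 'public', 'restricted' or 'unset' for one permission listing."""
    allowed = {p["principal"] for p in listing.get("permissions", [])
               if p.get("permission", {}).get("isAllowed")}
    if PUBLIC_PRINCIPAL in allowed:
        return "public"
    # 'unset' means no explicit allow entry: review the parent folder's permissions.
    return "restricted" if allowed else "unset"

def audit(listings, approved_public=frozenset()):
    """Group services by exposure; public ones must be on the approved list."""
    report = {"public_unapproved": [], "public_approved": [],
              "restricted": [], "unset": []}
    for name, listing in sorted(listings.items()):
        state = classify(listing)
        if state == "public":
            state = "public_approved" if name in approved_public else "public_unapproved"
        report[state].append(name)
    return report

if __name__ == "__main__":
    for state, names in audit(SAMPLE).items():
        print(f"{state:18} {names}")
```

Services reported as public_unapproved are the ones to secure or to add deliberately to the approved list.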
20
ArcGIS Server Manager Demo Show securing a web service
Show accessing a secured web service
21
Securing communication protocols
Encryption and HTTPS
22
Should you be using HTTPS?
- Hypertext Transfer Protocol Secure (HTTPS)
  - HTTPS: a protocol for secure communication
- Yes!
- To enable, you need to update the security configuration within the ArcGIS Server Administrator Directory
  - Select ‘HTTP And HTTPS’ or ‘HTTPS Only’
- HTTPS requires security certificate, which contains
  - Key information, owner identity, and digital signature of an entity that has verified the certificate’s contents are correct
23
Security Certificates
- Enabling HTTPS in ArcGIS Server generates a self-signed certificate for every machine in the site
  - Used to communicate with the ArcGIS Web Adaptor over port 6443
- For production site, the ArcGIS Web Adaptor should use a certificate signed by a domain or well-known Certificate Authority (CA)
  - Web clients use the certificate to trust content from ArcGIS Server
[Figure captions: “Want to avoid:” and “Certificate signed by domain or well-known CA”; images not preserved]
24
How do you set up a Security Certificate?
- Generate a Certificate Signing Request (CSR)
- Send CSR for signing
  - By a domain or well-known Certificate Authority
- Import signed certificate
25
Demo ArcGIS Server Create a security certificate and use in IIS
26
IIS Security Certificate Demo Summary
- Generate CSR for a new certificate
- Send CSR to certificate authority
- Import signed certificate
- Update web site to reference signed certificate
27
Extension to ArcGIS for Server
Portal for ArcGIS
28
Using Portal with ArcGIS Server
- Registering services
- Federating an ArcGIS Server site
[Diagram labels: Portal, Server]
29
Implementation Patterns
Portal for ArcGIS + ArcGIS Server
[Diagram labels: Portal for ArcGIS, ArcGIS Server site 1, Item A, Registered web service, Identity Store, Identity Store]
30
What can be Secured and Where?
- Portal for ArcGIS
  - Portal Items: Web map, Data, Web app
- ArcGIS Server
  - Web Services
31
What does it mean to be Secured?
Portal Item | What access means
Web Map | Can know what the URLs for the layers in the map are; layers are secured independently
Packages | Can download the package
Data | Can download the data
Application | Allows opening of app* (except referenced external app)

ArcGIS Server | What access means
Any service | Can perform any operation that is enabled
32
How is Security Set?
- Portal for ArcGIS
  - Permissions set by item owner
  - Can be changed by administrators
- ArcGIS Server
  - Permissions can be set by any publisher/administrator
[Diagram labels: Portal Items (Web map, Web app, Data); Web Services]
33
Portal for ArcGIS Security
- Integrates with Your Enterprise Security Infrastructure
- Authentication
  - Web tier authentication, including Windows Authentication & PKI
  - Web single sign-on (SSO) with SAML (10.3)
  - Portal tier authentication combining both built-in and enterprise users (10.3.1)
- Users, Roles, and Groups
  - Users
    - Built-in
    - Enterprise: Active Directory, LDAP
  - Roles: Anonymous, User, Publisher, Administrator, Custom roles (10.3)
  - Groups
    - Enterprise groups (10.3)
34
How to Choose Identity Store for Portal for ArcGIS
- SAML: If the org has an Identity provider
- Windows Active Directory or LDAP: If the users are mostly or all internal
- Built-in: If the users are mostly external
35
Groups and Roles
- A collection of users is called …
  - Group in Portal for ArcGIS
  - Role in ArcGIS Server
- In Portal, you define the Group
  - If you use enterprise identity store, can leverage enterprise groups
- In Server, Role defined with built-in roles or from enterprise identity store
36
Portal for ArcGIS Roles
Permissions
- Permissions for Portal users defined by roles
- 3 default roles
  - Administrator
  - Publisher
  - User
- Custom roles (as of 10.3)
  - Provide more fine grained access control
37
Portal for ArcGIS: Custom Roles
- Provide more flexibility to enable fine grained control on what members can do
- My Organization page > Edit Settings > Roles > Create Role
38
Implementation Patterns
Portal for ArcGIS + ArcGIS Server
[Diagram labels: Portal for ArcGIS, Item A, Registered web service, ArcGIS Server site 1, Identity Store, Identity Store]
39
Demo Portal for ArcGIS Show how a secured web service behaves in Portal
40
Implementation Patterns
Portal for ArcGIS + ArcGIS Server
[Diagram labels: Portal for ArcGIS, ArcGIS Server site 1, Item A, Registered web service, Federated Server, ArcGIS Server site 2, Item B, Identity Store, Identity Store]
41
Portal – Server Federation
- Allows a single sign-on (SSO) experience between Portal and Server
  - Permissions are all managed in Portal
- ArcGIS Server site must be HTTPS enabled
- When to use:
  - Desire for SSO user experience
- When NOT to use:
  - When Portal/Server are in different physical locations
  - Portal and Server are different releases
[Diagram labels: Portal for ArcGIS, Identity store, ArcGIS Server]
42
Demo Portal for ArcGIS Show federating an ArcGIS Server site with Portal
43
Portal for ArcGIS and HTTPS
- The ArcGIS Web Adaptor is the primary access point for Portal
  - For production site, use a signed certificate from a domain or well-known Certificate Authority (CA)
- By default, Portal for ArcGIS encrypts communication between itself and the ArcGIS Web Adaptor on port 7443 via HTTPS
- Portal maintains a list of trusted CA Certs used when accessing external services over HTTPS
  - Needs to be updated if Portal is accessing internal services via HTTPS
  - Configuring the portal to trust certificates from your certifying authority
44
Other Security Options in Portal for ArcGIS
- At 10.3, several enhancements were added
  - Support for enterprise groups when Portal uses an enterprise identity store
    - Windows Active Directory or LDAP
  - Support for SAML authentication
45
10.3 Support for Enterprise Groups
- Enabled when Portal is configured with Windows Active Directory or LDAP
46
Portal for ArcGIS Demo Show enabling IWA security in Portal
Show creating an Enterprise group
47
Enterprise Groups in Portal for ArcGIS
[Diagram labels: Windows Active Directory or LDAP; Portal for ArcGIS; Exploration Group; Enterprise Group: Explore]
48
Industry standard for SSO
10.3 Single Web Sign On through SAML (Security Assertion Markup Language)
49
SAML – Conceptual Workflow
1. User attempts to login
2. Portal redirects client to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
[Diagram labels: Client, Portal for ArcGIS, Identity Provider (IDP) 3rd party]
50
Demo Portal for ArcGIS Show enabling SAML authentication in Portal
51
SAML login User Experience
- With SAML authentication enabled, user will be prompted by IDP to login
- Use IDP login or built-in login
52
5 Key Points
- Multiple ways to utilize your Enterprise Identity store
- Select the authentication option that best meets your business requirements
- Enable HTTPS on your ArcGIS Server site
- Use a security certificate signed by your domain or a well-known CA
- Portal – Server Federation is optional
53
Summary
- Security in the context of ArcGIS Server/Portal for ArcGIS
- Access
- Authentication
- Authorization: securing web services
- Encryption and certificates
- ArcGIS Server + Portal for ArcGIS
- Enterprise groups and SAML in Portal for ArcGIS
54
Thank you… Please fill out the session survey in your mobile app
- Select ArcGIS Server and Portal for ArcGIS: An Introduction to Security in the Mobile App
  - Use the Search Feature to quickly find this title
- Click “Technical Workshop Survey”
- Answer a few short questions and enter any comments
55
Other Security Tech Workshops
- ArcGIS Server: Advanced Security
  - Wed 3:15 pm Room 3
  - Thurs 3:15 pm Room 4
- Best Practices in Setting up Secured Services in ArcGIS for Server
  - Tues 5:30 pm Demo Theater 14 – Tech Support
- Building Security into Your System
  - Tues 4:30 pm Implementation Center
- Enterprise GIS: Security Strategy
  - Tues 10:15 am Ballroom 6E
  - Thurs 3:25 pm Ballroom 6E
56
© Copyright 2015. All Rights Reserved.