Skip To Content

Use your portal with LDAP and web-tier authentication

You can secure access to your portal using Lightweight Directory Access Protocol (LDAP). When you use LDAP, logins are managed through your organization's LDAP server.

To use LDAP, you can set up portal-tier authentication or web-tier authentication using ArcGIS Web Adaptor (Java Platform) deployed to a Java application server. You cannot use ArcGIS Web Adaptor (IIS) to perform web-tier authentication with LDAP. If you haven't done so already, install and configure ArcGIS Web Adaptor (Java Platform) with your portal.

Configure your portal with LDAP

By default, Portal for ArcGIS enforces HTTPS for all communication. If you have previously changed this option to allow both HTTP and HTTPS communication, you must reconfigure the portal to use HTTPS-only communication by following the steps below.

Configure the portal to use HTTPS for all communication

  1. Sign in to the portal website as an Administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
  2. Click Organization and click the Settings tab, and then click Security on the left side of the page.
  3. Enable Allow access to the portal through HTTPS only.

Update your portal's identity store

Next, update your portal's identity store to use LDAP users and groups.

  1. Sign in to the ArcGIS Portal Directory as an administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
  2. Click Security > Config > Update Identity Store.
  3. In the User store configuration (in JSON format) text box, paste your organization's LDAP user configuration information (in JSON format). Alternatively, you can update the following sample with user information specific to your organization.

    {
      "type": "LDAP",
      "properties": {
        "userPassword": "secret",
        "isPasswordEncrypted": "false",
        "user": "uid=admin,ou=system",
        "userFullnameAttribute": "cn",
        "userGivenNameAttribute": "givenName",
        "userSurnameAttribute": "sn",
        "ldapURLForUsers": "ldaps://myLdapServer:10636/ou=users,ou=ags,dc=example,dc=com",
        "userEmailAttribute": "mail",
        "usernameAttribute": "uid",
        "caseSensitive": "false",
        "userSearchAttribute": "uid"
      }
    }

    In most cases, you'll only need to alter values for the user, userPassword, and ldapURLForUsers parameters. The URL to your LDAP will need to be provided by your LDAP administrator.

    In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:

    "ldapURLForUsers": "ldaps://myLdapServer:10636/dc=example,dc=com",

    The account you use for the user parameter needs permissions to look up the email addresses and user names of users in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).

    If your LDAP is configured to be case-sensitive, set the caseSensitive parameter to true.

  4. To create groups in the portal that use the existing LDAP groups in your identity store, paste your organization's LDAP group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. Alternatively, you can update the following sample with group information specific to your organization. If you only want to use the portal's built-in groups, delete any information in the text box and skip this step.

    {
      "type": "LDAP",
      "properties": {
        "userPassword": "secret",
        "isPasswordEncrypted": "false",
        "user": "uid=admin,ou=system",
        "ldapURLForUsers": "ldaps://myLdapServer:10636/ou=users,ou=ags,dc=example,dc=com",
        "ldapURLForRoles": "ldaps://myLdapServer:10636/dc=example,dc=com",
        "usernameAttribute": "uid",
        "caseSensitive": "false",
        "userSearchAttribute": "uid",
        "memberAttributeInRoles": "member",
        "rolenameAttribute":"cn"
      }
    }

    In most cases, you'll only need to alter values for the user, userPassword, ldapURLForUsers, and ldapURLForUsers parameters. The URL to your LDAP will need to be provided by your LDAP administrator.

    In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:

    "ldapURLForUsers": "ldaps://myLdapServer:10636/dc=example,dc=com",

    The account you use for the user parameter needs permissions to look up the names of groups in your organization. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below).

    If your LDAP is configured to be case-sensitive, set the caseSensitive parameter to true.

  5. Click Update Configuration to save your changes.
  6. If you've configured a highly available portal, restart each portal machine. See Stop and start the portal for full instructions.

Add organization-specific accounts to your portal

By default, organization-specific users can access the portal website. However, they can only view items that have been shared with everyone in the organization. This is because the organization-specific accounts have not been added to the portal and granted access privileges.

Add accounts to your portal using one of the following methods:

It's recommended that you designate at least one organization-specific account as an Administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Once the accounts have been added and you complete the steps below, users will be able to sign in to the organization and access content.

Configure ArcGIS Web Adaptor to use web-tier authentication

Once you've installed and configured ArcGIS Web Adaptor (Java Platform) with your portal following the appropriate installation guide, you need to configure your Java application server with two primary tasks:

  1. Integrate with your LDAP identity store. This will allow your Java application server to authenticate users managed in that LDAP store.
  2. Enable a browser-based authentication mechanism, such as form- or dialog-based authentication, for the portal's ArcGIS Web Adaptor context.

For instructions, consult your system administrator, the product documentation for your Java application server, or Esri Professional Services.

Verify you can access the portal using LDAP

  1. Open the portal website. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
  2. Verify that you are prompted for your LDAP account credentials. If you do not see this behavior, verify the LDAP account you used to sign in to the machine was added to the portal.

Prevent users from creating their own built-in accounts

You can prevent users from creating their own built-in accounts by disabling the ability for users to create new built-in accounts in the organization settings.