The primary factor you should use to determine how you configure security in your ArcGIS Enterprise deployment is the source of users and, optionally, groups for your portal. This source of users and groups is called your identity store. Users and groups within or outside your organization are managed through the identity store.
- Understanding identity stores
- Configuring built-in users using the portal's identity store
- Configuring organization-specific logins using SAML
Understand identity stores
The identity store for your portal defines where the credentials of your portal accounts are stored, how authentication occurs, and how group membership is managed. The ArcGIS Enterprise portal supports two types of identity stores: built-in and organization-specific identity stores.
Built-in identity store
When you create built-in accounts and groups in the portal, you are leveraging the built-in identity store, which performs authentication and stores portal account user names, passwords, roles, and group membership. You must use the built-in identity store to create the initial administrator account for your portal, but you can later switch to an organization-specific identity store. The built-in identity store is useful to get your portal up and running, and also for development and testing. However, production environments typically leverage an organization-specific identity store.
Organization-specific identity store
The ArcGIS Enterprise portal is designed so you can use organization-specific accounts and groups to control access to your ArcGIS organization. This process is described throughout the documentation as setting up organization-specific logins.
The advantage of this approach is that you do not need to create additional accounts in the portal. Members use the login that is already set up in the organization-specific identity store. The management of account credentials, including policies for password complexity and expiration, is completely external to the portal. Authentication can be handled at the portal tier, using portal tier authentication, or through an external identity provider, using SAML.
Similarly, you can also create groups in the portal that link to existing enterprise groups in your identity store. This allows the management of group membership to be completely external to the portal. When members sign in to the portal, access to content, items, and data is controlled by the membership rules defined in the enterprise group. Also, organization-specific accounts can be added in bulk from the enterprise groups in your organization.
For example, a recommended practice is to disable anonymous access to your portal, connect your portal to the desired enterprise groups in your organization, and add the organization-specific accounts based on those groups. In this way, you restrict access to the portal based on specific enterprise groups in your organization.
Support multiple identity stores
Using SAML 2.0, you can allow access to your portal using multiple identity stores. Users can sign in with built-in accounts and accounts managed in multiple SAML-compliant identity providers configured to trust one another. This is a good way to manage users that may reside within or outside your organization. For full details, see Configure a SAML-compliant identity provider with your portal.
Configure built-in users and groups using the portal's identity store
No steps are necessary to configure the portal when using built-in users and groups; the portal is ready for built-in users and groups immediately after installing the software. If you are using organization-specific users, see the following sections and related links for more information.
Configure organization-specific logins
The following organization-specific identity providers can be configured with the portal.
Portal-tier authentication
If you want to allow access to your portal using both organization-specific and built-in identity stores without using SAML, you can use portal-tier authentication. This is achieved by configuring the portal with your Active Directory or LDAP identity store. When a user accesses the portal sign-in page, they will be able to sign in using either organization-specific credentials or built-in credentials. Organization-specific users will be required to enter their account credentials each time they sign in to the portal; automatic or single-sign on is not available.
When using portal-tier authentication, members will sign in using the following syntax:
- If using the portal with your Active Directory, the syntax can be domain\username or username@domain. Regardless of how the member signs in, the user name always displays as username@domain in the portal website.
- If using the portal with LDAP, the syntax can be defined by the administrator. The portal website also displays the account in this format.
Configure organization-specific logins using SAML
The ArcGIS Enterprise portal supports all SAML-compliant identity providers. The following tutorials demonstrate how to configure certain common SAML-compliant identity providers with the portal. For more information, see Configure a SAML-compliant identity provider with your portal.
Account lockout policy
Software systems often enforce an account lockout policy to protect against mass automated attempts to guess a user's password. If a user makes a certain number of failed login attempts within a particular time interval, they may be denied further attempts for a designated time period. These policies are balanced against the reality that sometimes users will forget their names and passwords and fail to sign in successfully.
The enforced portal lockout policy depends on which type of identity store you're using:
Built-in identity store
The built-in identity store locks out a user after five consecutive invalid attempts. The lockout lasts for 15 minutes. This policy applies to all accounts in the identity store, including the initial administrator account. This policy cannot be modified or replaced.
Organization-specific identity store
When you're using an organization-specific identity store, the account lockout policy is inherited from the store. You may be able to modify the account lockout policy for the store. Consult the documentation specific to the store type to learn how to change the account lockout policy.
Monitor failed login attempts
You can monitor failed login attempts by viewing the organization's logs in ArcGIS Enterprise Manager. Any failed attempts result in a warning-level message stating that the user failed to sign in because of an invalid user name or password combination. If the user exceeds the maximum number of login attempts, a severe-level message is logged stating that the account has been locked out. Monitoring the logs for failed login attempts can help you understand if there is a potential password attack on your system.
For more information, see Work with system logs.