Use LDAP or Windows Active Directory for users and groups

You can secure access to your organization using Lightweight Directory Access Protocol (LDAP) or Microsoft Windows Active Directory. When you use LDAP, credentials are managed through your organization's LDAP server. When you use Windows Active Directory, credentials are managed through that directory.

Update the portal's identity store

Update the portal's identity store to use either LDAP or Windows Active Directory users and groups.

Configure the identity store using LDAP users and groups

Update the portal's identity store to use LDAP users and groups.

  1. Sign in to ArcGIS Enterprise Manager as an administrator.

    The URL is in the format: https://organization.example.com/<context>/manager.

  2. Click Security > Identity Store.

    The User store and Group store settings allow you to specify how users and groups will be managed for your organization.

  3. Click LDAP under User store.

    For LDAP users, you can use the built-in group store or an LDAP group store. The settings in the User store and group store configuration section change based on the type of group store selected.

  4. In the User store and group store configuration section, provide the appropriate information for each setting.

    • Type—LDAP or LDAPS
    • Hostname (Required)—The name of the host machine where the LDAP directory is running.
    • Port (Required)—The port number on the host machine where the LDAP directory is listening for incoming connections.
      Note:
      For secure connections, this is typically 636.
    • User Base DN (Required)—The distinguished name (DN) on the directory server under which user information is maintained, for example, ou=users,dc=example,dc=com.
    • Group Base DN (Required)—The DN on the directory server under which group information is maintained, for example, ou=groups,dc=example,dc=com.
    • Username (Required)—The DN of an LDAP user account that has read access to the node containing user information. This account does not need administrative access.
    • Password (Required)—The password for the LDAP user account that is used to access the directory server.
    • LDAP URL for users—The LDAP URL for users that is used to connect to the LDAP directory.
      Note:
      This is automatically generated but can be changed.
    • LDAP URL for groups—The LDAP URL for groups that is used to connect to the LDAP directory.
      Note:
      This is automatically generated but can be changed.
    • Are usernames case sensitive—Yes or No.
    • User first name attribute (Required)—The directory server attribute for a user's first name.
    • User last name attribute (Required)—The directory server attribute for a user's last name.
    • User email attribute (Required)—The directory server attribute for a user's email address.
    • Username attribute (Required)—The directory server attribute for a user's user name.
    • Member attribute (Required)—The directory server attribute that lists the users who are members of a given group.
    • Group name attribute (Required)—The directory server attribute for a group's name.

  5. Click Save when you are finished entering the information to configure the identity store.
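As an added example (not Esri's code or the product's own generator), the Python below shows how the step 4 settings compose into the user and group LDAP URLs, parses an edited URL back into its parts for review, and runs the checks worth making before you click Save: every required field present, LDAPS rather than cleartext LDAP for the bind account, port 636 for LDAPS, and well-formed DNs. It assumes the auto-generated URLs follow the RFC 4516 form scheme://host:port/baseDN?attribute?scope?filter; the attribute names, bind DN and filter values are constructed sample values.

```python
from dataclasses import dataclass, fields
from urllib.parse import quote, unquote, urlsplit


@dataclass
class LdapStore:
    type: str             # "LDAP" or "LDAPS"
    hostname: str
    port: int
    user_base_dn: str
    group_base_dn: str
    username: str         # DN of the non-admin account used to read the directory
    password: str
    username_attr: str    # e.g. "uid" (assumed value)
    member_attr: str      # e.g. "member" (assumed value)
    group_name_attr: str  # e.g. "cn" (assumed value)


def is_dn(value: str) -> bool:
    """Minimal DN check: comma-separated attr=value pairs (no escaping handled)."""
    pairs = [p.strip().split("=", 1) for p in value.split(",")]
    return all(len(p) == 2 and p[0].isalnum() and p[1] for p in pairs)


def ldap_url(store: LdapStore, base_dn: str, attr: str, ldap_filter: str) -> str:
    """Build the URL the manager page generates (RFC 4516 form is an assumption)."""
    scheme = "ldaps" if store.type.upper() == "LDAPS" else "ldap"
    base = quote(base_dn, safe="=,")
    return f"{scheme}://{store.hostname}:{store.port}/{base}?{attr}?sub?{quote(ldap_filter, safe='()=*')}"


def parse_ldap_url(url: str) -> dict:
    """Split a generated or hand-edited LDAP URL into its components for review."""
    u = urlsplit(url)
    attrs, scope, ldap_filter = (u.query.split("?", 2) + ["", "", ""])[:3]
    return {"scheme": u.scheme, "host": u.hostname, "port": u.port,
            "base_dn": unquote(u.path.lstrip("/")), "attributes": attrs,
            "scope": scope, "filter": unquote(ldap_filter)}


def check_store(store: LdapStore) -> list[str]:
    """Return configuration problems to fix before saving the identity store."""
    problems = [f"{f.name} is required" for f in fields(store)
                if getattr(store, f.name) in ("", None)]
    if store.type.upper() == "LDAP":
        problems.append("plain LDAP sends the bind password and queries unencrypted; use LDAPS")
    elif store.port != 636:
        problems.append(f"LDAPS on port {store.port}: confirm the directory listens there (636 is typical)")
    for name in ("user_base_dn", "group_base_dn", "username"):
        if not is_dn(getattr(store, name)):
            problems.append(f"{name} is not a valid DN (expected e.g. ou=users,dc=example,dc=com)")
    return problems
```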

Configure the identity store using Windows Active Directory users and groups

Update the portal's identity store to use Windows Active Directory users and groups.

  1. Sign in to ArcGIS Enterprise Manager as an administrator.

    The URL is in the format: https://organization.example.com/<context>/manager.

  2. Click Security > Identity Store.
  3. Click Windows under User store.

    For Windows users, you can use the built-in group store or a Windows group store. The settings in the User store and group store configuration section change based on the type of group store selected.

  4. In the User store and group store configuration section, provide the appropriate information for each setting.

    • Username (Required)—A Windows user account that is a member of the domain. This account does not need administrative access.
    • Password (Required)—The password for the Windows user account.
    • Are usernames case sensitive—Yes or No.
    • User first name attribute (Required)—The directory server attribute for a user's first name.
    • User last name attribute (Required)—The directory server attribute for a user's last name.
    • User email attribute (Required)—The directory server attribute for a user's email address.
    • Domain controller (Required)—The host name of the domain controller with which ArcGIS Enterprise communicates to retrieve and query domain users.
    • Domain controller mapping (Optional)—If ArcGIS Enterprise is in an environment with multiple domains in a single forest, the domain controllers from each domain must be specified here. The first value is the domain name, and the second value is the corresponding domain controller host name. To specify multiple domain controller host names for each domain, click Add machine name.

  5. Click Save when you are finished entering the information to configure the identity store.

Additional identity store parameters

Additional identity store configuration parameters can be modified in the ArcGIS Enterprise Administrator Directory. These parameters include whether groups are refreshed automatically when an enterprise user signs in to the portal, the membership refresh interval, and whether multiple user name formats are checked. See Update Configuration (Security) for details.

Sign-in page

When a user accesses the ArcGIS Enterprise sign-in page, they can sign in using either enterprise credentials or built-in credentials. Your organization's users must provide their account credentials each time they sign in to ArcGIS Enterprise; automatic sign-in and single sign-on are not available.

Verify sign in using credentials

  1. Open the ArcGIS Enterprise portal.

    The URL is in the format: https://organization.example.com/<context>/home.

  2. Sign in using your enterprise account credentials.

When using portal-tier authentication, members in your enterprise sign in using the following syntax:

  • If the portal uses Windows Active Directory, the syntax can be domain\username or username@domain. Regardless of how a member signs in, the user name always displays as username@domain in the portal website.
  • If the portal uses LDAP, the syntax can be defined by the administrator. The portal website also displays the account in this format.

Add enterprise accounts to the portal

To add enterprise accounts to your organization, use one of the following methods:

It's recommended that you designate at least one enterprise account as an administrator. To do this, choose the Administrator role when adding the account. When you have an alternate administrator account, you can assign the initial administrator account to the User role or delete the account.

Once the accounts have been added, users can sign in to ArcGIS Enterprise and access content.