Federate a server site

The federation process links an ArcGIS Server site with ArcGIS Enterprise to extend the capabilities of your organization and to automatically share the server site's content with ArcGIS Enterprise.

In ArcGIS Enterprise on Kubernetes, the federation process is optional. It allows you to connect additional server sites that are running on Windows and Linux machines and work with their services in your organization. At this release, you can federate the following types of Windows- and Linux-based servers with ArcGIS Enterprise on Kubernetes:

  • ArcGIS GIS Server
  • ArcGIS Image Server
  • ArcGIS Workflow Manager Server

Dive-in:

ArcGIS Enterprise on Kubernetes has its own services architecture based on Kubernetes pods and includes a hosting server. Once you've deployed ArcGIS Enterprise on Kubernetes, you can immediately begin publishing services, creating hosted layers, and running analysis workflows in Map Viewer.

Services that exist on the ArcGIS Server site at the time of federation are automatically added as items to your organization, as are all services that are published to the server site in the future. These items are owned by the administrator who performs the federation. After federation, the administrator can reassign ownership of these items to existing members. Any subsequent items you publish to the federated server are automatically added as items and are owned by the user who publishes them.

When you federate a server, the portal's security store controls all access to the server. This provides a convenient sign-in experience but also impacts how you access and administer the federated server. For example, when you federate a server, all users, roles, and permissions that you previously configured on ArcGIS Server services are no longer valid. Access to services is instead determined by organization members, roles, and sharing permissions.

The server site you federate should use a CA-signed certificate rather than a self-signed certificate.

Note:

Retired software versions are not guaranteed to be compatible with new versions. When federating supported server sites from earlier versions, the version must be supported pursuant to the product life cycle policy to receive technical support.

Add a server site

To federate a server, complete the following steps:

  1. Ensure that the TLS certificate in the administration URL is trusted by your organization or contains the URL host name.

    When federating an ArcGIS Server site, the TLS certificate used in the administration URL must either be fully trusted by your organization or contain the URL host name as either the common name (CN) or subject alternative name (SAN). If either of these conditions is not met, the federation process will fail.

    An example scenario is an administration URL that uses a wildcard certificate signed by a certificate authority that is not well known, such as a domain CA. Since the URL host name is typically not included as a SAN in a wildcard certificate, your organization must trust the CA that signed the certificate. As a result, the root certificate, and intermediate certificate if it exists, must be imported into your organization before federating.

  2. Sign in to your ArcGIS Enterprise organization as a default administrator or as a member of a custom role with administrative privileges to manage server settings.
  3. Click Organization at the top of the site, and click the Settings tab.
  4. Click Servers on the side of the page.
  5. Click Add server site.
  6. On the Add server site page that appears, provide the following information:
    • Services URL—The URL used by external users when accessing the server site composed of a scheme, host, and single-level context. If you've added ArcGIS Server to your organization's reverse proxy server, the URL is the reverse proxy server address (for example, http://reverseproxy.example.com/myorg). If your organization requires HTTPS for all communication, use https instead of http. The federation operation will perform a validation check to determine whether the provided Services URL value is accessible from the server site. If the resulting validation check fails, a warning is generated in the logs. However, federation will not fail if the Services URL value is not validated, as the URL may not be accessible from the server site, as is the case when the server site is behind a firewall.
    • Administration URL—The URL used for accessing the server site when performing administrative operations on the internal network. The Administration URL value will be represented in the https://server.example.com:6443/arcgis format for GIS, Image, or Workflow Manager Server.
      Note:

      If you federate with a multimachine site or highly available ArcGIS Server, or if your ArcGIS Server site is hosted in a cloud environment, use the load balancer URL in this field instead. The Administration URL value must be a URL that the organization can use to communicate with all servers in the site, even when one of them is unavailable.

    • Username—The username of the primary site administrator account that was used to initially sign in to and administer the server site. If this account is disabled, you must re-enable it.
    • Password—The password of the primary site administrator account.
  7. Click Next to federate the server site.
    Note:

    Federating the server site may take some time to complete.

  8. Optionally, on the Configure server role page, use the Workflow Manager Server toggle button to configure the federated server site with the Workflow Manager server role.

    To configure the server site as a Workflow Manager Server site, it must meet the requirements for the server role. If requirements are not met, click Requirements missing for more information. If you do not want to configure the server role, click Done. You can configure the server role at a later time using the Configure server role option on a federated server site.

  9. Click Save server role.

The server site is federated with your organization. The server site is listed in the Federated server sites section of the Servers page.
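
The certificate rule in step 1 can be checked before you start the federation. The following is an added example, not Esri code: it classifies a certificate's names against the Administration URL host name. It assumes the certificate is available as a dictionary in the shape returned by Python's ssl.SSLSocket.getpeercert(); the function names and sample certificates are constructed for illustration.

```python
from urllib.parse import urlsplit

def cert_names(cert):
    """CN and DNS SAN values from a dict shaped like ssl.SSLSocket.getpeercert()."""
    names = [value.lower()
             for rdn in cert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    names += [value.lower()
              for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names

def wildcard_covers(pattern, host):
    """True if a left-most-label wildcard such as *.example.com matches host."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".example.com"
    label = host[:-len(suffix)]
    return host.endswith(suffix) and label != "" and "." not in label

def precheck(admin_url, cert):
    """Classify the certificate against the two conditions in step 1."""
    host = urlsplit(admin_url).hostname.lower()
    names = cert_names(cert)
    if host in names:
        return "listed"      # host name is literally the CN or a SAN
    if any(wildcard_covers(n, host) for n in names):
        return "wildcard"    # the page's scenario: the signing CA must be trusted
    return "absent"          # host name is not covered by any name in the certificate

# Constructed sample certificates (not taken from any real site).
ADMIN_URL = "https://server.example.com:6443/arcgis"
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
NAMED_CERT = {
    "subject": ((("commonName", "server.example.com"),),),
    "subjectAltName": (("DNS", "server.example.com"), ("DNS", "gis.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("named", NAMED_CERT)):
        print(label, "->", precheck(ADMIN_URL, cert))
```

A result of "wildcard" corresponds to the scenario described in step 1: import the root certificate, and the intermediate certificate if one exists, into your organization before federating.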

Fine-grained access control of federated servers

You can update a federated server to restrict publishing and administrative access. Once updated, all organization administrators will still have administrative privileges on the server. Organization members with publisher privileges will not be granted publishing access to the server by default. Instead, publisher access to the server is controlled by the [federated server name]_Publishers group or the [federated server name]_Publishers item.

Note:

The default group and item names cannot be changed.

To gain publisher privileges to the server, the organization member must be either a member of the [federated server name]_Publishers group or a member of a group that the [federated server name]_Publishers item has been shared with. Additional administrative access to the server is controlled by the [federated server name]_Administrators group or the [federated server name]_Administrators item. An organization member must be either a member of this group or a member of the group that the item has been shared with to gain administrative access to the server.

Fine-grained access control is configured in the ArcGIS Enterprise Administrator API. Once you have federated a server with your organization, complete the steps below to update the server to enable this control.

  1. Sign in to the ArcGIS Enterprise Administrator API as an organization member with administrative privileges.

    The URL is in the format https://organization.example.com/context/admin.

  2. Click Organizations > Organization ID.
  3. Click Federation > Servers and click the server you want to update.
  4. Click Update.
  5. From the Server role drop-down menu, choose Federated Server With Restricted Publishing.
  6. Click Update Server.

    The [federated server name]_Administrators and [federated server name]_Publishers groups, as well as the corresponding items, are included on the My Content page. They are owned by the organization member who updated the server.
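
When reviewing who can reach a restricted server, the indirect path through item sharing is the one that is easy to overlook. The following is an added example, not Esri code and not a call to any ArcGIS API: it applies the group and item rules described above to exported membership data and reports the path that grants each right. The server name "gisserver", the users, the groups and the input structure are all hypothetical.

```python
def effective_access(server, org_admins, groups, item_shares):
    """Map each user to the paths that give publish or admin access to one server.

    groups:      {group name: set of member usernames}
    item_shares: {item name: set of group names the item is shared with}
    """
    report = {}

    def grant(user, right, path):
        report.setdefault(user, {"publish": [], "admin": []})[right].append(path)

    # Organization administrators keep administrative privileges on the server.
    for user in sorted(org_admins):
        grant(user, "admin", "organization administrator")

    for right, suffix in (("publish", "_Publishers"), ("admin", "_Administrators")):
        name = server + suffix
        # Path 1: direct membership of the <server>_Publishers/_Administrators group.
        for user in sorted(groups.get(name, ())):
            grant(user, right, f"member of group {name}")
        # Path 2: membership of any group the same-named item is shared with.
        for shared in sorted(item_shares.get(name, ())):
            for user in sorted(groups.get(shared, ())):
                grant(user, right, f"item {name} shared with group {shared}")
    return report

# Constructed sample data; "gisserver" and all user and group names are hypothetical.
SERVER = "gisserver"
ORG_ADMINS = {"orgadmin"}
GROUPS = {
    "gisserver_Publishers": {"alice"},
    "gisserver_Administrators": {"bob"},
    "Field Crew": {"carol", "dave"},
    "Viewers": {"erin"},
}
ITEM_SHARES = {"gisserver_Publishers": {"Field Crew"}}

if __name__ == "__main__":
    result = effective_access(SERVER, ORG_ADMINS, GROUPS, ITEM_SHARES)
    for user, rights in sorted(result.items()):
        print(user, rights)
```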