The primary factor you should use to determine how you configure security in your ArcGIS Enterprise organization is the source of users and, optionally, groups. This source of users and groups is called your identity store. Users and groups within or outside your organization are managed through the identity store.
- Understand identity stores
- Configure built-in users using the portal's identity store
- Configure organization-specific logins using web-tier authentication
- Configure organization-specific logins using SAML
Understand identity stores
The identity store for your organization defines where the credentials of your portal accounts are stored, how authentication occurs, and how group membership is managed. The ArcGIS Enterprise organization supports two types of identity stores: built-in and organization-specific identity stores.
Built-in identity store
When you create built-in accounts and groups in the organization, you are using the built-in identity store, which performs authentication and stores account usernames, passwords, roles, and group membership. You must use the built-in identity store to create the initial administrator account for your organization, but you can later switch to an organization-specific identity store. The built-in identity store is useful to get your portal up and running, and also for development and testing. However, production environments typically use an organization-specific identity store.
Organization-specific identity store
ArcGIS Enterprise is designed so you can use organization-specific accounts and groups to control access to your ArcGIS organization. This process is described throughout the documentation as setting up organization-specific logins.
The advantage of this approach is that you do not need to create additional accounts in the portal. Members use the login that is already set up in the organization-specific identity store. The management of account credentials, including policies for password complexity and expiration, is completely external to the portal. Authentication can be handled at the portal tier, using portal tier authentication, or through an external identity provider, using SAML.
Similarly, you can also create groups in the portal that link to existing Windows Active Directory, LDAP, or SAML groups in your identity store. This allows the management of group membership to be completely external to the portal. When members sign in to the portal, access to content, items, and data is controlled by the membership rules defined in the Active Directory, LDAP, or SAML group. Also, organization-specific accounts can be added in bulk from the Active Directory, LDAP, or SAML groups in your organization.
For example, a recommended practice is to disable anonymous access to your organization, connect your portal to the desired Active Directory, LDAP, or SAML groups in your organization, and add the organization-specific accounts based on those groups. In this way, you restrict access to the portal based on specific Active Directory, LDAP, or SAML groups in your organization.
Support multiple identity stores
Using SAML 2.0, you can allow access to your portal using multiple identity stores. Users can sign in with built-in accounts and accounts managed in multiple SAML-compliant identity providers configured to trust one another. This is a good way to manage users who may reside within or outside your organization. For details, see Configure a SAML-compliant identity provider with a portal.
Configure built-in users and groups using the portal's identity store
No steps are necessary to configure the portal when using built-in users and groups; the portal is ready for built-in users and groups immediately after installing the software. If you are using organization-specific users, see the following sections and related links for more information.
Configure organization-specific logins
The following organization-specific identity providers can be configured with the portal. Authentication can be handled at the web tier (using ArcGIS Enterprise on Kubernetes Web Adaptor) or at the portal tier.
Web-tier authentication
If your organization has an external identity store configured, you can configure web-tier authentication for the ArcGIS Enterprise on Kubernetes deployment. See Web-tier authentication for information.
Portal-tier authentication
To allow access to the portal using both organization-specific and built-in identity stores without using SAML, you can use portal-tier authentication. This is achieved by configuring the portal with your Active Directory or LDAP identity store. When a user accesses the portal sign-in page, they will be able to sign in using either organization-specific credentials or built-in credentials. Organization-specific users will be required to enter their account credentials each time they sign in to the portal; automatic or single-sign on is not available.
When using portal-tier authentication, members sign in using the following syntax:
- If using the portal with your Active Directory, the syntax can be domain\username or username@domain. Regardless of how the member signs in, the username always displays as username@domain in the portal website.
- If using the portal with LDAP, the syntax can be defined by the administrator. The portal website also displays the account in this format.
Configure organization-specific logins using SAML
The ArcGIS Enterprise portal supports all SAML-compliant identity providers. For more information, see Configure a SAML-compliant identity provider with a portal.
Account lockout policy
Software systems often enforce an account lockout policy to protect against mass automated attempts to guess a user's password. If a user makes a certain number of failed login attempts within a particular time interval, they may be denied further attempts for a designated time period. These policies are balanced against the reality that sometimes users will forget their names and passwords and fail to sign in successfully.
The enforced portal lockout policy depends on which type of identity store you're using:
Built-in identity store
The built-in identity store locks out a user after five consecutive invalid attempts. The lockout lasts for 15 minutes. This policy applies to all accounts in the identity store, including the initial administrator account. This policy cannot be modified or replaced.
Organization-specific identity store
When you use an organization-specific identity store, the account lockout policy is inherited from the store. You may be able to modify the account lockout policy for the store. Consult the documentation specific to the store type to learn how to change the account lockout policy.
Monitor failed login attempts
You can monitor failed login attempts by viewing the organization's logs in ArcGIS Enterprise Manager. Any failed attempts result in a warning-level message stating that the user failed to sign in because of an invalid username or password combination. If the user exceeds the maximum number of login attempts, a severe-level message is logged stating that the account has been locked out. Monitoring the logs for failed login attempts can help you determine whether there is a potential password attack on your system.
For more information, see Work with system logs.