Use LDAP and web-tier authentication

You can secure access to your organization using Lightweight Directory Access Protocol (LDAP). When you use LDAP, logins are managed through your organization's LDAP server.

To use LDAP, you can set up portal-tier authentication or web-tier authentication using ArcGIS Web Adaptor (Java Platform) deployed to a Java application server. You cannot use ArcGIS Web Adaptor (IIS) to perform web-tier authentication with LDAP.

Configure your organization with LDAP

By default, ArcGIS Enterprise enforces HTTPS for all communication. If you have previously changed this option to allow both HTTP and HTTPS communication, you must reconfigure the portal to use HTTPS-only communication by following the steps below.

Configure the organization to use HTTPS for all communication

Complete the following steps to configure the organization to use HTTPS:

  1. Sign in to the organization website as an administrator.

    The URL is in the format https://organization.example.com/<context>/home.

  2. Click Organization and click the Settings tab, and then click Security on the left side of the page.
  3. Enable Allow access to the portal through HTTPS only.

Configure your identity store using LDAP users and groups

Next, update your organization's identity store to use LDAP users and groups.

  1. Sign in to the ArcGIS Enterprise Manager as an administrator of your organization. The URL is in the format https://organization.example.com/<context>/manager.
  2. Click Security > Identity Store.
  3. The options under User store and Group store allow you to select how the users and groups will be managed for your organization.
  4. Select LDAP under the User store. With LDAP users, you can use the built-in group store or an LDAP group store. The input boxes in the User store and group store configuration section will change depending on the type of group store selected.
  5. In the User store and group store configuration, enter the appropriate information in each field. The descriptions of each text box are as follows:

    • Type—LDAP or LDAPS.
    • Hostname (Required)—The name of the host machine on which the LDAP directory is running.
    • Port (Required)—The port number on the host machine where the LDAP directory is listening for incoming connections.
      Note:

      For secure connections, this is typically 636.

    • User Base DN (Required)—The distinguished name (DN) on the node directory server that user information is maintained under, for example: ou=users,dc=example,dc=com.
    • Group base DN (Required)—The distinguished name (DN) on the node directory server that group information is maintained under, for example: ou=groups,dc=example,dc=com.
    • Username (Required)—The distinguished name (DN) of an LDAP user account that has access to the node containing user information. This account does not need administrative access.
    • Password (Required)—The password for the LDAP user account used to access the directory server.
    • LDAP URL for users—The LDAP URL for users who will be used to connect to the LDAP directory.
      Note:
      This is automatically generated but can be changed if needed.
    • LDAP URL for groups—The LDAP URL for groups that will be used to connect to the LDAP directory.
      Note:
      This is automatically generated but can be changed if needed.
    • Are usernames case sensitive?—Yes or No.
    • User first name attribute (Required)—The directory server attribute for a user's first name.
    • User last name attribute (Required)—The directory server attribute for a user's last name.
    • User email attribute (Required)—The directory server attribute for a user's email address.
    • Username attribute (Required)—The directory server attribute for a user's username.
    • User search attribute—This is an optional field and is only required when configuring Enterprise to use web-tier authentication on a Java web adaptor. In some scenarios, the Java web adaptor may return the authenticated username in a format that is different from the expected username specified above. An example of this would be when a Java web adaptor is configured to use client certificate authentication and the user's full distinguished name is returned from the web server, rather than just the username. In this example, the user search attribute would need to be set to distinguishedName.
    • Member attribute (Required)—The directory server attribute for the list of users who are members of a certain group.
    • Group name attribute (Required)—The directory server attribute for a group's name.

  6. Click Save when you are finished entering the information for configuring your identity store.

Add organization-specific accounts

By default, organization-specific users can access the ArcGIS Enterprise organization. However, they can only view items that have been shared with everyone in the organization. This is because the organization-specific accounts have not been added and granted access privileges.

Add accounts to your organization using one of the following methods:

It's recommended that you designate at least one organization-specific account as an administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Once the accounts have been added and you complete the steps below, users can sign in to the organization and access content.

Configure ArcGIS Web Adaptor to use web-tier authentication

Once you've installed and configured ArcGIS Web Adaptor (Java Platform) with your organization following the appropriate installation guide, you must configure your Java application server with two primary tasks:

  1. Integrate with your LDAP identity store. This will allow your Java application server to authenticate users managed in that LDAP store.
  2. Enable a browser-based authentication mechanism, such as form- or dialog-based authentication, for the organization's ArcGIS Web Adaptor context.

For instructions, consult your system administrator, the product documentation for your Java application server, or Esri Professional Services.

Verify you can access the portal using LDAP

  1. Open the portal.

    The URL is in the format https://organization.example.com/<context>/home.

  2. Verify that you are prompted for your LDAP account credentials. If you do not see this behavior, verify the LDAP account you used to sign in to the machine was added to the portal.

Prevent users from creating their own built-in accounts

You can prevent users from creating their own built-in accounts by disabling the ability for users to create built-in accounts in the organization settings.