WebOffice with ArcGIS Enterprise and SSO authentication
This How To chapter describes the use of WebOffice 10.9 R4 with ArcGIS Enterprise (Portal for ArcGIS) in a federated server scenario with a Single Sign On (SSO) authentication.
•For the use of WebOffice 10.9 R4 with ArcGIS Enterprise in federated server operation, ArcGIS version 10.6 is recommended.
•This chapter is based on an already installed and configured federated server scenario with Integrated Windows Authentication.
•When using Integrated Windows Authentication (IWA) at the same time, only one WebOffice application may be set up within a Tomcat environment.
•More information on this topic can be found in the ArcGIS online help in the chapter Integrate your server with ArcGIS Enterprise.
•For more information about the authentication type Single Sign On in WebOffice user management, see the chapter Authentication type SSO.
In this case, the following initial scenario must be given for a correct configuration:
•WebOffice 10.9 R4 with ArcGIS Enterprise in federated server operation (i.e. a server site has been added to Portal for ArcGIS)
▪See Section 1
•The federated server is configured with the Active Directory (AD)-Identity Store (i.e. users and groups come from the Microsoft Windows Active Directory).
•More information about Microsoft Windows Active Directory can be found here.
•Also see chapter How to readout Attributes from MS AD.
•ArcGIS Web Adaptor for IIS (Portal): Portal with Integrated Windows Authentication is activated.
▪See Section 2
•Optionally: Automatic portal user creation is activated (i.e. when the portal page is called for the first time, the portal account is automatically read and created from the Active Directory Identity Store due to the integrated Windows Authentication)
▪See Section 3
•The corresponding security certificates from the portal server must be imported into the Java Truststore, ArcGIS Server Truststore (Server Admin Directory) and Portal Truststore (Portal Admin Directory) on the server where the WebOffice 10.9 R4 application is located.
For step-by-step instructions on adding certificates, see chapter Import of SSL/TLS-Certificates.
•The map services are hosted on a federated server
•The map services (if they are secured services) are only accessible to registered portal users of the federated server (provided that the user is a member of a portal group that is authorized to use the map services).
•When using Integrated Windows Authentication (IWA) at the same time, only one WebOffice application may be set up within a Tomcat environment.
Schema of using a WebOffice application with ArcGIS Enterprise and SSO authentication to Portal for ArcGIS and WebOffice
The following steps must be carried out in this scenario to ensure a functioning operation with Single Sign On authentication of WebOffice with ArcGIS Enterprise (Portal for ArcGIS):
1. ArcGIS Enterprise as a Federated Server
When you add a server site to your portal, the server connects to the portal. A server that has been added to your portal is called a federated server.
More information on setup and configuration can be found in the ArcGIS online help in the chapter Federate an ArcGIS Server site with your portal.
In this example, a server site has been added to Portal for ArcGIS as a federated server.
General settings in Portal for ArcGIS - Federated server
2. Configuration of Integrated Windows Authentication in the Internet Information Services (IIS) Manager
Access to the portal can be secured using Integrated Windows Authentication (IWA). When using IWA, logon names are managed via Microsoft Windows Active Directory. Users do not have to log in and out of the portal website. Instead, users are logged on to the portal with the same account they use to log on to Windows.
To use the Integrated Windows Authentication, you must use ArcGIS Web Adaptor (IIS) provided for the Microsoft IIS web server.
For the Portal Web Adaptor for IIS, Integrated Windows Authentication is enabled in IIS Manager on the federated server. This is necessary for Single Sign On authentication.
More details about the configuration can be found in the ArcGIS online help in the chapters Configure web-tier authentication with Integrated Windows Authentication and PKI.
In IIS Manager, Windows authentication must be enabled for the Portal Web Adaptor.
Portal Web Adaptor in IIS Manager: Windows authentication enabled
When using IWA, Apache Tomcat must run under a domain user. This user must be a member of the organization in the portal and must have the role type Administrator. The content that Tomcat/WebOffice accesses in the portal must be shared with this user. Here, only the map service that is used as the main map service in the WebOffice 10.9 R4 project is necessary; this service is required for initializing the WebOffice 10.9 R4 project. A possible implementation so that the main map service does not have to be shared with the entire organization:
•Set up a new group WebOffice Application and assign the Tomcat user to this group.
•Share the main map service with this group.
•When using the Authentication Type NTLM scenario, note that the Tomcat user must also be entered in the List of ArcGIS Server Publisher Users.
•When using Integrated Windows Authentication (IWA) at the same time, only one WebOffice application may be set up within a Tomcat environment.
3. Activate user once on the Portal or creating new users on the Portal
For this step it is necessary to configure the portal for Windows Active Directory. These steps must be configured on the portal admin page of your portal; the URL has the format https://webadaptorhost.domain.com/portal/portaladmin/. Here you must add the Windows Active Directory user configuration information of your organization (in JSON format).
More details can be found in the ArcGIS online manual in chapter Use Integrated Windows Authentication with your portal.
Open your portal website. The URL has the format https://webadaptorhost.domain.com/webadaptorname/home.
After accessing the URL, check whether you are prompted to enter your ArcGIS Enterprise account credentials or whether you are automatically logged in. If you are not logged on automatically, verify that the Windows account that you used to log on to the computer has been added to the portal.
Integrated Windows Authentication (IWA) automatically creates a user account in the portal the first time the user calls the portal URL. The prerequisite is that you manage members via the enterprise identity store of your organization and the user is a member of your organization.
User is activated once and automatically on the portal website (example: SynerGIS Portal)
4. Further settings in the Portal for ArcGIS
The map services you want to consume must be hosted on the federated server.
More information on this topic can be found in the ArcGIS online manual in the section Register Services.
The logged-in user must be a member of the group in the portal that is authorized to consume the corresponding map services.
More information on this topic can be found in the ArcGIS online manual in the section What is a group? The groups in the portal can also be linked to groups from Windows AD; for more details, see Link enterprise groups from an IDP.
Group content that is visible to the logged on portal user
To check your permissions, open the URL of the rest interface in the browser. The URL has the format https://webadaptorhost.domain.com/webadaptorname/rest/services.
If your user account was successfully created in the portal using Integrated Windows Authentication, and if you are a member of a group that contains map services hosted on the federated server, you should be logged on automatically after the URL is called, and the services for which your user is authorized are listed:
Calling the services via the REST interface to check authorizations
Adding a new application
Next, a new application (Web Map Application) must be created in the portal for your WebOffice 10.9 R4 application.
This portal app will later control automatic user authentication in the background when calling the WebOffice 10.9 R4 project that consumes map services from the federated server. This allows a user to call a WebOffice 10.9 R4 project without having to specify a specific service user plus password for the map services from the federated server in the WebOffice 10.9 R4 project configuration.
If the user does not have a portal account or is not a member of any portal group, an error message will appear after the WebOffice 10.9 R4 project is called because the user has no permission for the map services from the federated server.
More information on this topic can be found in the ArcGIS Online Manual in the Add apps section of the chapter Add items.
To begin, check that you are logged in and have permissions to create content.
In My Content, click Add Item, and then click An Application.
Adding a new application in the portal
Add an application - configuration
The following table lists the parameters that you must select or assign for this necessary configuration, as shown in the previous graphic.
Parameter | Description
---|---
Type | Web Mapping (a web app created using a web API such as JavaScript)
Purpose | Configurable (fully functional app that can be provided by configuring a file)
API | Choose "Other"
URL | URL to your WebOffice application
Title | Enter a title (e.g. the name of your WebOffice application)
Tags | Enter tags describing the item; separate terms with commas
Click Add Item.
After you have added your application, the page of the newly created application with the Overview and Settings areas opens automatically.
Registration of the application
The next step is to register the newly created application. To do this, switch to the Settings tab for the General Settings of the Web Mapping Application.
Click on the "Settings" tab
At the bottom of this page is the App Registration section. Click Register to register the application.
Scroll to the App Registration section and click "Register"
The App Type is Browser and the Redirect URI must be the URL of the WebOffice 10.9 R4 application.
Specify the address in the format https://<server>/<WebOffice-Application>.
Redirection URIs are valid addresses to which users of your app can be redirected after they have successfully logged in.
Then click on Add and Register.
Registering the application with redirection URI to your Weboffice Application
Displaying App Registration Information
The App Registration section now lists parameters required to configure authentication in the WebOffice 10.9 R4 Application Configuration.
You can display the following details:
•App ID
•App Secret
•App Type
•Redirect URI's
To update the Redirect URIs, click Update.
Click Show Secret. The App Secret and the App ID are then copied and pasted into the WebOffice 10.9 R4 application configuration.
View app registration information
Your portal application with redirection to your WebOffice 10.9 R4 application is successfully created and registered. Continue for the next steps in WebOffice author.
5. Adjustments in the WebOffice Application Configuration
Open the Application Configuration in WebOffice author.
First, the account of the portal user that is also the Tomcat domain user (role type Administrator) must be added to the List of ArcGIS Server Publisher Users, and the server URL of the portal page must be entered.
More information on this topic can be found in the ArcGIS online help in the chapter About the initial administrator account.
In a federated server scenario, the parameter federated server = true must be enabled for the ArcGIS Server Publisher User in the application configuration.
Configuration in the Application Configuration - Add portal administrator to the List of ArcGIS Server Users
A new subnode must be configured at the WebOffice node: List of ArcGIS-Enterprise OAuth Authorization bindings
OAuth 2.0 (Open Authorization) is an open protocol that allows standardized, secure API authorization for desktop, web and mobile applications.
More information about OAuth 2.0 can be found on the website.
The parameters of this subnode must be filled with the information of the Web Mapping Application previously created in the portal.
The Web Adaptor URL of the token service endpoint and the authentication service endpoint is the Web Adaptor URL of the configured portal website, e.g. https://webadaptorhost.domain.com/portal/sharing/oauth2/token and https://webadaptorhost.domain.com/portal/sharing/oauth2/authorize.
Configuration in the Application configuration - Authentication type OAuth2
If the OAuth2 redirect URL does not match the base URLs of the token service endpoint and authentication service endpoint, a corresponding message is written to the WebOffice log file. However, this does not affect the operation of the WebOffice 10.9 R4 application.
Note that the OAuth2 token service endpoint must be the token service URL shown in the Info section of the ArcGIS Server REST interface (example URL: https://myserver.domain.com/arcgis/rest/info).
Entering the correct token service URL as the OAuth2 token service endpoint
Then save the WebOffice 10.9 R4 Application Configuration and reload the WebOffice 10.9 R4 application.
For more details, see chapter List of ArcGIS-Enterprise OAuth Authorization bindings.
6. Adjustments in the WebOffice Project Configuration
In the respective project configurations, the ArcGIS server map service connections in the Map Collection must be adapted accordingly to the https URL of the ArcGIS federated server.
In an ArcGIS federated server scenario, it is not possible to use the WebOffice author standalone in a WebOffice 10.9 R4 project configuration to assign user credentials for an ArcGIS Server map service connection.
The base URL to the ArcGIS federated server, which was previously defined in the List of ArcGIS Server Publisher Users in the WebOffice application configuration, must be identical to the server URL in the ArcGIS Server Map Service of the Map Collection (case sensitive).
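As an added example (not part of the WebOffice documentation or product), a small Python check of the two consistency rules from sections 5 and 6: the OAuth2 redirect URL sharing the base URL of the token and authorize endpoints, and every Map Collection service URL matching the Publisher User's federated server URL case-sensitively. All URLs, including the `/server` path of the federated server, are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample values that mirror the placeholders used in this How-To;
# they are not taken from a real deployment.
OAUTH_BINDING = {
    "token_endpoint": "https://webadaptorhost.domain.com/portal/sharing/oauth2/token",
    "authorize_endpoint": "https://webadaptorhost.domain.com/portal/sharing/oauth2/authorize",
    "redirect_url": "https://webadaptorhost.domain.com/WebOffice",
}
# Hypothetical base URL of the federated server as entered for the Publisher User.
PUBLISHER_USER_BASE_URL = "https://webadaptorhost.domain.com/server"
# Constructed Map Collection connections; the 2nd and 3rd are deliberately wrong.
MAP_SERVICE_URLS = [
    "https://webadaptorhost.domain.com/server/rest/services/Basemap/MapServer",
    "https://WebAdaptorHost.domain.com/server/rest/services/Parcels/MapServer",  # host case differs
    "http://webadaptorhost.domain.com/server/rest/services/Roads/MapServer",  # http instead of https
]

def base_url(url):
    """Return scheme://host[:port] of a URL, e.g. 'https://host:7443'."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def check_oauth_binding(binding):
    """Return a list of warnings for the OAuth Authorization binding.

    All three URLs should be https, and the redirect URL should share the
    base URL of the token and authorize endpoints (WebOffice only logs a
    message when it does not, so this is a warning rather than an error).
    """
    warnings = []
    for key in ("token_endpoint", "authorize_endpoint", "redirect_url"):
        if urlsplit(binding[key]).scheme != "https":
            warnings.append(f"{key} is not https: {binding[key]}")
    bases = {base_url(binding[k]) for k in ("token_endpoint", "authorize_endpoint")}
    if len(bases) != 1:
        warnings.append(f"token and authorize endpoints differ in base URL: {sorted(bases)}")
    if base_url(binding["redirect_url"]) not in bases:
        warnings.append(f"redirect URL base {base_url(binding['redirect_url'])} "
                        f"does not match endpoint base {sorted(bases)}")
    return warnings

def check_map_services(publisher_base_url, service_urls):
    """Return the Map Collection URLs that do not start with the Publisher
    User's federated server URL; the match is case-sensitive and exact."""
    prefix = publisher_base_url.rstrip("/") + "/"
    return [u for u in service_urls if not u.startswith(prefix)]

if __name__ == "__main__":
    for w in check_oauth_binding(OAUTH_BINDING):
        print("WARNING:", w)
    for u in check_map_services(PUBLISHER_USER_BASE_URL, MAP_SERVICE_URLS):
        print("MISMATCH:", u)
```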
The necessary configurations are now completed.
7. Usage
After the configuration, the setup is tested by calling a WebOffice project that consumes map services from a federated server.
If the WebOffice 10.9 R4 project is called in the browser, the following authorization message appears in the browser:
Authorization message when calling up the WebOffice project
This must be approved in order to access the map services from the federated server and thus open the WebOffice 10.9 R4 project.
8. Adding the app to the App Launcher
If you want to hide this request message for authorization, proceed as follows:
•In portal, the Web App must be added to the App Launcher
More information on this topic can be found in the ArcGIS online help in the chapter Manage Apps in the app launcher.
•As a result, members from the portal are no longer prompted for approval in the dialog box when a WebOffice 10.9 R4 project is started.
In your portal, open Organization > Edit Settings > General.
Navigate to the app launcher section on the page and click Add App.
App to WebOffice application must be added to the app launcher
Select the app to your WebOffice application you just created from the Select App drop-down list on the Registered App tab. This list shows only apps currently registered in the portal.
Selection of your registered app
Enter a label for the app and click Next. The App Launcher shows an icon to display the respective app. Set the display to a maximum of four characters or upload a graphic to display the app.
For the apps added here, members are no longer shown the Request Permissions dialog box.
The apps added are displayed to members with access to the app element in the app launcher on the portal page.
Apps in the app launcher of the portal page
With this configuration, the Portal App launcher automatically redirects to the registered WebOffice 10.9 R4 application when a project call is made.
•Click on the app in the app launcher to redirect to the WebOffice 10.9 R4 Landing Page, where the WebOffice 10.9 R4 project can be started
•If the URL for the WebOffice 10.9 R4 project is entered directly in the browser, the WebOffice 10.9 R4 project is opened directly.
•In both cases, the dialog box is suppressed and the approval for the user happens automatically in the background.
Click on the app in the app launcher - Redirection to the landing page
The WebOffice project could be called successfully for the user
Conclusion:
The WebOffice 10.9 R4 project consumes map services hosted on a federated server without a service user and password configured in the WebOffice 10.9 R4 project configuration for the corresponding map services.
Thanks to Integrated Windows Authentication and the corresponding configurations in Portal for ArcGIS and the WebOffice 10.9 R4 Application Configuration, a user (provided he is a member of the Windows Active Directory and of Portal for ArcGIS and has the corresponding group permissions) can access the WebOffice 10.9 R4 project without license violations and without intermediate login pages, and can consume the map services made available through the portal group in the WebOffice 10.9 R4 project.