WebOffice with ArcGIS Enterprise and SSO authentication

This How To chapter describes the use of WebOffice 10.9 R4 with ArcGIS Enterprise (Portal for ArcGIS) in a federated server scenario with a Single Sign On (SSO) authentication.

Note:

For the use of WebOffice 10.9 R4 with ArcGIS Enterprise in federated server operation, ArcGIS version 10.6 is recommended.

This chapter is based on an already installed and configured federated server scenario with integrated Windows authentication.

When using Integrated Windows Authentication (IWA) at the same time, only one WebOffice application may be set up within a Tomcat environment.

Cross-reference:

More information on this topic can be found in the ArcGIS online help in the chapter Integrate your server with ArcGIS Enterprise.

For more information about the authentication type Single Sign On in WebOffice usermanagement, see the chapter Authentication type SSO.

For a correct configuration, the following initial scenario must be in place:

WebOffice 10.9 R4 with ArcGIS Enterprise in federated server operation (i.e. a server site has been added to Portal for ArcGIS)

See Section 1

The federated server is configured with the Active Directory (AD)-Identity Store (i.e. users and groups come from the Microsoft Windows Active Directory).

Cross-reference:

More information about Microsoft Windows Active Directory can be found here.

Also see chapter How to readout Attributes from MS AD.

ArcGIS Web Adaptor for IIS (Portal): Portal with Integrated Windows Authentication is activated.

See Section 2

Optionally: Automatic portal user creation is activated (i.e. when the portal page is called for the first time, the portal account is automatically read and created from the Active Directory Identity Store due to the integrated Windows Authentication)

See Section 3

Note:

The corresponding security certificates from the portal server must be imported into the Java Truststore, ArcGIS Server Truststore (Server Admin Directory) and Portal Truststore (Portal Admin Directory) on the server where the WebOffice 10.9 R4 application is located.

Cross-reference:

For step-by-step instructions on adding certificates, see chapter Import of SSL/TLS-Certificates.

The map services are hosted on the federated server.

The map services (if they are secured services) are only accessible to registered portal users of the federated server (provided that the user is a member of a portal group that is authorized to use the map services).

Schema of using a WebOffice application with ArcGIS Enterprise and SSO authentication to Portal for ArcGIS and WebOffice

The following steps must be carried out in this scenario to ensure a functioning operation with Single Sign On authentication of WebOffice with ArcGIS Enterprise (Portal for ArcGIS):

1. ArcGIS Enterprise as a Federated Server

When you add a server site to your portal, the server connects to the portal. A server that has been added to your portal is called a federated server.

Cross-reference:

More information on setup and configuration can be found in the ArcGIS online help in the chapter Federate an ArcGIS Server site with your portal.

In this example, a server site has been added to Portal for ArcGIS as a federated server.

General settings in Portal for ArcGIS - Federated server

2. Configuration of Integrated Windows Authentication in the Internet Information Services (IIS) Manager

Access to the portal can be secured using Integrated Windows Authentication (IWA). When using IWA, logon names are managed via Microsoft Windows Active Directory. Users do not have to log in and out of the portal website. Instead, users are logged on to the portal with the same account they use to log on to Windows.

To use the Integrated Windows Authentication, you must use ArcGIS Web Adaptor (IIS) provided for the Microsoft IIS web server.

For the Portal Web Adaptor for IIS, Integrated Windows Authentication is enabled in IIS Manager on the federated server. This is necessary for Single Sign On authentication.

Cross-reference:

More details about the configuration can be found in the ArcGIS online help in the chapters

Configure web-tier authentication with Integrated Windows Authentication and PKI

Use Integrated Windows Authentication with your portal

In IIS Manager, Windows authentication must be enabled for the Portal Web Adaptor.

Portal Web Adaptor in IIS Manager: Windows authentication enabled

Note:

When using IWA, Apache Tomcat must run under a domain user.

This user must be a member of the organization in the portal and must have the role type administrator.

The content that Tomcat/WebOffice accesses in the portal must be shared with this user. Here, only the map service that is used as the main map service in the WebOffice 10.9 R4 project is necessary. This service is required for initializing the WebOffice 10.9 R4 project.

Possible exemplary realization so that the main map service does not have to be shared with the entire organization:

Set up a new group WebOffice Application and assign the Tomcat user to this group.

Share the main map service with this group.

When using the Authentication Type NTLM scenario, note that the Tomcat user must also be entered in the List of ArcGIS Server Publisher Users.

When using Integrated Windows Authentication (IWA) at the same time, only one WebOffice application may be set up within a Tomcat environment.

3. Activating a user once on the Portal or creating new users on the Portal

Note:

For this step it is necessary to configure the portal for Windows Active Directory. These steps must be configured on the portal admin page of your portal; the URL has the format https://webadaptorhost.domain.com/portal/portaladmin/. Here you must add the Windows Active Directory user configuration information of your organization (in JSON format).

Cross-reference:

More details can be found in the ArcGIS online manual in chapter Use Integrated Windows Authentication with your portal.

Open your portal website. The URL has the format https://webadaptorhost.domain.com/webadaptorname/home.

After accessing the URL, check whether you are prompted to enter your ArcGIS Enterprise account credentials or whether you are automatically logged in. If you are not logged on automatically, verify that the Windows account that you used to log on to the computer has been added to the portal.

Integrated Windows Authentication (IWA) automatically creates a user account in the portal the first time the user calls the portal URL. The prerequisite is that you manage members via the enterprise identity store of your organization and the user is a member of your organization.

User is activated once and automatically on the portal website (example: SynerGIS Portal)

4. Further settings in the Portal for ArcGIS

The map services you want to consume must be hosted on the federated server.

Cross-reference:

More information on this topic can be found in the ArcGIS online manual in the section Register Services.

The logged-in user must be a member of the group in the portal that is authorized to consume the corresponding map services.

Cross-reference:

More information on this topic can be found in the ArcGIS online manual in the section What is a group? The groups in the portal can also be linked to groups from Windows AD; for more details, see Link enterprise groups from an IDP.

Group content that is visible to the logged on portal user

To check your permissions, open the URL of the REST interface in the browser. The URL has the format https://webadaptorhost.domain.com/webadaptorname/rest/services.

If your user account was successfully created in the portal using Integrated Windows Authentication, and if you are a member of a group that contains map services hosted on the federated server, you should be logged on automatically after the URL is called, and the services for which your user is authorized are listed:

Calling the services via the REST interface to check authorizations

Adding a new application

Next, a new application (Web Map Application) must be created in the portal for your WebOffice 10.9 R4 application.

This portal app will later control automatic user authentication in the background when calling the WebOffice 10.9 R4 project that consumes map services from the federated server. This allows a user to call a WebOffice 10.9 R4 project without having to specify a specific service user plus password for the map services from the federated server in the WebOffice 10.9 R4 project configuration.

Note:

If the user does not have a portal account or is not a member of any portal group, an error message will appear after the WebOffice 10.9 R4 project is called because the user has no permission for the map services from the federated server.

Cross-reference:

More information on this topic can be found in the ArcGIS Online Manual in the Add apps section of the chapter Add items.

To begin, check that you are logged in and have permissions to create content.

In My Content, click Add Item, and then click An Application.

Adding a new application in the portal

Add an application - configuration

The following table lists the parameters that you must select or assign for this necessary configuration, as shown in the previous graphic.

Parameter - Description

Type - Web Mapping (A Web App created using a web API such as JavaScript)

Purpose - Configurable (Fully functional app that can be provided by configuring a file)

API - Choose "Other"

URL - URL to your WebOffice Application

Title - Enter a title (e.g. the name of your WebOffice application)

Tags - Enter tags describing the element. Separate terms with commas

Click Add Item.

After you have added your application, the page of the newly created application with the Overview and Settings areas opens automatically.

Registration of the application

The next step is to register the newly created application. To do this, switch to the Settings tab for the General Settings of the Web Mapping Application.

Click on the "Settings" tab

At the bottom of this page is the App Registration section. Click Register to register the application.

Scroll to the App Registration section and click "Register"

The App Type is Browser and the Redirect URI must be the URL of the WebOffice 10.9 R4 application.

Specify the address in the format https://<server>/<WebOffice-Application>.

Note:

Redirection URIs are valid addresses to which users of your app can be redirected after they have successfully logged in.

Then click on Add and Register.

Registering the application with redirection URI to your WebOffice Application

Displaying App Registration Information

The App Registration section now lists parameters required to configure authentication in the WebOffice 10.9 R4 Application Configuration.

You can display the following details:

App ID

App Secret

App Type

Redirect URIs

Note:

To update the Redirect URIs, click Update.

Click Show Secret. This secret and the App ID are then copied and pasted into the WebOffice 10.9 R4 application configuration. The App Secret is the credential of your portal application, so treat it like a password.

View app registration information

Your portal application with redirection to your WebOffice 10.9 R4 application is successfully created and registered. Continue with the next steps in WebOffice author.

5. Adjustments in the WebOffice Application Configuration

Open the Application Configuration in WebOffice author.

First, add the user account of the portal user (the Tomcat domain user) with role type administrator to the List of ArcGIS for Server Publisher Users, and enter the server URL to the portal page.

Cross-reference:

More information on this topic can be found in the ArcGIS online help in the chapter About the initial administrator account.

Note:

In a federated server scenario, the parameter federated server = true must be enabled for the ArcGIS Server Publisher User in the application configuration.

Configuration in the Application Configuration - Add portal administrator to the List of ArcGIS Server Users

A new subnode must be configured at the WebOffice node: List of ArcGIS-Enterprise OAuth Authorization bindings.

Note:

OAuth 2.0 (Open Authorization) is an open protocol that allows standardized, secure API authorization for desktop, web and mobile applications.

Cross-reference:

More information about OAuth 2.0 can be found on the Website.

The parameters of this subnode must be filled with the information of the Web Mapping Application previously created in the portal.

Note:

The Web Adaptor URL of the token service endpoint and of the authentication service endpoint is the Web Adaptor URL of the configured portal website, e.g.:

Configuration in the Application configuration - Authentication type OAuth2

Note:

If the OAuth2 redirect URL does not match the base URLs of the token service endpoint and authentication service endpoint, a corresponding message is shown in the WebOffice log file. However, this configuration does not affect the WebOffice 10.9 R4 application.

Note that the OAuth2 token service endpoint must be the token service URL that the ArcGIS Server REST interface shows in its Info section (example URL: https://myserver.domain.com/arcgis/rest/info).

Entering the correct token service URL as the OAuth2 token service endpoint

Then save the WebOffice 10.9 R4 Application Configuration and reload the WebOffice 10.9 R4 application.

Cross-reference:

For more details, see chapter List of ArcGIS-Enterprise OAuth Authorization bindings.

6. Adjustments in the WebOffice Project Configuration

In the respective project configurations, the ArcGIS Server map service connections in the Map Collection must be adapted accordingly to the https URL of the ArcGIS federated server.

In an ArcGIS federated server scenario, it is not possible to use the WebOffice author standalone in a WebOffice 10.9 R4 project configuration to assign user credentials for an ArcGIS Server map service connection.

Note:

In a federated server scenario, the parameter federated server = true must be enabled for the ArcGIS Server Publisher User in the application configuration.

Cross-reference:

The base URL to the ArcGIS federated server, which was previously defined in the List of ArcGIS Server Publisher Users in the WebOffice application configuration, must be identical to the server URL in the ArcGIS Server Map Service of the Map Collection (case sensitive).
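The URL rules of step 5 (the OAuth2 token service endpoint must be the token service URL from rest/info, and token, authentication and redirect URLs must share the portal Web Adaptor base) and the case-sensitive server URL rule above can be checked with a script before the configuration is saved. The following Python script is an added example for this chapter, not WebOffice or Esri code; the rest/info document, the binding values and the dictionary keys are constructed for the example, and the oauth2/authorize path is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the JSON that https://myserver.domain.com/arcgis/rest/info?f=json
# returns for a federated server (ArcGIS REST API shape; host names are made up).
SAMPLE_REST_INFO = json.dumps({
    "owningSystemUrl": "https://webadaptorhost.domain.com/portal",
    "authInfo": {
        "isTokenBasedSecurity": True,
        "tokenServicesUrl": "https://webadaptorhost.domain.com/portal/sharing/rest/generateToken",
    },
})

# Constructed values as they would be typed into the OAuth Authorization binding.
# The dict keys and the oauth2/authorize path are assumptions of this example.
CONSTRUCTED_BINDING = {
    "oauth2_token_service_endpoint": "https://webadaptorhost.domain.com/portal/sharing/rest/generateToken",
    "oauth2_authentication_service_endpoint": "https://webadaptorhost.domain.com/portal/sharing/rest/oauth2/authorize",
    "oauth2_redirect_url": "https://webadaptorhost.domain.com/WebOffice",
}


def token_services_url(rest_info_json):
    """authInfo.tokenServicesUrl from rest/info, or None without token-based security."""
    auth = json.loads(rest_info_json).get("authInfo", {})
    return auth.get("tokenServicesUrl") if auth.get("isTokenBasedSecurity") else None


def web_adaptor_base(url):
    """scheme://host/<first path segment>, i.e. the Web Adaptor URL of the portal."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    return f"{parts.scheme}://{parts.netloc}/{segments[0] if segments else ''}"


def check_oauth_binding(binding, rest_info_json):
    """Step 5 checks; returns a list of findings, empty when the binding is consistent."""
    expected = token_services_url(rest_info_json)
    if expected is None:
        return ["rest/info reports no token-based security: is the server federated?"]
    token_ep = binding["oauth2_token_service_endpoint"]
    auth_ep = binding["oauth2_authentication_service_endpoint"]
    redirect = binding["oauth2_redirect_url"]
    findings = []
    if token_ep != expected:  # must be exactly what the REST Info section shows
        findings.append(f"token service endpoint must be {expected} (from rest/info)")
    if web_adaptor_base(auth_ep) != web_adaptor_base(token_ep):
        findings.append("authentication service endpoint is not under the same portal web adaptor URL as the token service endpoint")
    if urlsplit(redirect)[:2] != urlsplit(token_ep)[:2]:  # compare scheme and host only
        findings.append("info: redirect URL host differs from the endpoints (WebOffice only logs this)")
    for label, url in (("token service endpoint", token_ep), ("authentication service endpoint", auth_ep), ("redirect URL", redirect)):
        if urlsplit(url).scheme != "https":
            findings.append(f"{label} must use https")
    return findings


def map_service_matches_publisher(publisher_server_url, map_service_url):
    """Step 6: the Map Collection service URL must start with the publisher user's base URL, letter case included."""
    return map_service_url.startswith(publisher_server_url.rstrip("/") + "/")
```

Run `check_oauth_binding` with the values from your own binding and the real rest/info response; a non-empty list names the field to correct.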

 

The necessary configurations are now completed.

7. Usage

After configuration, test the setup by calling up a WebOffice project that consumes map services from a federated server.

When the WebOffice 10.9 R4 project is called in the browser, the following authorization message appears:

Authorization message when calling up the WebOffice project

This must be approved in order to access the map services from the federated server and thus open the WebOffice 10.9 R4 project.

8. Adding the app to the App Launcher

If you want to hide this request message for authorization, proceed as follows:

In portal, the Web App must be added to the App Launcher.

Cross-reference:

More information on this topic can be found in the ArcGIS online help in the chapter Manage Apps in the app launcher.

As a result, members from the portal are no longer prompted for approval in the dialog box when a WebOffice 10.9 R4 project is started.

In your portal, open Organization > Edit Settings > General.

Navigate to the app launcher section on the page and click Add App.

App to WebOffice application must be added to the app launcher

Select the app to your WebOffice application you just created from the Select App drop-down list on the Registered App tab. This list shows only apps currently registered in the portal.

Selection of your registered app

Enter a label for the app and click Next. The App Launcher shows an icon for the app: set the icon text to a maximum of four characters or upload a graphic to display the app.

For the apps added here, members are not prompted with the Request Permissions dialog box.

The apps added are displayed to members with access to the app item in the app launcher on the portal page.

Apps in the app launcher of the portal page

With this configuration, the Portal App launcher automatically redirects to the registered WebOffice 10.9 R4 application when a project call is made.

Click on the app in the app launcher to redirect to the WebOffice 10.9 R4 Landing Page, where the WebOffice 10.9 R4 project can be started.

If the URL for the WebOffice 10.9 R4 project is entered directly in the browser, the WebOffice 10.9 R4 project opens directly.

In both cases, the dialog box is suppressed and the approval for the user happens automatically in the background.

Click on the app in the app launcher - Redirection to the landing page

The WebOffice project could be called successfully for the user

Conclusion:

The WebOffice 10.9 R4 project consumes map services hosted on a federated server without a service user and password configured in the WebOffice 10.9 R4 project configuration for the corresponding map services.

Due to the integrated Windows authentication and the corresponding configurations in Portal for ArcGIS and the WebOffice 10.9 R4 Application Configuration, a user (provided that he is a member of the Windows Active Directory and of Portal for ArcGIS and has the corresponding group permissions) successfully accesses the WebOffice 10.9 R4 project without problems regarding license violation and without further intermediate login pages, and consumes the map services shared by the portal group in the WebOffice 10.9 R4 project.