This "How To" chapter describes the use of WebOffice 10.7 SP1 with ArcGIS Enterprise (Portal for ArcGIS) in a federated server scenario with a Single Sign On (SSO) authentication.
Note: For the use of WebOffice 10.7 SP1 with ArcGIS Enterprise in federated server operation, ArcGIS version 10.6 is recommended.
Note: This chapter is based on an already installed and configured federated server scenario with integrated Windows authentication.
Note: More information on this topic can be found in the ArcGIS online help in the chapter Integrate your server with ArcGIS Enterprise.
Note: For more information about the authentication type Single Sign On in WebOffice usermanagement, see the chapter Authenticationtype SSO.
For a correct configuration, the following starting situation must be in place:
•WebOffice 10.7 SP1 with ArcGIS Enterprise in federated server operation (i.e. a server site has been added to Portal for ArcGIS)
▪See Section 1
•The federated server is configured with the Active Directory (AD)-Identity Store (i.e. users and groups come from the Microsoft Windows Active Directory).
Note: More information about Microsoft Windows Active Directory can be found here.
Note: Also see chapter How to readout Attributes from MS AD.
•ArcGIS Web Adaptor for IIS (Portal): Integrated Windows Authentication is enabled for the portal.
▪See Section 2
•Optionally: Automatic portal user creation is activated (i.e. when the portal page is called for the first time, the portal account is automatically read and created from the Active Directory Identity Store due to the integrated Windows Authentication)
▪See Section 3
•The corresponding security certificates from the portal server must be imported into the Java Truststore, ArcGIS Server Truststore (Server Admin Directory) and Portal Truststore (Portal Admin Directory) on the server where the WebOffice 10.7 SP1 application is located.
Note: For step-by-step instructions on adding certificates, see chapter Import of SSL/TLS-Certificates.
•The map services are hosted on a federated server
•The map services (if they are secured services) are only accessible to registered portal users of the federated server (provided that the user is a member of a portal group that is authorized to use the map services).

Schema of using a WebOffice application with ArcGIS Enterprise and SSO authentication to Portal for ArcGIS and WebOffice
The following steps must be carried out in this scenario to ensure a functioning operation with Single Sign On authentication of WebOffice with ArcGIS Enterprise (Portal for ArcGIS):
When you add a server site to your portal, the server connects to the portal. A server that has been added to your portal is called a federated server.
Note: More information on setup and configuration can be found in the ArcGIS online help in the chapter Federate an ArcGIS Server site with your portal.
In this example, a server site has been added to Portal for ArcGIS as a federated server.

General settings in Portal for ArcGIS - Federated server
Access to the portal can be secured using Integrated Windows Authentication (IWA). When using IWA, logon names are managed via Microsoft Windows Active Directory. Users do not have to log in and out of the portal website. Instead, users are logged on to the portal with the same account they use to log on to Windows.
To use the Integrated Windows Authentication, you must use ArcGIS Web Adaptor (IIS) provided for the Microsoft IIS web server.
For both Web Adaptors for IIS (Portal and ArcGIS Server), Integrated Windows Authentication is enabled on the federated server in IIS Manager. This is required for Single Sign On authentication.

ArcGIS and Portal with integrated Windows authentication: Adapting Web Adapters (IIS)
Note:
When using IWA, Apache Tomcat must run under a domain user.
This user must be a member of the organization in the portal.
The content that Tomcat/WebOffice accesses in the portal must be shared with this user. Here, only the map service that is used as the main map service in the WebOffice 10.7 SP1 project is necessary. This service is required for initializing the WebOffice 10.7 SP1 project.
One possible way to avoid sharing the main map service with the entire organization:
•Create a new group "WebOffice Application" and add the Tomcat user to this group.
•Share the main map service with this group only.
In the Authentication Type NTLM scenario, note that the Tomcat user must also be entered in the List of ArcGIS Server Publisher Users.
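The least-privilege setup described in the note above (Tomcat service account in a dedicated group, main map service shared with that group and nothing wider) can be checked against the portal's sharing information. The following is an added example, not WebOffice or Esri code: the two JSON documents are constructed samples in the shape of the portal sharing API ("sharing" block of /sharing/rest/content/users/<owner>/items/<itemid>?f=json and the member list of /sharing/rest/community/groups/<groupid>/users?f=json); all ids and account names are made up.

```python
"""Audit the sharing of the main map service item against the least-privilege
setup from the text: the Tomcat service account sits in a dedicated portal
group and the main map service is shared only with that group.

Added example, not WebOffice or Esri code. Inputs are constructed samples in
the shape of the portal sharing API; ids and account names are made up.
"""

# "sharing" block of the main map service item (constructed sample).
MAIN_SERVICE_SHARING = {
    "access": "shared",            # private | shared | org | public
    "groups": ["a1b2c3d4e5f60718"],
}

# Members of the "WebOffice Application" group (constructed sample).
WEBOFFICE_GROUP_ID = "a1b2c3d4e5f60718"
WEBOFFICE_GROUP_MEMBERS = {
    "owner": "DOMAIN\\gisadmin",
    "admins": ["DOMAIN\\gisadmin"],
    "users": ["DOMAIN\\svc_tomcat"],
}

TOMCAT_USER = "DOMAIN\\svc_tomcat"   # domain account Tomcat runs under (assumed name)


def audit_main_service_sharing(sharing, group_id, group_members, tomcat_user):
    """Return a list of findings; an empty list means the sharing matches the scenario."""
    findings = []
    access = sharing.get("access")
    groups = list(sharing.get("groups", []))

    # The Tomcat account must reach the service through the group, not through
    # organisation-wide or public sharing.
    if access in ("org", "public"):
        findings.append(f"access is '{access}': the main map service is visible "
                        "beyond the WebOffice group")
    elif access == "private" or not groups:
        findings.append("service is not shared with any group; the Tomcat user "
                        "cannot initialise the WebOffice project")
    if groups and group_id not in groups:
        findings.append("service is shared, but not with the WebOffice group")
    extra = [g for g in groups if g != group_id]
    if extra:
        findings.append(f"service is also shared with other groups: {extra}")

    # The Tomcat account must actually be in the group (owner, admin or member).
    members = {group_members.get("owner")}
    members |= set(group_members.get("admins", []))
    members |= set(group_members.get("users", []))
    if tomcat_user not in members:
        findings.append(f"{tomcat_user} is not a member of the WebOffice group")
    return findings


if __name__ == "__main__":
    result = audit_main_service_sharing(MAIN_SERVICE_SHARING, WEBOFFICE_GROUP_ID,
                                        WEBOFFICE_GROUP_MEMBERS, TOMCAT_USER)
    for line in result or ["OK: main map service is shared only with the WebOffice group"]:
        print(line)
```

In a real audit the two documents would be fetched from the portal with the Tomcat account's own credentials, which also confirms that the account can see the item at all.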
Note: For this step the portal must be configured for Windows Active Directory. This is done on the portal admin page of your portal; the URL has the format https://webadaptorhost.domain.com/portal/portaladmin/. There you add the Windows Active Directory user configuration of your organization (in JSON format). More details can be found in the ArcGIS online manual in chapter Use Integrated Windows Authentication with your portal.
Open your portal website. The URL has the format https://webadaptorhost.domain.com/webadaptorname/home.
After accessing the URL, check whether you are prompted to enter your ArcGIS Enterprise account credentials or whether you are automatically logged in. If you are not logged on automatically, verify that the Windows account that you used to log on to the computer has been added to the portal.
Integrated Windows Authentication (IWA) automatically creates a user account in the portal the first time the user calls the portal URL. The prerequisite is that you manage members via the enterprise identity store of your organization and the user is a member of your organization.

User is activated once and automatically on the portal website (example: SynerGIS Portal)
The map services you want to consume must be hosted on the federated server.
Note: More information on this topic can be found in the ArcGIS online manual in the section Register Services.
The logged-in user must be a member of the group in the portal that is authorized to consume the corresponding map services.
Note: More information on this topic can be found in the ArcGIS online manual in the section What is a group? The groups in the portal can also be linked to groups from Windows AD; for more details, see Link enterprise groups from an IDP.

Group content that is visible to the logged on portal user
To check your permissions, open the URL of the REST interface in the browser. The URL has the format https://webadaptorhost.domain.com/webadaptorname/rest/services.
If your user account was successfully created in the portal using Integrated Windows Authentication, and if you are a member of a group that contains map services hosted on the federated server, you should be logged on automatically after the URL is called, and the services for which your user is authorized are listed:

Calling the services via the REST interface to check authorizations
Adding a new application
Next, a new application (Web Map Application) must be created in the portal for your WebOffice 10.7 SP1 application.
This portal app later controls the automatic user authentication in the background when a WebOffice 10.7 SP1 project that consumes map services from the federated server is opened. A user can thus open a WebOffice 10.7 SP1 project without a dedicated service user and password for the map services of the federated server having to be stored in the WebOffice 10.7 SP1 project configuration.
Note: If the user does not have a portal account or is not a member of any portal group, an error message will appear after the WebOffice 10.7 SP1 project is called because the user has no permission for the map services from the federated server.
Note: More information on this topic can be found in the ArcGIS Online Manual in the Add apps section of the chapter Add items.
To begin, check that you are logged in and have permissions to create content.
In My Content, click Add Item, and then click An Application.

Adding a new application in the portal

Add an application - configuration
The following table lists the parameters that must be selected or filled in for this configuration, as shown in the previous graphic.
Parameter | Description
Type | Web Mapping (a web app created using a web API such as JavaScript)
Purpose | Configurable (fully functional app that can be provided by configuring a file)
API | Choose "Other"
URL | URL of your WebOffice application
Title | Enter a title (e.g. the name of your WebOffice application)
Tags | Enter tags describing the item. Separate terms with commas
Click Add Item.
After you have added your application, the page of the newly created application with the Overview and Settings areas opens automatically.
Registration of the application
The next step is to register the newly created application. To do this, switch to the Settings tab for the General Settings of the Web Mapping Application.

Click on the "Settings" tab
At the bottom of this page is the App Registration section. Click Register to register the application.

Scroll to the App Registration section and click "Register"
The App Type is Browser and the Redirect URI must be the URL of the WebOffice 10.7 SP1 application.
Specify the address in the format https://<server>/<WebOffice-Application>.
Note: Redirection URIs are valid addresses to which users of your app can be redirected after they have successfully logged in.
Then click on Add and Register.

Registering the application with redirection URI to your Weboffice Application
Displaying App Registration Information
The App Registration section now lists parameters required to configure authentication in the WebOffice 10.7 SP1 Application Configuration.
You can display the following details:
•App ID
•App Secret
•App Type
•Redirect URIs
Note: To update the Redirect URIs, click Update.
Click Show Secret: this key and the App ID are then copied into the WebOffice 10.7 SP1 application configuration. The App Secret is a credential equivalent to a password for the registered app; it belongs only in the Application Configuration on the Tomcat server and must not be placed in browser-side code or shared with users.

View app registration information
Your portal application with redirection to your WebOffice 10.7 SP1 application is now created and registered. Continue with the next steps in WebOffice author.
Open the Application Configuration in WebOffice author.
First, add the user account of the initial portal administrator to the List of ArcGIS for Server Publisher Users and enter the URL of the portal page as the server URL.
Note: More information on this topic can be found in the ArcGIS online help in the chapter About the initial administrator account.

Configuration in the Application Configuration - Add portal administrator to the List of ArcGIS Server Users
A new subnode must be configured at the WebOffice node: List of ArcGIS-Enterprise OAuth Authorization bindings
Note: OAuth 2.0 (Open Authorization) is an open protocol that allows standardized, secure API authorization for desktop, web and mobile applications.
Note: More information about OAuth 2.0 can be found on the Website.
The parameters of this subnode must be filled with the information of the Web Mapping Application previously created in the portal.

Configuration in the Application Configuration - Authentication type OAuth2
Note:
The token service endpoint and the authorization service endpoint use the Web Adaptor URL of the configured portal website, e.g.:
https://webadaptorhost.domain.com/portal/sharing/oauth2/token and
https://webadaptorhost.domain.com/portal/sharing/oauth2/authorize.
Then save the WebOffice 10.7 SP1 Application Configuration and reload the WebOffice 10.7 SP1 application.
Note:
For more details, see chapter List of ArcGIS-Enterprise OAuth Authorization bindings.
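The registration step above (App ID, App Secret, Redirect URI) and the two endpoint URLs in the note form one OAuth2 authorization-code flow between WebOffice and the portal. The following is an added example, not WebOffice or Esri code: it models both sides of that exchange in-process, with no network, to show which parameter has to match what and which checks protect the registration (exact redirect-URI match, single-use code bound to client and redirect URI, App Secret only on the token request, per-login state on the client). Endpoint paths and parameter names follow the ArcGIS REST OAuth2 endpoints named in the note; App ID, App Secret, host names and the redirect URI are made-up placeholders.

```python
"""Model of the OAuth2 authorization-code flow between WebOffice (client) and
Portal for ArcGIS (authorization server). Added example, not WebOffice or Esri
code; the portal is simulated in-process and nothing is sent over the network.
App ID, App Secret, host names and the redirect URI are placeholders.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL = "https://webadaptorhost.domain.com/portal"        # assumed portal Web Adaptor URL
AUTHORIZE_URL = PORTAL + "/sharing/oauth2/authorize"
TOKEN_URL = PORTAL + "/sharing/oauth2/token"


class SimulatedPortal:
    """Stand-in for the portal's two OAuth2 endpoints with the checks that
    protect the app registration."""

    def __init__(self, app_id, app_secret, redirect_uris):
        self.app_id, self.app_secret = app_id, app_secret
        self.redirect_uris = set(redirect_uris)   # the "App Registration" list
        self._codes = {}                          # code -> (client_id, redirect_uri)

    def authorize(self, query):
        """GET .../oauth2/authorize?<query>; returns the redirect the browser receives."""
        p = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
        if p.get("client_id") != self.app_id or p.get("response_type") != "code":
            raise PermissionError("unknown client_id or unsupported response_type")
        # Exact string comparison: a URI that only shares the prefix or the host
        # (https://server/app/x, http://server/app) is rejected.
        if p.get("redirect_uri") not in self.redirect_uris:
            raise PermissionError("redirect_uri is not registered for this app")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (p["client_id"], p["redirect_uri"])
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p.get("state", "")})

    def token(self, form):
        """POST .../oauth2/token with the form fields; returns the token JSON."""
        if form.get("grant_type") != "authorization_code":
            raise PermissionError("unsupported grant_type")
        issued = self._codes.pop(form.get("code"), None)   # one-time use
        if issued is None:
            raise PermissionError("invalid, expired or already used code")
        if (form.get("client_id"), form.get("redirect_uri")) != issued:
            raise PermissionError("code was issued to another client or redirect_uri")
        if not hmac.compare_digest(form.get("client_secret", ""), self.app_secret):
            raise PermissionError("client_secret does not match the App Secret")
        return {"access_token": secrets.token_urlsafe(32), "expires_in": 1800,
                "username": "DOMAIN\\jdoe"}                # constructed values


class WebOfficeOAuthBinding:
    """Client side: the values the OAuth Authorization binding in the WebOffice
    Application Configuration holds. The App Secret never leaves the server."""

    def __init__(self, portal, app_id, app_secret, redirect_uri):
        self.portal, self.app_id, self.app_secret = portal, app_id, app_secret
        self.redirect_uri = redirect_uri
        self._pending_state = None

    def login_url(self):
        # A fresh state per login ties the callback to this login attempt.
        self._pending_state = secrets.token_urlsafe(16)
        return AUTHORIZE_URL + "?" + urlencode({
            "client_id": self.app_id, "response_type": "code",
            "redirect_uri": self.redirect_uri, "state": self._pending_state})

    def handle_callback(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
        if not self._pending_state or not hmac.compare_digest(q.get("state", ""), self._pending_state):
            raise PermissionError("state mismatch: callback does not belong to a login we started")
        self._pending_state = None
        return self.portal.token({
            "grant_type": "authorization_code", "client_id": self.app_id,
            "client_secret": self.app_secret, "code": q.get("code", ""),
            "redirect_uri": self.redirect_uri, "f": "json"})


def run_login(portal, binding):
    """One complete login: authorize redirect, browser callback, token exchange."""
    url = binding.login_url()
    callback = portal.authorize(urlsplit(url).query)     # browser follows the redirect
    return binding.handle_callback(callback)


if __name__ == "__main__":
    portal = SimulatedPortal("APPID0001", "app-secret-from-show-secret",
                             ["https://weboffice.domain.com/WebOffice"])
    binding = WebOfficeOAuthBinding(portal, "APPID0001", "app-secret-from-show-secret",
                                    "https://weboffice.domain.com/WebOffice")
    print(run_login(portal, binding))
```

The practical consequence for the configuration: the Redirect URI stored in the App Registration and the one WebOffice sends must be byte-for-byte identical (scheme, host, path, trailing slash), and a change of the WebOffice URL requires an Update of the Redirect URIs in the portal before logins work again.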
In the respective project configurations, the map service connections must be changed to the corresponding https URLs.
The necessary configurations are now complete and testing can continue.
After configuration, test the setup by opening a WebOffice project that consumes map services from the federated server.
When the WebOffice 10.7 SP1 project is opened in the browser, the following authorization message appears:

Authorization message when calling up the WebOffice project
This must be approved in order to access the map services from the federated server and thus open the WebOffice 10.7 SP1 project.
If you want to hide this request message for authorization, proceed as follows:
•In portal, the Web App must be added to the App Launcher
Note: More information on this topic can be found in the ArcGIS online help in the chapter Manage Apps in the app launcher.
•As a result, members from the portal are no longer prompted for approval in the dialog box when a WebOffice 10.7 SP1 project is started.
In your portal, open Organization > Edit Settings > General.
Navigate to the app launcher section on the page and click Add App.

App to WebOffice application must be added to the app launcher
Select the app to your WebOffice application you just created from the Select App drop-down list on the Registered App tab. This list shows only apps currently registered in the portal.

Selection of your registered app
Enter a label for the app and click Next. The app launcher shows an icon for each app: enter a display text of up to four characters or upload a graphic for the app icon.
For apps added here, members are no longer shown the "Request Permissions" dialog box.
The apps added are displayed to members with access to the app element in the app launcher on the portal page.

Apps in the app launcher of the portal page
With this configuration, the Portal App launcher automatically redirects to the registered WebOffice 10.7 SP1 application when a project call is made.
•Click on the app in the app launcher to redirect to the WebOffice 10.7 SP1 Landing Page, where the WebOffice 10.7 SP1 project can be started
•If the URL of the WebOffice 10.7 SP1 project is entered directly in the browser, the WebOffice 10.7 SP1 project is opened directly.
•In both cases, the dialog box is suppressed and the approval for the user happens automatically in the background.

Click on the app in the app launcher - Redirection to the landing page

The WebOffice project could be called successfully for the user
The WebOffice 10.7 SP1 project consumes map services hosted on a federated server without a service user and password configured in the WebOffice 10.7 SP1 project configuration for the corresponding map services.
Thanks to Integrated Windows Authentication and the corresponding configuration in Portal for ArcGIS and in the WebOffice 10.7 SP1 Application Configuration, a user who is a member of the Windows Active Directory and of Portal for ArcGIS and has the required group permissions opens the WebOffice 10.7 SP1 project without license violations and without intermediate login pages, and consumes the map services shared with the portal group in the WebOffice 10.7 SP1 project.