ArcGIS authentication models and providers

ArcGIS is built with, supports, and evolves with standard IT authentication mechanisms, protocols, and technologies to ensure it integrates smoothly with an existing organization’s security policies, practices, and infrastructure. ArcGIS products follow standard authentication practices when accessing secured resources, including file sources, DBMS sources, and web-based sources.  ArcGIS Enterprise and ArcGIS Online both support a built-in user store as well as a variety of enterprise identity providers (IdPs) that IT organizations use and provide, like Microsoft Entra ID, Active Directory or Okta. ArcGIS clients and servers support authentication across every tier in a single or multi-tier architecture, including accessing web services, portals, DBMSs, file stores, data lakes, and other sources. This topic will provide further details on authentication processes and options that are considered during an architecture design process.

Identity providers

ArcGIS supports and promotes single sign-on (SSO) user authentication experiences that rely on an organization’s existing IdP and associated security infrastructure to manage user identities and credentials and authentication mechanisms.  Integrating with IdPs in this way ensures that ArcGIS seamlessly builds on established mission-critical security infrastructure with robust, centralized user provisioning, administration, monitoring, and auditing resources. ArcGIS integrates with an organization’s IdP through widely-accepted authentication patterns, such as SAML, OIDC, IWA/AD, LDAP, or PKI. This integrated approach simplifies the security model and allows ArcGIS to rely on the IdP to directly authenticate users, provide authentication services, manage access (for example, to add or remove privileges or enable or disable accounts), and provide single sign-on (SSO) user experience as well as vulnerability and intrusion prevention resources.

Establishing identity with ArcGIS

When using web-based resources in ArcGIS, a user establishes an identity after they initially authenticate. Identity can be established through the variety of methods, but the general sequence is described as follows:

  1. A user can initiate a login through an ArcGIS sign in dialog or when they are prompted to authentication, for example, when accessing a secured resource.
  2. An ArcGIS sign in prompt may appear as a redirect, popup or embedded content. Available login options for that specific ArcGIS Enterprise deployment or ArcGIS Online organization will be presented, allowing the user to choose an option or instead, present the only available option if only one is enabled. This sign in window and underlying process are based on OAuth standards, and as such, there are also scenarios when a user might be asked to approve access to an external application, as is the case in other OAuth workflows used by other applications or systems.
  3. In most scenarios, a user will choose to login with their SAML or OIDC Identity Provider. In doing so, they will click a button which triggers a login process to that IdP. Each IdP is configured differently and can support a wide variety of authentication patterns. Successful authentication to that IdP will return the user to ArcGIS with either a SAML Assertion or a set of OIDC claims that identifies the user as a valid user from the IDP’s perspective (approved for that application and properly authenticated). At this point, ArcGIS generates an OAuth code and subsequent ArcGIS access token for the user, who can then access the desired applications or services.
  4. Alternatively, the user may choose to login directly with built-in user, AD or LDAP-based account, entering their credentials into the sign in window of the ArcGIS application. Once successfully authenticated, they receive an OAuth code, which is exchanged for an access token.

However authentication is completed, the resulting user session is based exclusively on the ArcGIS access token. This token is maintained either in application code or stored and communicated as an HTTP cookie and is valid for a specific duration. The default token expiration is 120 minutes, though tokens can be refreshed and requested for longer periods. Along with the access token, a refresh_token is also generated, which can be used to refresh the user’s access token and extend their session when usage goes beyond a two-hour period.

A user identity also includes user-specific attributes that apply across the ArcGIS system and user experience, such as their:

  • User type – such as Viewer, Contributor, Creator or other
  • User role – such as Publisher, Administrator, Custom or other
  • Authorized licenses
  • Various privileges that are set from role-based access controls, such as group membership

When using desktop-based resources in a traditional client-server configuration such as a DBMS or file server, the user’s identity is based on the security model associated to the server technology or operating system capability.

In backend automation scenarios, like server-to-server or operating system process-based communications, the client in those interactions follows the patterns above to establish identity with associated credentials.

Further information on ArcGIS-specific authentication patterns can be found on the Esri Developer site.

User authentication protocols and mechanisms in ArcGIS

To establish a user or programmatic session with ArcGIS Enterprise or ArcGIS Online, the following supported standard industry protocols and mechanisms are used to authenticate users and clients across the ArcGIS system. They include:

Enterprise identities - SAML and OIDC

Esri provides support for SAML-based logins in ArcGIS Enterprise and ArcGIS Online along with a set of identity provider-specific documentation. OpenID Connect (OIDC) is also fully supported for ArcGIS Enterprise and ArcGIS Online organizations. Esri recommends the use of SAML or OIDC logins for all organizations where this option is available.

In the context of ArcGIS, both SAML and OIDC facilitate secure access by enabling users to sign in using their existing credentials from a trusted identity providers, such as Google, Microsoft Entra ID, Okta or other enterprise identity systems. When a user attempts to access an ArcGIS system without a current authentication session, they are redirected to the identity provider to authenticate. The identity provider handles the authentication step, where a username, password, one-time code or other factors are provided to the system, and if successful, the identity provider issues a SAML assertion or OIDC claim, which is sent back to ArcGIS to validate the user’s identity.

Benefits of using SAML or OIDC include:

  • Streamlined user experience: With single sign-on enabled by SAML or OIDC, users can access multiple applications with a single set of credentials. This reduces the need to remember multiple usernames and passwords, enhancing the overall user experience.
  • Improved security: these patterns leverage strong authentication mechanisms provided by the identity provider, such as multi-factor authentication (MFA). This ensures that only authorized users can access sensitive resources.
  • Centralized identity management: Organizations can manage user identities and access permissions centrally through their identity provider. This simplifies user administration and ensures consistent security policies across all integrated applications.
  • Reduced IT overhead: By using SAML or OIDC for authentication, IT departments can reduce the time and effort required to manage multiple authentication systems. This leads to lower administrative costs and more efficient use of resources.
  • Improved compliance: Centralized authentication and authorization help organizations maintain compliance with security standards and regulations. It provides a clear audit trail of user access and activity across all applications.
  • Flexible authentication options: For temporary users or third-party external contractors, who may not have permanent accounts with the centralized identity provider, built-in accounts can be created and used as needed and ArcGIS supports simultaneous use of both patterns.
  • Mobile GIS apps: Enterprise identities are particularly useful for mobile GIS applications, such as ArcGIS Field Maps and ArcGIS Survey123, where users need to access secure resources on the go. By using this pattern, these apps can provide a seamless and secure login experience, leveraging existing identity providers to authenticate users.
  • Third-party applications: Developers building third-party applications that interact with ArcGIS can use similar authentication patterns to securely access user data and support cross-app sessions with single sign-on. This allows for the creation of innovative solutions that extend the capabilities of ArcGIS while maintaining robust security standards.

Built-in identity store for ArcGIS Server components and Portal for ArcGIS

How it works

The built-in identity store allows you to manage users and groups directly within the ArcGIS Server components or Portal for ArcGIS. This means you don’t need an external system to handle user authentication. ArcGIS takes care of the authentication process, verifying usernames and passwords stored within its own database. This method is often used for initial setup, development, and testing because it allows for quick and easy account creation.

Practical Example

Imagine you’re setting up a new ArcGIS Enterprise portal for a small team of GIS professionals. You can quickly create user accounts for each team member directly in the portal. Each user can then log in with their credentials to access maps, apps, and other resources shared within the organization.

Advantages

Ease of Use - No need for complex integration with external systems.

Quick Setup - Ideal for getting started quickly, especially in development and testing environments.

Self-contained - All user data is managed within the portal, simplifying administration.

Limitations

Scalability - Not ideal for medium to large organizations with many users, as it can become cumbersome to manage.

Security - May not meet the stringent security requirements of some organizations compared to using LDAP or SAML.

IWA, AD and LDAP

Integrated Windows Authentication (IWA) and Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) protocols, which are only available with ArcGIS Enterprise, are commonly used within organizations for internal-facing or on-network workflows. Esri only recommends use of IWA, AD and LDAP configurations for internal-facing deployments of ArcGIS Enterprise.

Additional patterns

Public Key Infrastructure (PKI) using client certificates is used across several authentication patterns, including IWA, SAML and OIDC.

Multi-Factor Authentication (MFA), is often applied to ArcGIS built-in logins or applied as part of a SAML or OIDC process using an external identity provider. This is a recommended best practices, especially for highly-privileged accounts.

Application-based authentication is another pattern of authentication, related to the built-in user pattern, where authentication is completed using API Keys or client ID and client secret pairs.1

ArcGIS also supports anonymous user access to most resource types across the system, for organizations which have a requirement for either open access on their WAN, or public access to applications through the internet.

  1. API keys are supported with ArcGIS Location Platform, ArcGIS Online and ArcGIS Enterprise at version 11.4 or later. 

Server-to-server authentication

While most use workflows completed in ArcGIS systems are user-based, where a person is interacting with a web page or application that issues requests to a server, other workflows require a server-to-server or programmatic level of interaction, whether for integrating between systems, automating data tasks, or providing some other level of connectivity between different server-like or backend systems.

While server-based requests that allow an anonymous identity are simple to support, there are many options for authenticating these requests when the service or endpoint is secured, and some level of authentication or identification is required. Some general recommendations in this area include:

  • Most server-to-server communications cannot use a SAML-based or OIDC-based authentication pattern as these IdPs require interactive login experiences using an HTML interface, and often include multi-factor authentication prompts or captcha-style validation.
  • Requests that originate from within a geoprocessing tool or scheduled script tool running on a server will generally assume the identity of the service account or local account running that process. Especially with IWA-based scenarios, the identity and settings for this user account can significantly affect the success of a server-side request.
  • The use of an ArcGIS OAuth-based refresh_token (generated from a built in or enterprise identity provider), can be embedded in a system and used to generate session tokens on an as-needed basis. A valid refresh token can also be exchanged for a new refresh token, so logic can be created to maintain this refresh token and keep it valid indefinitely.
  • API keys are another potential method to authenticate server-side processes, where an API key can be generated for a specific service and workflow and used by a server-side process to authenticate and perform certain operations such as geocoding or routing requests.
Top