PKI and client certificates

One common method for securing communication between clients and services is client certificate authentication. The term covers a broad range of client and server workflows: a user requesting a web page from a browser, for example, or a backend system connecting to an API in a server-to-server exchange. More generally, PKI certificates are used to establish the TLS sessions that encrypt web communications, to sign code and applications, to authenticate a user to a remote system, and to secure person-to-person communication through systems such as Pretty Good Privacy (PGP), which uses its own web-of-trust model rather than a certificate authority hierarchy.

Client certificates are typically issued to a user by a certificate authority (CA) that is operated or managed by an enterprise IT organization. The certificate and its private key are stored in the operating system certificate store, or on a separate device such as a USB token or smart ID card, which holds the private key in hardware so that it cannot be exported. A hardware token can be connected to different computers, allowing the user to authenticate from multiple locations without copying the key.

Client authentication to ArcGIS services

In ArcGIS systems, the most common use of client certificates is a user authenticating to an authentication provider. Two main implementation patterns for this workflow are described below.

Web-tier authentication

In ArcGIS Enterprise, web-tier authentication refers to a pattern in which the web server that hosts ArcGIS Web Adaptor performs the authentication. The general flow of this pattern is as follows:

  1. When a user first attempts to access an ArcGIS Enterprise component, such as ArcGIS Server or Portal for ArcGIS, through the web server, the web server requests a client certificate as part of the TLS handshake.
  2. The user can choose to present a certificate, which the web server validates against its trust store: the chain must lead to a trusted CA, the certificate must be within its validity period, and, where configured, it must not be revoked. If validation succeeds, the web server maps an attribute of the certificate to a username, and ArcGIS Web Adaptor passes that username to the component, which in turn establishes a session.

This process does not require the client certificate to be sent to or trusted by ArcGIS Enterprise, and no password is exchanged or validated with the ArcGIS component. The component trusts the username asserted by the web tier, and that trust is what grants the user access. Because of this, network access to the component's own ports should be restricted to the web tier; a client that can reach the component directly bypasses the certificate check entirely.

SAML or OIDC-based IdP

This pattern has become more common as modern authentication methods are adopted. It uses a client certificate to authenticate the user to a SAML or OIDC-based Identity Provider (IdP). In this pattern, there is no client certificate interaction with ArcGIS Enterprise or ArcGIS Online at all. Rather, the workflow is as follows:

  1. When a user attempts to log in to ArcGIS, they are prompted to initiate a SAML or OIDC-based login process to their IdP.
  2. Their IdP, usually a separately managed and hosted system, can choose to allow a number of different authentication patterns, which might include client certificate authentication through a smart card or OS-managed certificate, among other options like username and password-based authentication.
  3. Once the user has successfully authenticated to the IdP, their session with ArcGIS is established through a SAML assertion or an OIDC ID token, and the client certificate is not requested again until that session expires.

Service to service authentication with PKI

One additional pattern of client certificate-based authentication concerns requests that originate from a server-side component, web service, or other process, rather than from an individual user's session in software such as a web browser. This occurs in a wide variety of workflows, including:

  • An ArcGIS Server print service attempts to connect to a PKI-secured endpoint for a map or feature service.
  • A cloud-managed API service authenticates to a backend or on-premises service and requires client certificate authentication.

In these scenarios, the calling service must be configured with a client certificate, and with access to its private key, so that it can authenticate to the backend system. How this is configured varies by product and platform. The certificate should be issued to the service's own identity rather than borrowed from a user account, and its private key protected with the same care as a user's credential.

Other considerations and recommendations

  • PKI authentication from native and mobile applications built with ArcGIS Maps SDKs may require particular attention because of how client certificates are provisioned, stored, and accessed on mobile devices.
  • The implementation of PKI authentication and how users interact with it can vary significantly between individual users’ configurations of their operating system, browser, and settings.
  • Troubleshooting PKI-related issues or errors requires specialized skills and an understanding of the intended design of the overall PKI system within the network or IT environment. Engaging with cybersecurity or IT professionals is important to ensure compliance and proper usage.
  • Client certificates have the same considerations as web server SSL/TLS certificates: validity period, trust chain, revocation status, and attributes such as key usage and the subject or subject alternative name fields used to identify the user. They should be carefully monitored, renewed, and managed so that users do not experience unexpected interruptions.
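The checks the web tier applies before asserting a username (step 2 of the web-tier flow) and the validity, trust chain and attribute considerations in the last recommendation can be exercised with the openssl command line. The following script is an added example and is not code from the original page or from any Esri product: it builds a throwaway issuing CA, issues three certificates, and runs a validate_client_cert function over each. The CA name, the users jdoe, svc-print and mallory, and the use of the subject CN as the username are assumptions for illustration; real deployments commonly map a subject alternative name attribute such as a UPN or email address instead.

```shell
#!/bin/sh
# Added example (not part of the original page or of any Esri product).
# Builds a throwaway CA plus client certificates with the openssl CLI and
# applies the checks a web tier performs before asserting a username:
# chain to a trusted CA, validity window, clientAuth extended key usage,
# and extraction of the identifying attribute. Names and the CN-based
# username mapping are assumptions for illustration only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal self-signed CA standing in for the enterprise issuing CA.
make_ca() {
    name=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=$cn" -keyout "$name.key" -out "$name.pem" 2>/dev/null
}

# Issue a certificate for USER signed by CA with the given extended key usage.
issue_cert() {
    user=$1; ca=$2; eku=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=$user" -keyout "$user.key" -out "$user.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=%s\n' \
        "$eku" > "$user.ext"
    openssl x509 -req -in "$user.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$user.ext" -out "$user.pem" 2>/dev/null
}

# validate_client_cert CERT CAFILE [UNIXTIME]
# Prints the mapped username and returns 0 on success; returns 1 if any check fails.
validate_client_cert() {
    cert=$1; cafile=$2; attime=${3:-}
    # 1. Chain to the trust store plus purpose check: -purpose sslclient rejects a
    #    certificate whose EKU does not permit TLS client authentication. The
    #    optional -attime evaluates the validity window at a chosen instant.
    if [ -n "$attime" ]; then
        out=$(openssl verify -purpose sslclient -CAfile "$cafile" -attime "$attime" "$cert" 2>&1 || true)
    else
        out=$(openssl verify -purpose sslclient -CAfile "$cafile" "$cert" 2>&1 || true)
    fi
    printf '%s\n' "$out" | grep -q ': OK$' || return 1
    # 2. Reject a certificate that expires within the next hour, before it
    #    causes an interruption mid-session.
    openssl x509 -in "$cert" -noout -checkend 3600 >/dev/null 2>&1 || return 1
    # 3. Map the identifying attribute to a username (subject CN, by assumption).
    user=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
           | sed -n 's|.*CN=\([^,/]*\).*|\1|p')
    [ -n "$user" ] || return 1
    printf '%s\n' "$user"
}

# Demo: a trusted user certificate, a service certificate that lacks clientAuth,
# and a certificate from a CA the web server does not trust.
make_ca ca "Example Issuing CA"
make_ca rogue "Untrusted CA"
issue_cert jdoe ca clientAuth
issue_cert svc-print ca serverAuth
issue_cert mallory rogue clientAuth

echo "jdoe (trusted CA, clientAuth):  $(validate_client_cert jdoe.pem ca.pem || echo REJECTED)"
echo "svc-print (serverAuth only):    $(validate_client_cert svc-print.pem ca.pem || echo REJECTED)"
echo "mallory (untrusted CA):         $(validate_client_cert mallory.pem ca.pem || echo REJECTED)"
echo "jdoe evaluated at 2000-01-01:   $(validate_client_cert jdoe.pem ca.pem 946684800 || echo REJECTED)"
```

Only jdoe is accepted; the other three lines print REJECTED. The outcome is decided by the `": OK"` line that openssl verify prints rather than by its exit status, because older OpenSSL releases did not reliably return non-zero on a failed verification. Revocation checking (CRL or OCSP) is deliberately not shown, since it needs a reachable distribution point; in a real web tier it is the additional check that belongs between steps 1 and 2.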