- URL: https://<root>/security/config/updateIdentityStore
- Methods: POST
- Required Capability: Access allowed with the "Security and Infrastructure" privilege
- Version Introduced: 10.2.1
Description
The update operation changes the identity provider and group store configuration for ArcGIS Enterprise. When Portal for ArcGIS is first installed, ArcGIS Enterprise is configured to support token-based authentication and built-in groups using the built-in identity store. This configuration can be modified to enable ArcGIS Enterprise to connect to your enterprise authentication mechanism and group store by changing the type of provider and modifying the configuration properties appropriately. For more information, see the Example usage section below.
Request parameters

| Parameter | Details |
|---|---|
| | JSON that specifies the properties being changed for the identity provider. |
| | JSON that specifies the properties being changed for the group store. |
| | The response format. The default is Values: |
Identity and group store properties

| Property | Details |
|---|---|
| | Specifies the authentication mechanisms for the identity store and group store. Values: |
| | The password for the domain account. |
| | Indicates if the Values: |
| | A user account with at least read permissions to look up the email addresses and user names of users in your organization. If possible, use an account whose password does not expire. |
| | The attribute in Windows Active Directory or LDAP that contains the full name of the users. |
| | The URL to your LDAP that points to the user accounts. The URL to your LDAP will need to be provided by your LDAP administrator. Although both LDAP and LDAPS URLs are supported, LDAPS is highly recommended to ensure encrypted network traffic between Enterprise portal and LDAP servers. If LDAPS is not available, an LDAP URL can be used but traffic will be sent in clear text. This property is not applicable when configuring Windows Active Directory. |
| | The URL to your LDAP that points to the roles. The URL to your LDAP will need to be provided by your LDAP administrator. Although both LDAP and LDAPS URLs are supported, LDAPS is highly recommended to ensure encrypted network traffic between ArcGIS Enterprise and LDAP servers. If LDAPS is not available, an LDAP URL can be used but traffic will be sent in clear text. This property is not applicable when configuring Windows Active Directory. |
| | The attribute in Windows Active Directory or LDAP that contains the email addresses of the users. |
| | The LDAP attribute of the user entry that is to be treated as the user name. This property is not applicable when configuring Windows Active Directory. |
| | When using LDAP and PKI to secure access to Enterprise portal, you'll need to specify the value for |
| | In the rare case where your Windows Active Directory is configured to be case sensitive, set this property to Values: |
| | This property controls whether LDAP referrals are followed when ArcGIS Enterprise queries domain controllers for user or group information. By default, this is set to Values: |
| | The IP address of the domain controller to be used by Enterprise portal. You'll need to specify the domain controller if your Active Directory deployment includes multiple domain controllers, but not all domain controllers are configured as global catalog servers. Multiple IP addresses can be listed and IPv6 addresses are supported. |
| | The IP address of the domain controller for specific domains. Multiple domains can be listed along with multiple IP addresses for each domain. The IP addresses can be either IPv4 or IPv6. |
| | This property is only applicable when configuring the group store. By default, each time an enterprise user signs in to Enterprise portal, the groups are refreshed automatically. If this behavior adversely affects login performance, it can be disabled by setting the value of this property to Values: |
| | This property is only applicable when configuring the group store. ArcGIS Enterprise periodically refreshes all user memberships. This property determines the interval at which the refresh repeats. The default value is |
| | Determines the start time of the periodic refresh. The format is a 24-hour clock string. The default start time is midnight ("00:00"). The refresh operation may be computationally expensive, so it is recommended that the refresh time not be during business hours when Enterprise portal may be busy. This property is only applicable when configuring the group store. |
| | This property is only applicable when configuring the user store with Windows Active Directory and using portal-tier authentication to sign in. By default, Values: |
| | This property applies to Windows Active Directory only. It enforces encrypted communication between ArcGIS Enterprise and Active Directory. When the property is set to Values: |
| | Introduced at 10.8, this property applies to both Windows Active Directory and LDAP. It can be used to return the actual first name value stored in the Windows Active Directory or LDAP identity store. |
| | Introduced at 10.8, this property applies to both Windows Active Directory and LDAP. It can be used to return the actual last name value stored in the Windows Active Directory or LDAP identity store. |
| | Introduced at 10.9. Defines the SASL authentication scheme used by Portal for ArcGIS to connect to the domain controllers via LDAP. In 10.9, the only SASL authentication scheme that is supported is GSSAPI. |
| | Introduced at 10.9. Defines the path to the Kerberos configuration text file that is needed when utilizing the GSSAPI SASL authentication scheme. This file needs to reside in a location that the Portal for ArcGIS service account has read access to. This configuration file is standard for Kerberos and should include default configuration settings and information on one or more Kerberos domain controllers for each Kerberos realm. |
Example usage
The following is a sample POST request for the update operation:

```http
POST /webadaptor/portaladmin/security/config/updateIdentityStore HTTP/1.1
Host: machine.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

userStoreConfig={
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "userFullnameAttribute": "displayName",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "cn",
    "ldapURLForUsers": "ldaps://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "uid",
    "caseSensitive": "false",
    "userSearchAttribute": "cn"
  }
}&groupStoreConfig={}&f=pjson
```
Configuration examples
The following examples can be used to update Enterprise portal's identity and group store to:
- Configure enterprise users and built-in groups
- Configure enterprise users and enterprise groups (Windows Active Directory or LDAP)
- Configure built-in Enterprise portal users and groups
Configure enterprise users and built-in groups
Windows Active Directory example
The codeblock below specifies the input JSON object for the userStoreConfig parameter:

```json
{
  "type": "WINDOWS",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount",
    "userFullnameAttribute": "displayName",
    "userEmailAttribute": "mail",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "cn",
    "caseSensitive": "false"
  }
}
```
In most cases, you will only need to alter values for the user and userPassword properties. In the rare case where Windows Active Directory is configured to be case sensitive, set the caseSensitive property to true.
Update the groupStoreConfig parameter to include an empty JSON object. This will force ArcGIS Enterprise to use built-in groups.
LDAPS example (highly recommended)
The codeblock below specifies the input JSON object for the userStoreConfig parameter:

```json
{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "userFullnameAttribute": "displayName",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "cn",
    "ldapURLForUsers": "ldaps://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "uid",
    "caseSensitive": "false",
    "userSearchAttribute": "cn"
  }
}
```
Although both LDAP and LDAPS URLs are supported, LDAPS is highly recommended to ensure encrypted network traffic between Enterprise portal and LDAP servers. If LDAPS is not available, an LDAP URL can be used but traffic will be sent in clear text.
Update the groupStoreConfig parameter to include an empty JSON object. This will force ArcGIS Enterprise to use built-in groups.
LDAP example
The codeblock below specifies the input JSON object for the userStoreConfig parameter:

```json
{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "userFullnameAttribute": "displayName",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "cn",
    "ldapURLForUsers": "ldap://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "uid",
    "caseSensitive": "false",
    "userSearchAttribute": "cn"
  }
}
```
In most cases, you will only need to alter values for the user, userPassword, and ldapURLForUsers properties. The URL to your LDAP will need to be provided by your LDAP administrator. If your LDAP is configured to be case insensitive, set the caseSensitive property to false. The account you use for the user property needs permissions to look up the email addresses and user names of users in your organization.
In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:

```json
"ldapURLForUsers": "ldaps://ldapserver:10636/dc=example,dc=com"
```

Update the groupStoreConfig parameter to include an empty JSON object. This will force ArcGIS Enterprise to use built-in groups.
Configure enterprise users and enterprise groups
Windows Active Directory example
The codeblock below specifies the input JSON object for the userStoreConfig parameter:

```json
{
  "type": "WINDOWS",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount",
    "userFullnameAttribute": "displayName",
    "userEmailAttribute": "mail",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "cn",
    "caseSensitive": "false"
  }
}
```
In most cases, you will only need to alter values for the user and userPassword properties. The account you use for the user property only needs permissions to look up the email address and full name of Windows accounts on the network. If possible, use an account whose password does not expire. In the rare case where Active Directory is configured to be case sensitive, set the caseSensitive property to true.
Update the groupStoreConfig parameter with the group information from your organization's enterprise identity store:

```json
{
  "type": "WINDOWS",
  "properties": {
    "isPasswordEncrypted": "false",
    "userPassword": "secret",
    "user": "mydomain\\winaccount"
  }
}
```
In most cases, you will only need to alter values for the user and userPassword properties. The account you use for the user property only needs permissions to look up the names of Windows groups on the network. If possible, use an account whose password does not expire.
LDAPS example (highly recommended)
The codeblock below specifies the input JSON object for the userStoreConfig parameter:

```json
{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "userFullnameAttribute": "displayName",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "cn",
    "ldapURLForUsers": "ldaps://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "uid",
    "caseSensitive": "false",
    "userSearchAttribute": "cn"
  }
}
```
Although both LDAP and LDAPS URLs are supported, LDAPS is highly recommended to ensure encrypted network traffic between Enterprise portal and LDAP servers. If LDAPS is not available, an LDAP URL can be used but traffic will be sent in clear text.
Update the groupStoreConfig parameter with the group information from your organization's enterprise identity store:

```json
{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "ldapURLForUsers": "ldaps://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "ldapURLForRoles": "ldaps://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "cn",
    "caseSensitive": "false",
    "memberAttributeInRoles": "member",
    "rolenameAttribute": "cn"
  }
}
```
LDAP example
The codeblock below specifies the input JSON object for the userStoreConfig parameter:

```json
{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "userFullnameAttribute": "displayName",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "ldapURLForUsers": "ldap://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "cn",
    "caseSensitive": "false",
    "userSearchAttribute": "cn"
  }
}
```
In most cases, you will only need to alter values for the user, userPassword, and ldapURLForUsers properties. The URL to your LDAP will need to be provided by your LDAP administrator. The account you use for the user property needs permissions to look up the email addresses and user names of users in your organization. If your LDAP is configured to be case insensitive, set the caseSensitive property to false.
In the above example, the LDAP URL refers to users within a specific OU (ou=users). If users exist in multiple OUs, the LDAP URL can point to a higher-level OU or even the root level if needed. In that case, the URL would instead look like this:

```json
"ldapURLForUsers": "ldaps://bar2:10636/dc=example,dc=com"
```

Update the groupStoreConfig parameter with the group information from your organization's enterprise identity store:

```json
{
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "ldapURLForUsers": "ldap://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "ldapURLForRoles": "ldap://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "cn",
    "caseSensitive": "false",
    "memberAttributeInRoles": "member",
    "rolenameAttribute": "cn"
  }
}
```
Configure built-in Enterprise portal users and groups
Pass in empty JSON objects for the userStoreConfig and groupStoreConfig parameters to force ArcGIS Enterprise to use built-in groups and the built-in identity store.
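The following added example (not Esri's code) serves both the sample POST in Example usage and the configuration examples above: it lints a userStoreConfig/groupStoreConfig pair for the weak settings this reference warns about (clear-text ldap:// URLs, a plain-text userPassword) before form-encoding the three request parameters the way the sample POST does. The hostname and credentials in the sample config are constructed.

```python
"""Pre-flight check and body builder for the updateIdentityStore operation.
Added example, not Esri's code; the sample config below is constructed."""
import json
from urllib.parse import urlencode

LDAP_URL_KEYS = ("ldapURLForUsers", "ldapURLForRoles")


def lint_store_config(name, cfg):
    """Return findings for one store config; an empty object means built-in."""
    findings = []
    if not cfg:
        return findings
    props = cfg.get("properties", {})
    store_type = cfg.get("type")
    if store_type not in ("WINDOWS", "LDAP"):
        findings.append(f"{name}: unsupported type {store_type!r}")
    for key in LDAP_URL_KEYS:
        # LDAPS is recommended; plain ldap:// sends the bind and lookups in the clear.
        if props.get(key, "").lower().startswith("ldap://"):
            findings.append(f"{name}: {key} uses clear-text ldap://, prefer ldaps://")
    if store_type == "LDAP" and not props.get("ldapURLForUsers"):
        findings.append(f"{name}: LDAP store requires ldapURLForUsers")
    if props.get("userPassword") and props.get("isPasswordEncrypted", "false") == "false":
        findings.append(f"{name}: userPassword is plain text (isPasswordEncrypted=false)")
    return findings


def lint_update_request(user_store, group_store):
    """Findings for both parameters of one updateIdentityStore call."""
    return (lint_store_config("userStoreConfig", user_store)
            + lint_store_config("groupStoreConfig", group_store))


def build_update_body(user_store, group_store, fmt="pjson"):
    """Form-encode userStoreConfig, groupStoreConfig and f for the POST body."""
    return urlencode({"userStoreConfig": json.dumps(user_store),
                      "groupStoreConfig": json.dumps(group_store),
                      "f": fmt})


if __name__ == "__main__":
    # Constructed LDAP user store with a clear-text URL and built-in groups ({}).
    weak = {"type": "LDAP", "properties": {
        "user": "uid=admin,ou=system", "userPassword": "secret",
        "isPasswordEncrypted": "false", "usernameAttribute": "uid",
        "ldapURLForUsers": "ldap://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com"}}
    for finding in lint_update_request(weak, {}):
        print(finding)
    print(build_update_body(weak, {}))
```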