[GIS] Does ArcGIS for Server support others using own credentials (Single Sign On) for Federated Services

Tags: arcgis-10.2, arcgis-portal, arcgis-server, security

I have a number of secured ArcGIS 10.2 for Server (AGS) services which a number of other companies use as well. At the moment we have created domain accounts on our domain which they need to access the services.

However, does ArcGIS 10.2 for Server allow me to set up my site as a federated resource partner so that the other companies can use their own credentials instead (Single Sign On)?

I know that arcgis.com and the Portal will allow you to do it, but I haven't found anything about doing it on your own AGS installation.

Best Answer

At the time of writing, out of the box, there is not a way to allow users from more than one Active Directory to access your ArcGIS Server.

ArcGIS Server can hook into a single Active Directory. I am not a security boff, but you could investigate (Stack Overflow question?) the possibilities of combining domains from different Active Directories with other products or at the domain controller end. I have heard of this being done, but cannot provide you with anything concrete.

ArcGIS.com allows you to set up Enterprise Logins, which makes use of SAML Web Single Sign On. SAML is an open standard to securely exchange authentication and authorization data between an identity provider (your organization) and a service provider (in this case, ArcGIS Online). Now, I would like to be corrected on this, but as far as I can see, whilst it is possible to consume multiple identity stores with the SAML model, ArcGIS.com only appears to allow you to point to one authentication server. Therefore, only one Active Directory. This might be by design, as what happens when it finds 'Adam Smith' in multiple stores?

As for Portal, this also relies on there being a singular identity store (i.e. one Active Directory).
