00:01One of the requirements for a platform is to make it available to all authorized users...
00:07...and to prohibit unauthorized use.
00:10So, on the surface, this might sound like usernames, passwords and SSL.
00:15But there's a lot more happening with PKI authentication and SAML single sign-on.
00:20To learn more about this, please welcome Gary Sheppard.
00:24Thanks John, Thank you.
00:27If you're a system administrator, or an IT manager...
00:31...you need to know what I'm going to show in the next few minutes.
00:36You should be aware of this, too.
00:38Now, with servers and clients, we have well-known ways of trusting servers.
00:42For example, my bank's website uses HTTPS, so that I can trust the server.
00:49But how does the server trust me?
00:51Well, I enter my username and password, but that doesn't necessarily prove that it's...
00:57...Gary Sheppard, it just proves it as someone that knows my username and password.
01:01That might be me, or it might be someone with whom I shared my username...
01:05...and password, or maybe they got it from this sticky note I left on my monitor.
01:12Now these bad practices with passwords make it hard to trust clients.
01:16Let's look at some other industry-standard authentication mechanisms...
01:21...and how they work with the ArcGIS platform.
01:25One option is PKI client authentication.
01:28With PKI, a user has a public-key certificate and a corresponding private key.
01:35The user uses the certificate and key to authenticate to a server.
01:40The certificate and key are just files, but a great way to protect them is to put them on...
01:45...a PIN-protected smart card, like this.
01:48This is the same technology as a CAC card, which many of you use daily.
01:54Let's insert our card into the smart-card reader.
01:58And now, if we navigate to an ArcGIS-based application...
02:03...the browser challenges us for a certificate.
02:06Now, this is two-factor authentication.
02:08The first factor is our certificate and the second factor is a PIN.
02:13With that certificate, ArcGIS for server can authenticate us and give us access to...
02:18...GIS services, including this map of stability operations information in Afghanistan.
02:24That's a pretty simple user experience, but behind the scenes...
02:29...ArcGIS for Server uses an LDAP identity store...
02:33...to verify that the certificate we presented corresponds to a valid user.
02:40Let's see how PKI looks in a different client, ArcGIS for Desktop.
02:44Now, if we connect to a GIS server, we present our certificate and our PIN...
02:50...and then ArcGIS authenticates us and gives us access to maps and other services.
02:57This PKI client authentication to ArcGIS for Server works in Desktop, web...
03:05...and the run-time SDKs, including mobile.
03:08You can use this today with the ArcGIS December update.
03:15Now let's look at some options that are coming with the June update of ArcGIS.
03:23For example, this browser already has the certificate information from the smart card.
03:28So it will use that certificate when we navigate to our organization's portal for ArcGIS.
03:36Now we have access to content...
03:38...both content that we own and content that's been shared with us.
03:42This PKI authentication to portal is coming in the ArcGIS June update...
03:47...with corresponding support in Desktop, web and mobile clients.
03:53Here's one more feature that's coming soon: Enterprise single sign-on for ArcGIS Online.
04:00Single-sign on provides convenience and improved security by having a single...
04:06...identity server for an organization.
04:09One popular single sign-on technology is SAML.
04:13Starting in June, ArcGIS Online will support SAML single sign-on.
04:18And here's how it will work...
04:20...Let's retrieve our smart card because we don't need it this time.
04:23Let's say that I work for Harbour Energy, and when I go to ArcGIS Online...
04:28...I can use my company's internal identity server to log in.
04:33You will need to do this with your organization's identity server.
04:37This log-in form is provided by whatever identity server we're using.
04:43Now when I log in, the SAML identity server provides a certificate to the browser.
04:54The browser uses that certificate to prove to ArcGIS Online that we've logged in.
05:00And then ArcGIS Online grants us access.
05:05That same log-in could be used to provide access to other resources...
05:09...both inside our organization and elsewhere.
05:13Starting in June, you'll be able to use your SAML identity server...
05:17...to setup authentication to ArcGIS Online.
05:23These are a few of the exciting new options for enhanced authentication in ArcGIS.
05:34I think you said it best: If you're an IT manager, care about security...
05:38...you need to understand all that; if you're an end-user like me...
05:41...just tell me how to log on and make it easy and make it secure.
05:44So thank you very much.
Authentication in ArcGIS
Gary Sheppard demonstrates new authentication options for ArcGIS. The demonstration is part of the 2013 Federal User Conference plenary session. View the full video on http://www.esri.com/events/federal/videos/index.html
- Recorded: Feb 25th, 2013
- Runtime: 05:46
- Views: 515
- Published: Mar 5th, 2013
- Night Mode (Off)Automatically dim the web site while the video is playing. A few seconds after you start watching the video and stop moving your mouse, your screen will dim. You can auto save this option if you login.
- HTML5 Video (Off) Play videos using HTML5 Video instead of flash. A modern web browser is required to view videos using HTML5.