Skip To Content


In this topic

Services provided by portal or by ArcGIS for Server may require a login before they can be accessed. Some portals may provide anonymous access to some resources, but restrict access to others based on organization or group membership. You can add logic to your app that allows the user to access secured content using one of several authentication methods.

Your app can provide access to secured ArcGIS Server, ArcGIS Online, or ArcGIS for Portal resources using the following authorization methods:

  • Tokens: ArcGIS Tokens or OAuth
  • Network credential: HTTP secured service
  • Certificate: Public Key Infrastructure

See the Use ArcGIS token authenticationand Use OAuth 2.0 authentication topics for specific information about accessing resources secured using those methods.

Once authenticated, you can get details about the user from the ArcGISPortal.CurrentUser property. This property returns an ArcGISPortalUser object with properties that describe the user and methods for accessing the user's content. Depending on the value of the Access level, personal details and content may be publically available, or only to the user and administrators.


Authenticating with ArcGIS for Portal or an organization account for ArcGIS Online also provides a way to license your ArcGIS Runtime SDK app at the Standard level. See the License your app topic for more details.

Identity manager

To abstract some of the low level details for working with secure content, the IdentityManager class handles some of the details when accessing secured resources in your app, such as challenging the user for credentials when a secured resource is accessed and storing credentials when the user successfully authorizes. It also manages a collection of server information and available user credentials if they have been provided. When a request for secured content is made to one of the servers in the collection, the identity manager automatically includes the user's credentials in the request or handles getting a credential if one does not exist.

Set up the IdentityManager

IdentityManager is a singleton class, which means there is always exactly one instance. You cannot instantiate an IdentityManager object in your code using new, instead you must reference it using the IdentityManager.Current static property.

IdentityManager maintains a collection of servers for your app that require authentication for access to secured services. You can register a server with the identity manager with its URL and indicate what type of authorization should be used. Depending on the type of authorization used for a server, you may need to provide additional information. OAuth requires a unique ID for the client app and a URL to handle the response, for example. In general, you will register these servers when your app initializes to ensure that the identity manager knows how to handle requests for their services.

The following example registers a server with the IdentityManager with an OAuth user login authentication type (TokenAuthenticationType.OAuthAuthorizationCode) and defines some required information about the client app (OAuthClientInfo).

// Register a portal with the IdentityManager that uses OAuth authentication
var serverInfo = new ServerInfo
 	ServerUri = "",
 	TokenAuthenticationType = TokenAuthenticationType.OAuthAuthorizationCode,
 	OAuthClientInfo = new OAuthClientInfo { ClientId = "2HEtx9ujil5rac8K", RedirectUri = "urn:ietf:wg:oauth:2.0:oob"}


The following members are available on the identity manager to work with registered servers:

Challenge the user for credentials

When a request is made for a secured resource, the identity manager can see if the request is to one of its registered servers. If the user has already authorized with the server, the identity manager will automatically include the user credential with the request. Otherwise, the identity manager will challenge the user for login information according to the authorization method that's been defined for the registered server. The following code will cause a challenge for the user to provide a login if the server is secured and registered with the identity manager.

var portal = await ArcGISPortal.CreateAsync(new Uri(SERVER_URI));


If a server allows public access for unsecured resources, the user may be given access as an anonymous user rather than being challenged for authorization. To explicitly challenge the user, call IdentityManager.GetCredentialAsync().

The details of how a user is challenged for a credential (user name and password, in other words) are handled by components associated with the IdentityManager.

  • Challenge handler - a component that implements the IChallengeHandler interface and is assigned to the IdentityManager.ChallengeHandler property. The challenge handler contains logic for obtaining the required credential for a server, either by providing hard-coded login information or prompting the user to enter it.
  • OAuth authorize handler - a component that implements the IOAuthAuthorizeHandler interface and is assigned to the IdentityManager.OAuthAuthorizeHandler property. The OAuth authorize handler contains logic that's specific to handling authorization using OAuth.
You can use the default handlers and utility classes provided by ArcGIS Runtime SDK for .NET, or those available in the toolkit, as described in the following section of this topic. If needed, you can create custom handler components by implementing the required interfaces. See the Use ArcGIS token authentication topic for more details about setting up a challenge handler.

Add or remove credentials

The identity manager maintains a collection of credentials for use by your app. You can add or remove credentials in this collection as needed. After successfully generating a credential, you must add it to the identity manager's credential collection. Only credentials in the collection will be used to access secured resources.

The following example generates a new credential for connecting to a secure resource, then adds the credential to the identity manager.

    // exception will be thrown here for bad credential ...
    var cred = await Esri.ArcGISRuntime.Security.IdentityManager.Current.GenerateCredentialAsync(
        PORTAL_SERVER_URL, UserTextBox.Text, PasswordTextBox.Password);

    // add the credential if it was generated successfully

    // connecting to the portal will use an available credential (based on the server URL)
    _portal = await Esri.ArcGISRuntime.Portal.ArcGISPortal.CreateAsync(new Uri(PORTAL_SERVER_URL));
catch(ArcGISWebException webExp)
    var msg = "Could not log in. Please check credentials. Error code: " + webExp.Code;



If the user name and password cannot be authenticated by GenerateCredentialAsync, an Esri.ArcGISRuntime.Http.ArcGISWebException is thrown. Make sure you handle such exceptions, as shown in the previous example, especially if you are getting login information from the user. One technique is to ignore such exceptions and connect anonymously (if supported by the server) when authentication fails.

If you no longer need the credential for a server in the identity manager, you can remove it from the collection. This would be equivalent to signing out of a portal. The credential for a particular server can be found in the collection using the server URL. The following example finds the credential for a server and removes it from the collection.

// find the credential for this server
var cred = Esri.ArcGISRuntime.Security.IdentityManager.Current.FindCredential(PORTAL_SERVER_URL);

// remove it from the identity manager

Toolkit utilities

ChallengeHandler and OAuthAuthorizeHandler components can be created by implementing the IChallengeHandler and IOAuthAuthorizeHandler interfaces respectively. In most cases, the handlers provided by the ArcGIS Runtime SDK for .NET Toolkit are sufficient and save you from writing a lot of code. Follow the instructions in the Install the toolkit topic to add the toolkit to your project.

The following example assigns the ChallengeHandler and OAuthAuthorizeHandler properties for the identity manager using the components available in the toolkit (SignInChallengeHandler and OAuthAuthorizeHandler).

IdentityManager.Current.ChallengeHandler = new Esri.ArcGISRuntime.Toolkit.Security.SignInChallengeHandler 
                                                             { AllowSaveCredentials = true };
IdentityManager.Current.OAuthAuthorizeHandler = new Esri.ArcGISRuntime.Toolkit.Security.OAuthAuthorizeHandler();

The AllowSaveCredentials option for the SignInChallengeHandler gives the user the option to store their credentials so they can be used between sessions with your app.

Related topics