
Update Identity Store

Description

This operation updates the identity provider and role (group) store configurations for ArcGIS Enterprise on Kubernetes. The default access mode is token-based authentication with built-in groups, using the built-in identity store for accounts. To connect your organization to your enterprise authentication mechanism and role (group) store, the deployment must be configured to use an enterprise identity store such as Windows Active Directory or LDAP.

Request parameters

Parameter    Details

userStoreConfig

Specifies the user store properties. This parameter accepts as input all the properties defined in the userStoreConfig and roleStoreConfig properties section below.

roleStoreConfig

Specifies the role (group) store properties. This parameter accepts as input all the properties defined in the userStoreConfig and roleStoreConfig properties section below.

f

The response format. The default format is html.

Values: html | json | pjson

userStoreConfig and roleStoreConfig properties

Parameter    Details

userPassword

The password for the domain account.

Example

"userPassword": "secret"

isPasswordEncrypted

Indicates whether the userPassword property is an encrypted password or plain text. If the property is false, the API encrypts the password automatically.

Values: true | false

user

A user account with at least read permissions to look up the email addresses and user names of users in your organization. If possible, use an account whose password does not expire.

Example

//Windows Active Directory
"user": "mydomain\\winaccount"

//LDAP example (a distinguished name)
"user": "uid=admin,ou=system"

userFullnameAttribute

The attribute in Windows Active Directory or LDAP that contains the user's full name.

Example

"userFullnameAttribute": "cn"

ldapURLForUsers

The URL to your LDAP directory that points to the user accounts; your LDAP administrator will need to provide it. Both LDAP and LDAPS URLs are supported, but LDAPS is strongly recommended so that traffic between your deployment and the LDAP server is encrypted. If LDAPS is not available, an LDAP URL can be used, but traffic, including the directory queries made with the user account above, will be sent in clear text. This property is not applicable when configuring Windows Active Directory.

Example

"ldapURLForUsers": "ldaps://bar2:10636/ou=users,ou=ags,dc=example,dc=com"

ldapURLForRoles

The URL to your LDAP directory that points to the roles; your LDAP administrator will need to provide it. Both LDAP and LDAPS URLs are supported, but LDAPS is strongly recommended so that traffic between the portal and the LDAP server is encrypted. If LDAPS is not available, an LDAP URL can be used, but traffic will be sent in clear text. This property is not applicable when configuring Windows Active Directory.

Example

"ldapURLForRoles": "ldaps://bar2:10636/ou=roles,ou=ags,dc=example,dc=com"

userEmailAttribute

The attribute in Windows Active Directory or LDAP that contains the email addresses of the users.

Example

"userEmailAttribute": "mail"

usernameAttribute

The LDAP attribute of the user entry that is to be treated as the user name. This property is not applicable when configuring Windows Active Directory.

Example

"usernameAttribute": "cn"

userSearchAttribute

When using LDAP with PKI (client certificate) authentication, you must specify userSearchAttribute: the LDAP attribute whose value is matched against the Subject of the user's PKI certificate. If your organization populates the certificate Subject with a different attribute, such as the email address, set userSearchAttribute to the attribute that matches the Subject in the certificate.

caseSensitive

If your Windows Active Directory or LDAP is configured to be case sensitive, set this property to true. If it is configured to be case insensitive, set the property to false.

Values: true | false

followReferrals

This property controls whether LDAP referrals are followed when ArcGIS Enterprise on Kubernetes queries domain controllers for user or group information. By default, this is set to true.

Values: true | false

domainControllerAddress

A comma-separated list of one or more hostnames or IP addresses for the domain controllers to be used by ArcGIS Enterprise on Kubernetes. This property is required if the user or role (group) store config type is set to WINDOWS.

Note:

ArcGIS Enterprise on Kubernetes always attempts a secure LDAPS connection to the domain controller first. If the TLS certificate used by the domain controller is not trusted, or the domain name or IP address used to reach it is not included as a subject alternative name in the certificate, that connection fails and ArcGIS Enterprise on Kubernetes falls back to a regular, unencrypted LDAP connection unless userSSLOnly is set to true. Verify the certificate chain and subject alternative names rather than relying on the fallback, since the fallback sends directory traffic in clear text.

domainControllerMapping

The hostname or IP address of one or more domain controllers for specific domains. In a multi-domain environment, this is needed to link domain names to specific domain controllers. Multiple domains can be listed along with multiple hostnames or IP addresses for each domain. This property is required if the user or role (group) store config type is set to WINDOWS.

Note:

ArcGIS Enterprise on Kubernetes always attempts to make a secure connection to the domain controller. The TLS certificate used by the domain controller needs to have the hostname or IP address included as a subject alternative name in the certificate for proper certificate verification.

Syntax for multiple domains

domain1.com=hostname1, hostname2; domain2.com=hostname3, hostname4
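As an added example, not code from the ArcGIS documentation or from Esri: a parser for the domainControllerMapping syntax shown above, which turns "domain1.com=hostname1, hostname2; domain2.com=hostname3, hostname4" into a dictionary and rejects malformed entries (a missing "=", a duplicated domain, an empty hostname) before the value is posted. The function names are my own, and the domain-name pattern is an assumed sanity check, not a rule stated on this page.

```python
# Added example, not from the ArcGIS documentation: parse and validate the
# domainControllerMapping string described above. Function names are my own.
from __future__ import annotations

import re

# Assumed sanity check for the domain part: DNS labels with dots/hyphens inside.
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_domain_controller_mapping(value: str) -> dict[str, list[str]]:
    """Turn 'domain1.com=host1, host2; domain2.com=host3' into a dict.

    Entries are separated by ';', domain and hosts by '=', hosts by ','.
    Malformed input raises ValueError so a typo is caught before the
    configuration is posted rather than at the next enterprise sign-in.
    """
    mapping: dict[str, list[str]] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        if entry.count("=") != 1:
            raise ValueError(f"expected 'domain=hosts' in {entry!r}")
        domain, hosts = (part.strip() for part in entry.split("="))
        domain = domain.lower()  # DNS names are case-insensitive
        if not _DOMAIN_RE.match(domain):
            raise ValueError(f"invalid domain name {domain!r}")
        if domain in mapping:
            raise ValueError(f"domain {domain!r} listed more than once")
        host_list = [h.strip() for h in hosts.split(",")]
        if any(not h or " " in h for h in host_list):
            raise ValueError(f"empty or malformed hostname in entry for {domain!r}")
        mapping[domain] = host_list
    if not mapping:
        raise ValueError("no domain entries found")
    return mapping


def format_domain_controller_mapping(mapping: dict[str, list[str]]) -> str:
    """Serialise back to the documented syntax (the inverse of the parser)."""
    return "; ".join(f"{domain}={', '.join(hosts)}" for domain, hosts in mapping.items())


def mapping_error(value: str) -> str | None:
    """Return the validation error for value, or None if it parses cleanly."""
    try:
        parse_domain_controller_mapping(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    sample = "uc.esri.com=10.50.4.134, 10.50.4.133; esri.com=10.50.4.36, 10.48.4.1"
    print(parse_domain_controller_mapping(sample))
    print(mapping_error("esri.com=dc1; esri.com=dc2"))
```

Run the parser over the value you intend to post; the error it raises names the offending entry, which is far easier to act on than a sign-in failure after the configuration has been applied.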
refreshUserMembershipDuringLoginEnabled

This property is only applicable when configuring the role (group) store. By default, each time an enterprise user signs in to portal, the groups are refreshed automatically. If this behavior adversely affects login performance, it can be disabled by setting the value of this parameter to false. The default value of this parameter is true.

Values: true | false

membershipRefreshIntervalHours

This property is only applicable when configuring the role (group) store. ArcGIS Enterprise on Kubernetes periodically refreshes all user memberships. This parameter determines the interval at which the refresh repeats. The default value is 24 (hours).

membershipRefreshStartTime

This property is only applicable when configuring the role (group) store. This parameter determines the start time of the periodic refresh. The format is a 24-hour clock string. The default time is midnight ("00:00"). The refresh operation may be computationally expensive, so it is recommended that the refresh not run during business hours when the portal may be busy.

checkForMultipleUsernameFormats

This property is only applicable when configuring the user store with Windows Active Directory and using portal-tier authentication to sign in. By default, checkForMultipleUsernameFormats is false, and enterprise users must sign in with one of the following username formats: DOMAIN\username or username@DOMAIN. If checkForMultipleUsernameFormats is true, the portal will try other username formats (including username and username@DOMAIN.com) if the initial attempt fails.

Values: true | false

userSSLOnly

This property applies to Windows Active Directory only. It enforces encrypted communication between ArcGIS Enterprise on Kubernetes and Active Directory. When the property is set to true and encrypted communication fails, the portal does not attempt to communicate without encryption. The property is false by default, which means a failed LDAPS connection falls back to clear-text LDAP (see the note under domainControllerAddress); set it to true wherever your domain controllers support LDAPS.

Values: true | false

userGivenNameAttribute

This property applies to both Windows Active Directory and LDAP. It can be used to return the actual first name value stored in the Windows Active Directory or LDAP identity store.

userSurnameAttribute

This property applies to both Windows Active Directory and LDAP. It can be used to return the actual last name value stored in the Windows Active Directory or LDAP identity store.

Example usage

The following is a sample POST request for the updateIdentityStore operation:

POST /context/admin/security/config/updateIdentityStore HTTP/1.1
Host: organization.domain.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

userStoreConfig={
  "type": "WINDOWS",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount",
    "userFullnameAttribute": "displayName",
    "userEmailAttribute": "mail",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "caseSensitive": "false",
    "domainControllerAddress": "10.50.4.36, 10.48.4.1",
    "domainControllerMapping": "uc.esri.com=10.50.4.134, 10.50.4.133; esri.com=10.50.4.36, 10.48.4.1"
  }
}&roleStoreConfig={
  "type": "WINDOWS",
  "properties": {
    "isPasswordEncrypted": "true",
    "userPassword": "xxx",
    "user": "mydomain\\winaccount",
    "domainControllerAddress": "10.50.4.36, 10.48.4.1",
    "domainControllerMapping": "uc.esri.com=10.50.4.134, 10.50.4.133; esri.com=10.50.4.36, 10.48.4.1"
  }
}&f=pjson&token=Mb0ORrkLObNO2Q8FZoUCHHzSMzZi0CbhLHNRYMqqa6URG_ojQJF3rNsJAfRB23MyCrLwSmuaHPUo4AEIrUuoH1-4Ot5xh4565FtlQahXAhK2C7Sy0oydZhBwD8KdFSnVlnLr-e9uI5ovSWZ2lGNn9SwoV2MPMzeAh_5r-q-wgwF8DTT_nhuCXJGkMRy-48jjGS2aN5FI18STHZ8RAuKxGasH90SI3C7njZzlGCUrY5m6BDhCMsdpZA14GwNX8Cis

JSON Response example

{"status": "success"}
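As an added example (my own code, not Esri's, and not part of the original page) covering the property notes above and the sample request: a pre-flight linter that flags the settings the page warns about (an ldap:// URL, a WINDOWS store missing domainControllerAddress or domainControllerMapping, userSSLOnly left unset so a failed LDAPS connection falls back to clear-text LDAP, a plain-text userPassword), a builder that encodes the same form body as the sample request, and a check of the documented success response. The endpoint path, parameter and property names are the ones documented above; the sample configurations are constructed for the example and the function names are my own. No network call is made.

```python
# Added example, not Esri's code: pre-flight checks and request building for
# updateIdentityStore. Endpoint path and property names follow the page above;
# sample configurations are constructed; nothing here touches the network.
from __future__ import annotations

import json
from urllib.parse import parse_qs, urlencode

UPDATE_PATH = "/context/admin/security/config/updateIdentityStore"


def _stringify_bools(config: dict) -> dict:
    """Send booleans as the strings "true"/"false", as the documented request does."""
    props = {k: (str(v).lower() if isinstance(v, bool) else v)
             for k, v in config.get("properties", {}).items()}
    return {**config, "properties": props}


def lint_store_config(config: dict, label: str) -> list[str]:
    """Return findings for one store config, based on the property notes above.

    label is the parameter name ("userStoreConfig" or "roleStoreConfig").
    """
    findings: list[str] = []
    store_type = config.get("type")
    props = _stringify_bools(config)["properties"]
    if store_type not in ("WINDOWS", "LDAP"):
        return [f"{label}: unexpected type {store_type!r}"]
    if props.get("isPasswordEncrypted") != "true":
        findings.append(f"{label}: userPassword is sent as plain text; "
                        "send this request only over HTTPS")
    for key in ("ldapURLForUsers", "ldapURLForRoles"):
        if str(props.get(key, "")).lower().startswith("ldap://"):
            findings.append(f"{label}: {key} uses ldap://, so directory traffic is clear-text")
    if store_type == "WINDOWS":
        for key in ("domainControllerAddress", "domainControllerMapping"):
            if not props.get(key):
                findings.append(f"{label}: {key} is required when type is WINDOWS")
        if props.get("userSSLOnly") != "true":
            findings.append(f"{label}: userSSLOnly is not 'true', so a failed LDAPS "
                            "connection falls back to clear-text LDAP")
    elif "userSSLOnly" in props:
        findings.append(f"{label}: userSSLOnly applies to Windows Active Directory only")
    return findings


def build_update_identity_store_request(user_store: dict, role_store: dict,
                                        token: str, fmt: str = "pjson"):
    """Return (path, headers, body) for the POST shown in the example usage.

    Token and userPassword travel in the body, not the URL, so they do not land
    in proxy or web-server access logs.
    """
    body = urlencode({
        "userStoreConfig": json.dumps(_stringify_bools(user_store)),
        "roleStoreConfig": json.dumps(_stringify_bools(role_store)),
        "f": fmt,
        "token": token,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Content-Length": str(len(body.encode("ascii")))}
    return UPDATE_PATH, headers, body


def decode_request_body(body: str) -> dict:
    """Inverse of the builder: decode the form body and its embedded JSON."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for key in ("userStoreConfig", "roleStoreConfig"):
        fields[key] = json.loads(fields[key])
    return fields


def response_succeeded(response_text: str) -> bool:
    """True only for the documented success response, {"status": "success"}."""
    try:
        return json.loads(response_text).get("status") == "success"
    except (ValueError, AttributeError):
        return False


# Constructed samples: WEAK mirrors the documented sample request's user store,
# HARDENED adds userSSLOnly and a pre-encrypted password, the LDAP store uses ldap://.
WEAK_USER_STORE = {"type": "WINDOWS", "properties": {
    "userPassword": "secret", "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount", "userFullnameAttribute": "displayName",
    "userEmailAttribute": "mail", "caseSensitive": "false",
    "domainControllerAddress": "10.50.4.36, 10.48.4.1",
    "domainControllerMapping": "uc.esri.com=10.50.4.134, 10.50.4.133; esri.com=10.50.4.36, 10.48.4.1",
}}
HARDENED_USER_STORE = {"type": "WINDOWS", "properties": {
    **WEAK_USER_STORE["properties"],
    "userPassword": "xxx", "isPasswordEncrypted": "true", "userSSLOnly": True,
}}
CLEARTEXT_LDAP_ROLE_STORE = {"type": "LDAP", "properties": {
    "user": "uid=admin,ou=system", "userPassword": "xxx", "isPasswordEncrypted": "true",
    "ldapURLForRoles": "ldap://bar2:10389/ou=roles,ou=ags,dc=example,dc=com",
}}

if __name__ == "__main__":
    for label, cfg in (("userStoreConfig", WEAK_USER_STORE),
                       ("userStoreConfig", HARDENED_USER_STORE),
                       ("roleStoreConfig", CLEARTEXT_LDAP_ROLE_STORE)):
        print(label, cfg["type"], lint_store_config(cfg, label) or ["ok"])
```

Run the linter on both halves of the request before posting, treat any finding about ldap:// or userSSLOnly as a blocker unless your directory genuinely offers no LDAPS, and keep the token and userPassword in the POST body over HTTPS as the sample request does.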