Update Identity Store | ArcGIS REST APIs

URL:: https://<root>/security/config/updateIdentityStore
Methods:: POST
Version Introduced:: 10.1

Access requirements

Required privileges

The Sever Administrator API requires privilege-based access. An administrator must be assigned a specific user privilege, or role, to access any given endpoint. Listed below are the user privileges or roles an administrator can be assigned that provides access to this endpoint. If multiple privileges are listed, only one needs to be assigned to gain access.

Security and infrastructure Servers

Note that administrators assigned a custom role must also have the administrative View all content privilege assigned to them to access the API directory as an administrator.

Tokens

This API requires token-based authentication. A token is automatically generated for administrators who sign in to the Server Administrator API directory's HTML interface. Tokens generated in this way are stored for the entirety of the session.

Those accessing the API directory outside of the HTML interface will need to acquire a session token from the generateToken operation in the Portal Directory API. For security reasons, all POST requests made to the Server Administrator API must include a token in the request body.

Learn how to generate a token

Description

The updateIdentityStore operation updates the location and properties for the user and role store in your ArcGIS Server site.

While the GIS server does not perform authentication when the authentication tier selected is WEB_ADAPTOR, it requires access to the role store for the administrator to assign privileges to the roles. This operation causes the SOAP and REST service endpoints to be redeployed (with the new configuration) on every server machine in the site, and therefore this operation must be used judiciously.

The table below describes the supported combinations for the user and role stores:

UserRoles	Built-in	Windows	LDAP
Built-in	Supported
Windows	Supported	Supported (same instance)
LDAP	Supported		Supported (same instance)

If your organization includes multiple LDAP servers, you can specify the additional servers using the failOverLDAPServers property. This allows you to configure your organization's highly-available LDAP with ArcGIS Server. When using the property, specify the LDAP server hostname followed by the server's port number. Separate this information with a colon (:), for example, hostname1:10636. To specify multiple LDAP servers, separate each server with a comma (,), for example, hostname1:10636,hostname2:10636.

Although both LDAP and LDAPS URLs are supported, LDAPS is highly recommended to ensure encrypted network traffic between the portal and LDAP server. If LDAPS is not available, an LDAP URL can be used but traffic will be sent in clear-text. Example usage for each are provided below.

Request parameters

Parameter Details

Parameter	Details
`userStoreConfig`	The JSON object representing the user store configuration.
`roleStoreConfig`	The JSON object representing the role store configuration.
`f`	The response format. The default response format is `html`. Values: `html` \| `json` \| `pjson`

userStoreConfig

The JSON object representing the user store configuration.

roleStoreConfig

The JSON object representing the role store configuration.

f

The response format. The default response format is html.

Values: html | json | pjson

Example usages

LDAPS (highly recommended)

The following is a sample POST request for the updateIdentityStore operation:

Use dark colors for code blocksCopy
POST /<context>/admin/security/config/updateIdentityStore HTTP/1.1
Host: organization.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

userStoreConfig={
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "userFullnameAttribute": "displayName",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "ldapURLForUsers": "ldaps://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "uid",
    "caseSensitive": "false",
    "userSearchAttribute": "dn",
  }
}&roleStoreConfig={
  "type": "LDAP",
  "properties": {
    "ldapURLForRoles": "ldaps://xxx:10636/ou=roles,ou=ags,dc=example,dc=com",
    "adminUserPassword": "aaa",
    "adminUser": "CN=aaa,ou=users,ou=ags,dc=example,dc=com",
    "memberAttributeInRoles": "uniquemember",
    "ldapURLForUsers": "ldaps://xxx:10636/ou=users,ou=ags,dc=example,dc=com",
    "rolenameAttribute": "cn",
    "usernameAttribute": "cn",
    "failOverLDAPServers": "hostname1:10636,hostname2:10636"
  }
}&f=pjson

LDAP

The following is a sample POST request for the updateIdentityStore operation:

Use dark colors for code blocksCopy
POST /<context>/admin/security/config/updateIdentitytStore HTTP/1.1
Host: organization.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

userStoreConfig={
  "type": "LDAP",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "uid=admin,ou=system",
    "userFullnameAttribute": "displayName",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "ldapURLForUsers": "ldap://ldapserver:10636/ou=users,ou=ags,dc=example,dc=com",
    "userEmailAttribute": "mail",
    "usernameAttribute": "uid",
    "caseSensitive": "false",
    "userSearchAttribute": "dn",
  }
}&roleStoreConfig={
  "type": "LDAP",
  "properties": {
    "ldapURLForRoles": "ldap://xxx:10389/ou=roles,ou=ags,dc=example,dc=com",
    "adminUserPassword": "aaa",
    "adminUser": "CN=aaa,ou=users,ou=ags,dc=example,dc=com",
    "memberAttributeInRoles": "uniquemember",
    "ldapURLForUsers": "ldap://xxx:10389/ou=users,ou=ags,dc=example,dc=com",
    "rolenameAttribute": "cn",
    "usernameAttribute": "cn",
    "failOverLDAPServers": "hostname1:10389,hostname2:10389"
  }
}&f=pjson

JSON Response example

Use dark colors for code blocksCopy
{"status": "success"}