Web-tier authentication

Web AppBuilder for ArcGIS (Developer Edition) supports ArcGIS Enterprise with web-tier authentication, such as IWA, PKI, and LDAP.

After signing in to a portal or server with web-tier authentication, you cannot sign out by clearing cookies or closing the tab page on the browser. The only way to sign out is to close your browser completely.

Since web-tier authentication doesn't support proxies, a request to such portal or server cannot and should not be sent by a proxy.

Limitations of web-tier authentication

Web AppBuilder (Developer Edition) running on IE8, IE9, and Safari on Windows does not support web-tier authentication.

Best practices

Keep the following in mind when working with web-tier authentication:

  • In your app's config.json file, if the portalUrl property points to a portal using web-tier authentication, set the isWebTier property to true.
  • If your widgets use resources from a portal or server with web-tier authentication, put the host server domain—with an existing port number if available—into the authorizedCrossOriginDomains array in your app's config.json file. For example, if the Query widget uses the REST services from an IWA-authenticated server and the URL is https://serveriwa.ags.esri.com/gis/rest/services/Test/MapServer, add serveriwa.ags.esri.com to the authorizedCrossOriginDomains array. If the URL is https://serveriwa.ags.esri.com:6443/arcgis/rest/services/Test/MapServer, add serveriwa.ags.esri.com:6443 to the authorizedCrossOriginDomains array.
  • At run time, if you programmatically access resources from a portal or server with web-tier authentication, call the addWithCredentialDomain method to add a single domain or the addAuthorizedCrossOriginDomains method to add multiple domains from the tokenUtils module in the jimu folder.
  • To work with ArcGIS Enterprise seamlessly, apply an SSL certificate for your ArcGIS Enterprise portal regardless of whether it's web-tier authenticated. Don't use a self-signed certificate, as it is easily blocked by the browser. Instead, apply a domain certificate or a worldwide certificate if you can.