Configure iShare GIS Security using AD FS

Note

This document has now been superseded by Integrate iShare GIS with ADFS


iShare GIS interrogates Active Directory to identify users' access to iShare roles. If the iShare GIS installation sits outside the Active Directory domain, this interrogation cannot take place. The replacement mechanism is Active Directory Federation Services (AD FS), which is designed to allow single sign-on access to systems across organisation boundaries.

Users access the iShare GIS application through Internet Explorer. Their domain user account and authentication details are passed to the iShare GIS Web Server which uses this information to query the client AD FS server. The AD FS server returns Roles and Groups information for each user. These roles relate to local Windows groups on the iShare GIS server and thus allow iShare GIS to control access to the mapsources / profiles.

For instance, a client Active Directory may contain two security groups:

  • iSHARE-USERS-GROUP
  • iSHARE-ADMIN-GROUP

Through the AD FS configuration, these two security groups are mapped to two local groups on the iShare GIS server.

  • iSHARE-USERS-GROUP is mapped to an iShareUsers local group
  • iSHARE-ADMIN-GROUP is mapped to an iShareAdmin local group

AD FS management is able to include users in either of the two Active Directory security groups. The iShare GIS administrator is able to create roles in Studio, using the Roles Editor, that link to the local groups, and then assign those roles to the Map Sources. To introduce further groups, additional security groups should be created in Active Directory and mapped to a chosen local group in AD FS. The iShare GIS administrator can then create additional roles in Studio that link to the new local groups and apply them to the mapsources as required.