Hopefully this stops being flagged as too large. I removed all the
screenshots.

We got an answer from ESRI
  (note that for testing we removed security completely from SOME data)

> Yes, I found an enhancement request saying that ArcGIS Online should support
> OGC WMS that are secured at the layer-level, instead of only at the
> service-level.
> So, we are able to add the public services for /tiger/ows for example but
> there is no prompt for the secured layers (tiger_road). ArcGIS Online only
> supports WMS that secured at the service-level.
> ENH-000117903 - ArcGIS Online should support OGC WMS that are secured at
> the layer-level, instead of only at the service-level.
> This enhancement is attached to this case, you can find on this link:
> https://my.esri.com/#/support/bugs


His statement:  "ArcGIS Online only supports WMS that secured at the
service-level" is NOT supported by their documentation here:

Based on this (from ESRI Docs
<https://doc.arcgis.com/en/arcgis-online/reference/ogc.htm>) - we are using
basic authentication correct?

> Secure OGC services
> OGC WFS, WMS, and WMTS services secured with web-tier authentication, such
> as Integrated Windows Authentication (IWA), a public key infrastructure
> (PKI), Basic, or Digest access authentication, are supported. OGC WFS, WMS,
> and WMTS services secured with token-based authentication are not
> supported. Configure support for OGC services secured with web-tier
> authentication by adding the server hosting the services to your
> organization’s list of trusted servers
> <https://doc.arcgis.com/en/arcgis-online/administer/configure-security.htm#ESRI_SECTION1_70CC159B3540440AB325BE5D89DBE94A>.
> The server must support Cross-Origin Resource Sharing (CORS);
> otherwise, layers hosted on the server will not function as expected in
> ArcGIS Online. Additionally, CORS must be configured to allow the specific
> domains
> <https://enterprise.arcgis.com/en/server/latest/administer/windows/restricting-cross-domain-requests-to-arcgis-server.htm>
> that will be used to communicate with the server, such as your ArcGIS Online
> organization domain.
> Once you've added the server to the list of trusted servers, you can add
> your OGC services to Map Viewer Classic or as an item. If authentication
> is necessary, users adding or viewing secured OGC layers will be prompted
> to enter their credentials.



For testing I changed the GeoServer configuration to require an
authenticated user at:
Service access rules list
And removed the rule that only authenticated users could read from:
Data Security

*However I am not convinced that this is actually accurate information from
ESRI*. I can still not access the service from AGOL.

Vera


On Mon, May 31, 2021 at 1:38 PM Vera Green <vera.green...@gmail.com> wrote:

> Reply from ESRI:
>>
>> This is  Esri Canada Technical Support, I understand that you have
>> questions about secured OGC services in ArcGIS Online.
>> OGC WFS, WMS, and WMTS secured services are supported in ArcGIS Online
>> with the following authentication types:
>> - Web-tier authentication, such as Integrated Windows Authentication
>> (IWA), a public key infrastructure (PKI), Basic, or Digest access
>> authentication.
>>  OGC WFS, WMS, and WMTS services secured with token-based authentication
>> are not supported.
>> Additional information about the settings required for the supported
>> scenarios you can find here:
>> https://doc.arcgis.com/en/arcgis-online/reference/ogc.htm
>
>
> We have informed them that we are using Basic authentication.
>
> Vera
>
> On Mon, May 31, 2021 at 11:42 AM Vera Green <vera.green...@gmail.com>
> wrote:
>
>> Edited to make it <500Kb
>>
>> On Mon, May 31, 2021 at 11:17 AM Vera Green <vera.green...@gmail.com>
>> wrote:
>>
>>> Using the challenge catalogue mode is not an option as in production we
>>> do not want to advertise our layer names in the layer preview to
>>> unauthenticated users.
>>> That being said I did test this and unfortunately it does not change the
>>> outcome:
>>>
>>>    - secured layers appear in the layer list
>>>    - secured layers can be added to the map
>>>    - secured layers do NOT appear on the map and developer tools say
>>>    401: Failed to load resource: the server responded with a status of
>>>    401 ()
>>>
>>> Thank you for your assistance, much appreciated.
>>> Vera
>>>
>>> On Sun, May 30, 2021 at 11:43 AM Andrea Aime <
>>> andrea.a...@geo-solutions.it> wrote:
>>>
>>>> Did you try setting security to challenge?
>>>> AGOL should be seeing all the layers in the caps then, and receive an
>>>> auth challenge when trying to access a secured one
>>>>
>>>> Cheers
>>>> Andrea
>>>>
>>>> On Sun, May 30, 2021, 19:03 Vera Green <vera.green...@gmail.com>
>>>> wrote:
>>>>
>>>>> Thank you so much for checking into this. We have sent ESRI a help
>>>>> request as well and I will let you know what, if anything they come back
>>>>> with.
>>>>> See comments inline, unfortunately this does not work unless I remove
>>>>> the security in which case I can see all the unsecured layers. So this is
>>>>> definitely an issue with AGOL not asking for credentials and not using the
>>>>> optional parameters.
>>>>>
>>>>> Details:
>>>>>
>>>>> Test 1 (no workspace) and 2 (with workspace).  This makes sense but
>>>>> unfortunately AGOL does not request credentials it says:
>>>>>
>>>>>
>>>>> Then when I add credentials as optional parameters it gets the
>>>>>  GetCapabilities but can't decipher the layers.
>>>>>
>>>>> When I do the same thing with:
>>>>> https://subdomain.domain.com/geoserver/tiger/wms?SERVICE=WMS&REQUEST=GetCapabilities&VERSION=1.1.1
>>>>> I again get the error and with credentials as optional parameters I
>>>>> still get the SAME error.
>>>>>
>>>>> However when I request this in just a browser (incognito):
>>>>> https://subdomain.domain.com/geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities&VERSION=1.1.1
>>>>> I get the xml (It does NOT ask for credentials which is odd.)
>>>>>
>>>>> BUT when I ask for this:
>>>>> https://subdomain.domain.com/geoserver/tiger/wms?SERVICE=WMS&REQUEST=GetCapabilities&VERSION=1.1.1
>>>>> I get the authentication request as I would expect.
>>>>>
>>>>> Then I thought maybe it is the global layer rule that is the issue so
>>>>> I changed the permissions to be like this:
>>>>>
>>>>> Now I CAN see the layers in AGOL BUT only the unsecured ones. Still
>>>>> not able to see the secured layers, even with the user parameters.
>>>>>
>>>>> I really appreciate your help,
>>>>> Vera
>>>>>
>>>>>
>>>>> On Fri, May 28, 2021 at 7:46 AM Christian R. Picone <
>>>>> christian.pic...@geo-solutions.it> wrote:
>>>>>
>>>>>> Hi Vera,
>>>>>>
>>>>>>  when AGOL makes the request against GeoServer it should use its
>>>>>> proxy (if it is not in the trusted server list).
>>>>>>
>>>>>> This URL seems correct:
>>>>>>
>>>>>> https://www.arcgis.com/sharing/proxy?https://subdomain.domain.com/geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities&VERSION=1.1.1
>>>>>>
>>>>>> Now, GeoServer should answer with 401 code because the resources are
>>>>>> protected and the catalogue mode is set to MIXED.
>>>>>>
>>>>>> Receiving this HTTP code the browser should show you the
>>>>>> username/password window.
>>>>>>
>>>>>>
>>>>>> 1) Please, can you try to use AGOL with a new session of the browser
>>>>>> (better if in incognito mode)?
>>>>>>
>>>>>> 2) [After test 1].
>>>>>>
>>>>>> Can you create a workspace (in GeoServer) with some layers and
>>>>>> protect it?
>>>>>>
>>>>>> Then, can you try to add in AGOL that workspace using:
>>>>>>
>>>>>> https://subdomain.domain.com/geoserver/<yourworkspace>/wms
>>>>>>
>>>>>> (remember to use a new session or to open a new incognito tab in your
>>>>>> browser).
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Christian R. Picone
>>>>>>
>>>>>> Dott. Christian R. Picone
>>>>>> Senior Project Manager
>>>>>> GeoSolutions Italy
>>>>>>
>>>>>> On 28/05/2021 12:59, Simone Giannecchini wrote:
>>>>>>
>>>>>> Hi Vera,
>>>>>> I have asked @Christian Picone (GMail)
>>>>>> <christian.pic...@geo-solutions.it> (the guy who wrote that blog
>>>>>> post) to check what's going on.
>>>>>> Let's see what he finds out.
>>>>>>
>>>>>> Regards,
>>>>>> Simone Giannecchini
>>>>>> Ing. Simone Giannecchini
>>>>>> Founder/Director
>>>>>> GeoSolutions
>>>>>>
>>>>>> On Wed, May 26, 2021 at 2:21 AM Vera Green <vera.green...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> We have done that step yes. We double checked and we are still
>>>>>>> getting the same issue when it is added as a trusted server.
>>>>>>> Thanks,
>>>>>>> Vera
>>>>>>>
>>>>>>> ---------- Forwarded message ---------
>>>>>>> From: Nedim Oren <nedim.o...@gmail.com>
>>>>>>> Date: Tue, May 25, 2021 at 5:20 PM
>>>>>>> Subject: Re: [Geoserver-users] Help reading GeoServer WMS from AGOL
>>>>>>> To: Vera Green <vera.green...@gmail.com>
>>>>>>> Cc: GeoServer Mailing List List <
>>>>>>> geoserver-users@lists.sourceforge.net>
>>>>>>>
>>>>>>>
>>>>>>> Hi Vera,
>>>>>>>
>>>>>>> You may want to try adding your server as a trusted server in
>>>>>>> AGOL's security settings. A few years back, when I was experimenting
>>>>>>> with the same idea, adding our server as a trusted server in AGOL
>>>>>>> solved our problem. Hope this will help.
>>>>>>>
>>>>>>>
>>>>>>> https://doc.arcgis.com/en/arcgis-online/administer/configure-security.htm
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> N.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, May 25, 2021 at 7:04 PM Vera Green <vera.green...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>> We are trying to read our GeoServer data from AGOL and are
>>>>>>>> following this guide:
>>>>>>>> https://www.geosolutionsgroup.com/news/gs-secured-with-agol/
>>>>>>>>
>>>>>>>> Environment:
>>>>>>>> GeoServer Version: 2.18.3
>>>>>>>> Running as Tomcat web app
>>>>>>>> Proxied over apache2 and using openSSL
>>>>>>>> on Ubuntu 20
>>>>>>>>
>>>>>>>> We definitely have CORS and https enabled.
>>>>>>>> Our security is fairly basic, we are just trying to get this to
>>>>>>>> work from our development server which is mostly the default security
>>>>>>>> settings with the following change:
>>>>>>>>
>>>>>>>> Data Security set to
>>>>>>>> *.*.r - ROLE_AUTHENTICATED
>>>>>>>> catalogue Mode: Mixed
>>>>>>>>
>>>>>>>> I consistently get a 401 error:
>>>>>>>>
>>>>>>>> VM659:1 GET https://www.arcgis.com/sharing/proxy?https://subdomain.domain.com/geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities&VERSION=1.1.1
>>>>>>>> 401
>>>>>>>>
>>>>>>>> When I add the credentials as optional parameters I get through
>>>>>>>> and I can successfully read the get Capabilities document (from
>>>>>>>> developer tools in the browser)
>>>>>>>>
>>>>>>>>
>>>>>>>> I DO NOT get an error when accessing:
>>>>>>>> https://subdomain.domain.com/geoserver/wms?
>>>>>>>>
>>>>>>>> However I do NOT get a list of layers either.
>>>>>>>>
>>>>>>>> Referring to the guide:
>>>>>>>> This does NOT occur, but I am able to get around this with the
>>>>>>>> Custom parameters:
>>>>>>>>
>>>>>>>> However I do not get a list of layers.  This does NOT happen
>>>>>>>>
>>>>>>>>
>>>>>>>> If anyone has experience with this any advice is much appreciated.
>>>>>>>>
>>>>>>>> Thanks in advance,
>>>>>>>> Vera
>>>>>>>>
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, by Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
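
An added example, not part of the original thread and not GeoServer or ESRI code: a small Python check for the three things the messages above test by hand, namely which layers an anonymous WMS 1.1.1 GetCapabilities omits, whether the 401 on a secured layer carries a Basic challenge, and whether the CORS header names the ArcGIS Online origin. The capabilities documents, layer names, realm and origin are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET


def sample_caps(names):
    """Build a constructed WMS 1.1.1 capabilities document (no DTD)."""
    inner = "".join(f"<Layer><Name>{n}</Name></Layer>" for n in names)
    return ("<WMT_MS_Capabilities version='1.1.1'><Capability><Layer>"
            f"<Title>GeoServer WMS</Title>{inner}</Layer></Capability>"
            "</WMT_MS_Capabilities>")


def layer_names(caps_xml):
    """Names of every named <Layer> in a WMS 1.1.1 capabilities document."""
    root = ET.fromstring(caps_xml)
    # The root <Layer> is only a container and has no <Name> of its own.
    return {lyr.findtext("Name") for lyr in root.iter("Layer")
            if lyr.findtext("Name")}


def diagnose(anon_caps, auth_caps, status, headers, origin):
    """Summarise what an anonymous browser client gets from the server.

    anon_caps / auth_caps: capabilities fetched without and with credentials.
    status / headers: the reply to an anonymous request for a secured layer.
    origin: the web client's origin that CORS is expected to allow.
    """
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    # Layers listed only after login are hidden from anonymous clients.
    hidden = sorted(layer_names(auth_caps) - layer_names(anon_caps))
    # A browser only shows a login prompt for a 401 that names a scheme.
    scheme = hdrs.get("www-authenticate", "").split(" ", 1)[0].lower()
    return {
        "hidden_from_anonymous": hidden,
        "basic_challenge": status == 401 and scheme == "basic",
        # The ESRI text quoted above asks for the specific domain to be allowed.
        "cors_names_origin": hdrs.get("access-control-allow-origin") == origin,
    }


if __name__ == "__main__":
    origin = "https://example.maps.arcgis.com"  # placeholder organisation domain
    anon = sample_caps(["tiger:poi"])  # constructed layer names
    auth = sample_caps(["tiger:poi", "tiger:tiger_roads"])
    reply = {"WWW-Authenticate": 'Basic realm="constructed"'}  # no CORS header
    print(diagnose(anon, auth, 401, reply, origin))
```
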
