As a SharePoint site collection administrator, you are responsible for configuring ArcGIS Maps for SharePoint. To begin, you generate an encryption key that ensures that the ArcGIS credentials used to configure the map are stored securely; if you chose to use SSS during installation, this is done automatically; otherwise, you must manually generate a key. You then specify the URL for your ArcGIS Online organizational account or ArcGIS Enterprise instance. Finally, you specify the ArcGIS named user account used to validate the map and charge credits consumed by the ArcGIS Maps for SharePoint workflows (Locate and Connect). You can also optionally set options for the Esri User Experience Improvement program here.
The ArcGIS named user account specified during configuration is used to generate an app item in ArcGIS Online or ArcGIS Enterprise. This app item is used for the following purposes:
- Generate an app token used by the ArcGIS Maps Locate workflow and ArcGIS Location field
- Generate an app token to allow guest users to view the map web part
- The app item's ID is used for OAuth 2.0 authentication for named users
When the ArcGIS credentials are set, users can view the map as guests, without needing to sign in to ArcGIS. Guest users have limited access to the map; in addition to viewing publicly shared SharePoint content and publicly shared ArcGIS content that has been added to the map, guest users can pan and zoom the map, turn layers on and off, and view pop-ups, but most functionality is restricted to viewing only. In addition, the ArcGIS Maps Locate workflow is limited to using only public geocoders and publicly shared feature layers. To fully interact with the map, users must sign in to ArcGIS using a named user account.
After you complete the app configuration, users can sign in as the named user in the ArcGIS Maps web part, using their own user credentials. Any credits consumed by the app (for example, driving routes, infographics, etc.) are charged to the user's account.
Important: ArcGIS Maps for SharePoint supports different authentication methods; these procedures describe how to configure the app with the default OAuth 2.0 authentication. For other authentication methods, see Configure enterprise logins.
Access ArcGIS Maps for SharePoint app configuration
You must be a SharePoint site collection administrator to access the ArcGIS Maps for SharePoint administration menu and configure the app.
- Browse to the Site Settings page of the site.
- Under the ArcGIS Maps for SharePoint Administration heading, click Configuration Settings.
If you receive an "Access denied" message when you open the App Configuration page, you do not have site collection administrator privileges. Only site collection administrators can perform the app configuration.
Generate an encryption key
Before you can configure ArcGIS Maps for SharePoint, you must generate an encryption key. This key ensures that the ArcGIS credentials used to configure the app are stored securely.
By default, ArcGIS Maps for SharePoint uses the Secure Store Service (SSS) to secure ArcGIS credentials. An encryption key is generated within a target application and stored in SSS, and all site collections will use this encryption key to secure ArcGIS credentials. If you don't want to use SSS, you can choose to manually generate an encryption key after installation. Using SSS is the recommended setting for enhanced security.
During installation, a target application is automatically created with the ID "arcgismapsforsharepoint". SharePoint farm administrators can manually create other target applications for this purpose if desired.
Create an SSS target application (optional)
During installation, if you choose to use Secure Store Service to secure ArcGIS credentials, ArcGIS Maps for SharePoint automatically creates a target application in the Secure Store Service, with the ID "arcgismapsforsharepoint". All site collections are configured by default to use this target application.
In some cases, the SharePoint farm administrator may want to manually create a different target application. Some reasons for creating a manual target application include:
- The site collection administrator wants to use a dedicated target application for increased security.
- The ArcGIS Maps for SharePoint installer failed to properly create the default target application.
To manually create an SSS target application, do the following:
- On the Central Administration home page, in the Application Management section, click Manage service applications.
- Click the Secure store service application.
- Click New to create a new target application.
- Type a string in the Target Application ID field.
This value will be required during ArcGIS Maps for SharePoint configuration.
- Provide a valid contact email address and set the Target Application Type to Group.
- Click Next.
- Remove the default username and password fields and click Add field. Type a field name and set the field type to Key. Check the Masked check box and click Next to continue.
- Set the web application pool account to be both administrator and member.
The application pool runs the web application that owns the SharePoint web application in which the ArcGIS Maps for SharePoint site collection is activated.
Be sure to add the web application pool identity user to the member group, not the SharePoint site collection administrator; otherwise, you may receive an Access Denied error.
- Click OK to finish creating the target application.
- After the target application is created, select it and click Set in the Central Administration application's ribbon to set the encryption key for ArcGIS Maps for SharePoint.
- In the Set credentials window, type a value in the ekey field, then type it again to confirm.
You do not need to memorize this key.
- Click OK to finish.
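The same procedure scripted for the SharePoint Management Shell, as an added example that is not Esri's or this page's own code. The site URL, target application ID, contact address and service account are placeholders; it assumes the field is named ekey (as in the Set credentials step) and that a random Base64 string is an acceptable key value.

```powershell
# Added example: scripted equivalent of the manual SSS target application steps.
# Run as a farm administrator on a SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# Placeholders (assumptions, replace with your own values).
$siteUrl     = 'https://sharepoint.example.com'   # site in the target web application
$appId       = 'arcgismaps-dedicated'             # Target Application ID to type into App Configuration
$contact     = 'sp-admin@example.com'
$poolAccount = 'EXAMPLE\svc-sp-webapp'            # web application pool identity

$ctx = Get-SPServiceContext -Site $siteUrl

# One masked field of type Key replaces the default username/password fields.
$field = New-SPSecureStoreApplicationField -Name 'ekey' -Type Key -Masked:$true

# Target Application Type is Group, as in the manual procedure.
$target = New-SPSecureStoreTargetApplication -Name $appId `
    -FriendlyName 'ArcGIS Maps for SharePoint encryption key' `
    -ContactEmail $contact -ApplicationType Group

# The application pool identity is both administrator and member,
# not the site collection administrator.
$pool = New-SPClaimsPrincipal -Identity $poolAccount -IdentityType WindowsSamAccountName
$app  = New-SPSecureStoreApplication -ServiceContext $ctx -TargetApplication $target `
    -Fields $field -Administrator $pool -CredentialsOwnerGroup $pool

# Nobody has to memorize the key, so generate 256 random bits
# instead of typing a value by hand.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
$ekey = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
[Array]::Clear($bytes, 0, $bytes.Length)

# Equivalent of clicking Set in the ribbon and entering the ekey value.
Update-SPSecureStoreGroupCredentialMapping -Identity $app -Values $ekey

# Confirm the target application now exists in the Secure Store Service.
Get-SPSecureStoreApplication -ServiceContext $ctx -Name $appId | Out-Null
Write-Host "Target application '$appId' created and encryption key set."
```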
Use Secure Store Service
If you chose Use SSS during installation, the ArcGIS Maps App Configuration page shows the target application ID that was automatically created during installation (arcgismapsforsharepoint). The encryption key is saved in this target application and there is no need to manually create one. All related site collections will use this key to secure the ArcGIS credentials used to access content hosted on ArcGIS Online or ArcGIS Enterprise.
- By default, ArcGIS Maps for SharePoint automatically creates a target application in the Secure Store Service, with the ID "arcgismapsforsharepoint". If your SharePoint farm administrator has manually generated a different target application ID, type it in the Target application field and click Test connection.
A green check mark beside the field indicates that the connection is working.
If the target application is not found, a red X and error message appear. Ask your SharePoint farm administrator to verify the target application ID and try again.
- When the connection is valid, click Set to start using the encryption key stored in the target application.
In case of a security breach, the SharePoint farm administrator can use the Central Administration application to reset the encryption key stored in the target application. This will invalidate all existing ArcGIS credentials that were secured by the target application and all site administrators will need to reconfigure ArcGIS credentials for their own site collections.
Manually generate an encryption key
If you chose Do not use SSS during installation, you'll need to manually generate an encryption key for this site collection. This encryption key is stored within the site collection and is not as secure as using SSS. You should use this option only if SSS is not available.
- In the Encryption key section of the configuration page, click the Generate your own encryption key radio button.
- Type a passphrase in the Passphrase field.
The passphrase must contain at least 6 characters, of which at least one must be a numerical digit, and one uppercase character (for example, passWord1).
Important: Both the passphrase used to generate the encryption key and the username and password for the ArcGIS account are case-sensitive.
- Retype the passphrase to confirm.
- Click Create key.
A message appears, stating that the encryption key was successfully generated.
- To generate a new key, click Refresh key.
- Type the passphrase you entered previously and click Refresh.
The encrypted credentials are re-encrypted using the new key and the old key is discarded.
- To generate a new key with a different passphrase, click New key and follow the steps outlined at the beginning of this workflow.
After you generate an encryption key, you can securely set the remaining app configuration settings.
Set the ArcGIS connection URL
- In the ArcGIS or Portal URL field, type the URL for your ArcGIS Online organization or ArcGIS Enterprise instance.
- If you are connecting directly to ArcGIS Online (meaning your instance has no subdomain), leave the default setting of http://www.arcgis.com.
To configure ArcGIS Maps for SharePoint to work with SSL-secured sites, change the ArcGIS connection URL from HTTP to HTTPS.
If you are working in a disconnected environment, such as when your internal network is behind a firewall, set this value to point to your ArcGIS Enterprise instance. For example: https://<portalname>/<instance>.
- Click Test connection.
A green check mark beside the field indicates that the connection is valid.
If the URL is not found, a red X and error message appear. Verify the URL and try again.
- When the connection is valid, click Set to confirm the URL.
Set the ArcGIS credentials
ArcGIS Maps for SharePoint uses a single ArcGIS named user account to create an app item in ArcGIS Online or ArcGIS Enterprise. This app item is used to generate an app token used to run the ArcGIS Maps Locate workflow and charge credits consumed by the ArcGIS Maps for SharePoint workflows (Locate and Connect), and by the ArcGIS Location field. It also uses this account to enable limited use for guest access.
The app item is protected in ArcGIS Online or ArcGIS Enterprise.
- In the ArcGIS credentials section, click Set.
- Under the App Configuration heading, click Set Credentials.
- Type the username and password for the ArcGIS named user account.
Both the username and password are case-sensitive.
- Click OK.
The App Configuration pane shows the user account currently specified.
- To change the ArcGIS credentials to use a different account, click Delete.
The ArcGIS sign in window opens.
- Sign in using the credentials used when the account was initially set and click Sign in.
The saved ArcGIS credentials are purged and the app item is removed from the ArcGIS Maps configuration.
- Click Set to specify a new ArcGIS named user account.
- To enable guest access by default, check the Start session with guest signed in by default check box.
If this option is unchecked, users will see a message on the map offering a choice of signing in to ArcGIS or continuing as a guest. If this option is checked, users automatically access the map as guests. Guests can click Sign in above the map title bar at any time to sign in with their named user account.
Guest users have limited access to the ArcGIS Maps Web Part. In addition to viewing SharePoint content and publicly shared ArcGIS content that has been added to the map, guest users can pan and zoom the map, turn layers on and off, and view pop-ups, but most functionality is restricted to viewing only. To fully interact with the map, users must sign in to ArcGIS using a named user account.
All map authoring tasks and activities that consume ArcGIS credits, such as adding maps to SharePoint pages, adding ArcGIS layers to those maps, geoenabling SharePoint lists, adding geoenabled layers to maps and layers, changing styling options, and so on, require a named user account.
Set Esri User Experience Improvement options
Optionally participate in the Esri User Experience Improvement (EUEI) program. Check this box to provide anonymous information about your system and how you use ArcGIS Maps for SharePoint. Clear the box to opt out of the program. For more information, see Esri User Experience Improvement.
Troubleshoot App configuration
If you're using Internet Explorer and the Sign In window appears but is blank, try the following:
- On the Internet Explorer Internet Options dialog box, click the Security tab and choose Trusted Sites.
- Check Enable Protected Mode.
- Click the Sites button and add https://*.arcgis.com or your ArcGIS Enterprise portal address.
- Restart Internet Explorer.
- If you have ArcGIS Enterprise configured with SAML, you'll need to sign in to App Configuration using a built-in user, change the credentials, and sign in using the SAML username and password.
- Use Firefox or Chrome when setting the App Configuration credentials on SharePoint 2010 for IWA, PKI, or LDAP portals. When using Firefox, first navigate to the portal itself and make sure to add the exception to trust the portal.
- If you receive the following message: "Unable to obtain master key," follow the steps below to generate a key within the SharePoint Secure Store service:
- On the Central Administration home page, in the Application Management section, click Manage service applications.
- Click the Secure Store Service link.
- Click Generate New Key.