Tip:
Visit ArcGIS Trust Center for more in-depth security, privacy, and compliance information.
- Confirm that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure enabled.
- At the top of the site, click Organization and click the Settings tab.
- Click Security on the side of the page.
- Configure any of the following security settings:
Policies
Sharing and searching
Change any of the following sharing and search settings as needed:
- Members who are not administrators can make their content, groups, and profile public—Enable this option to allow members to make their profile or groups visible to everyone (public), share their web apps and other items with the public, and embed their content or groups in websites. If you disable this option, default administrators and members assigned the administrative privilege to share member content with the public can still make other members' content, groups, and profiles public.
- Show social media links on item and group pages—Enable this option to include links to Facebook and X on item and group pages.
Sign-in policy
Configure a password policy and lockout settings as required for your organization.
Password policy
When members change their passwords, they must conform to the organization's policy. If they don't, a message appears with the policy details. The password policy of the organization does not apply to organization-specific logins, such as SAML logins, or app credentials that use app IDs and app secrets.
Lockout settings
Logins
You can also customize the order in which the login methods appear on the organization's sign-in page. To reorder a login method, click its handle and drag it to a new position. Click Preview to see what the sign-in page will look like.
Use the New OpenID Connect login button to configure OpenID Connect logins if you want members to sign in using your organization's existing OpenID Connect identity provider.
Create a custom sign-in category
You can customize your organizational sign-in experience by using custom sign-in categories. Once you create a custom sign-in category, OAuth 2.0 applications managed in your organization can inherit these categories or can have their own sign-in categories.
To create a custom sign-in category for your organization, complete the following steps:
- Confirm that you are signed in as a member with the default administrator role or as a member with a custom role with the administrative privilege to manage security settings.
- Click Security on the Settings tab of your organization page.
- Turn on the Allow customization of the sign-in experience for your organization and OAuth 2.0 applications toggle button. This option is disabled by default.
- Click Create a custom sign-in category.
Note:
You can configure a maximum of 100 custom sign-in categories.
The Create sign-in category pane appears.
- Optionally, in the Choose how to start pane, you can choose a category other than the Organizational default option. Click the drop-down arrow under Select a sign-in category to start from and choose an option.
- Click Next.
- Provide a title and description in the Title and Description fields, respectively, for your category.
The title you choose will appear as an option under Select account type when a user signs in to the organization.
- Click Next.
- Optionally, use the Login types pane to enable access to login categories and alter the Title of login categories once they are enabled.
At least one login method must be enabled to create a category.
Tip:
Uncheck the box next to Enable sign-in category if you want to set up the category but are not ready for users to sign in with the category. You can enable the category by turning on the toggle button next to the category name in the Custom sign-in section of the Security section in your organizational settings.
- Click Create category.
Note:
Once you create and enable a custom sign-in category, the organizational default will not appear when users sign in to the organization.
The category appears under the Custom sign-in section of the Security section in your organizational settings.
- Optionally, click Preview sign-in page to see what users will see when they sign in. To update the custom sign-in category, click Configure.
Multifactor authentication
Organizations that want to allow members to set up multifactor authentication for signing in to ArcGIS can turn on the Enable multifactor authentication for organization toggle button.
Tip:
Members who enable multifactor authentication have a check mark in the Multifactor Authentication column of the member table on the Members tab on the Organization page.
If you enable multifactor authentication for your organization, you must designate at least two administrators who will receive email requests to disable multifactor authentication as needed on member accounts. At least two administrators are required to ensure that at least one will be available to help members with any multifactor authentication issues.
Multifactor authentication must be disabled to access apps without OAuth 2.0 support. This includes geocoding and geoprocessing services that perform routing and elevation analysis. Multifactor authentication must also be disabled when storing credentials with Esri premium content.
Enforce multifactor authentication
When multifactor authentication is enforced, members with ArcGIS logins will be required to set up multifactor authentication for their accounts in order to sign in. Members will no longer be able to disable multifactor authentication for their own account, and they must contact their administrator to reset their multifactor authentication settings.
Disabling multifactor authentication enforcement allows members to disable multifactor authentication for their own account and does not disable multifactor authentication for members that have it set up. They will continue to be prompted to sign in using multifactor authentication.
Administrators can also exempt members using ArcGIS logins from being required to set up multifactor authentication in order to sign in. Members on the exemption list can enable and disable multifactor authentication for their own account through their settings page.
Note:
Enforcing multifactor authentication signs out any members with ArcGIS logins who have not yet enabled multifactor authentication, interrupting all ongoing work and processes. Reach out to your members in advance to give them enough time to set up multifactor authentication before enabling multifactor authentication enforcement. To avoid unwanted disruptions, you can temporarily add members to the multifactor authentication exemption list.
Follow these steps to enforce multifactor authentication:
- Confirm that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure.
- At the top of the site, click Organization and click the Settings tab.
- Under Security, click Enforce MFA.
Tip:
Optionally, you can click Manage exemption list to add any users that will retain the ability to enable or disable multifactor authentication. If multifactor authentication is not enforced, the exemption list will have no effect. Click Save when finished.
A window appears.
- Click Enforce.
An MFA enforcement is currently in effect label appears in the security settings under MFA Enforcement.
- To disable multifactor authentication enforcement, click Disable MFA enforcement. To manage the exemption list, click Manage exemption list.
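Because enforcement signs out members with ArcGIS logins who have not set up multifactor authentication, it helps to work out who is affected before clicking Enforce. The following is an added example, not Esri code: the member list, its column names, and the exemption and administrator lists are constructed for illustration and do not represent an ArcGIS export format.

```python
import csv
import io

# Constructed member list; column names are assumptions, not an ArcGIS format.
MEMBERS_CSV = """username,login_type,mfa_enabled
avery,arcgis,yes
blake,arcgis,no
casey,saml,no
devon,arcgis,no
svc_batch,arcgis,no
"""
EXEMPT = {"svc_batch", "former_user"}   # planned exemption list (constructed)
MFA_ADMINS = ["avery"]                  # admins designated for MFA disable requests


def enforcement_impact(members_csv, exempt, mfa_admins):
    """Predict the effect of enforcing MFA using the rules stated on this page."""
    signed_out = []
    unknown_exemptions = set(exempt)
    for row in csv.DictReader(io.StringIO(members_csv)):
        user = row["username"]
        unknown_exemptions.discard(user)
        if row["login_type"] != "arcgis":
            continue  # enforcement applies to members with ArcGIS logins only
        if row["mfa_enabled"] == "yes":
            continue  # already set up, keeps signing in with MFA
        if user in exempt:
            continue  # exempt members are not required to set up MFA
        signed_out.append(user)  # signed out until MFA is set up
    return {
        "signed_out": signed_out,
        # Exemption entries that match no member, worth cleaning up.
        "unknown_exemptions": sorted(unknown_exemptions),
        # At least two designated administrators are required.
        "enough_admins": len(set(mfa_admins)) >= 2,
    }


if __name__ == "__main__":
    for key, value in enforcement_impact(MEMBERS_CSV, EXEMPT, MFA_ADMINS).items():
        print(f"{key}: {value}")
```

Members listed under `signed_out` are the ones to contact in advance or to place on the exemption list temporarily.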
Access notice
You can configure and display a notice of terms for users who access your site.
You can configure an access notice for organization members or all users who access your organization, or both. If you set an access notice for organization members, the notice is displayed after members sign in. If you set an access notice for all users, the notice is displayed when any user accesses your site. If you set both access notices, organization members see both notices.
To configure an access notice for organization members or all users, click Set access notice in the appropriate section, turn on the toggle button to display the access notice, and provide a notice title and text. Choose the Accept and Decline option if you want users to accept the access notice before proceeding to the site, or select OK only if you want users to only click OK to proceed. Click Save when finished.
Note:
HTML tags are not permitted in the access notice.
To edit the access notice for organization members or all users, click Edit access notice in the appropriate section and make changes to the title, text, or action button options. If you no longer want the access notice displayed, use the toggle button to disable the access notice. After disabling the access notice, the previously typed text and configuration will be retained if the access notice is re-enabled in the future. Click Save when finished.
Information banner
You can use information banners to alert all users who access your organization about your site's status and content.
To enable the information banner for your organization, click Set information banner and turn on Display information banner. Add text in the Banner text field and choose a background color and font color. A contrast ratio appears for the selected text and background color. Contrast ratio is a measure of legibility based on WCAG accessibility standards; a contrast ratio of 4.5 is recommended to adhere to these standards.
Note:
HTML tags are not permitted in the information banner.
You can preview the information banner in the Preview pane. Click Save to add the banner to your organization.
To edit the information banner, click Edit information banner and make changes to the banner text or styling. If you no longer want the information banner displayed, use the toggle button to disable the information banner. After disabling the information banner, the previously typed text and configuration will be retained if the information banner is re-enabled in the future. Click Save when finished.
Trusted servers
For Trusted servers, configure the list of trusted servers you want your clients to send credentials to when making Cross-Origin Resource Sharing (CORS) requests to access services secured with web-tier authentication. This applies primarily to editing secure feature services from a stand-alone (unfederated) server running ArcGIS Server or viewing secure Open Geospatial Consortium (OGC) services. ArcGIS Server hosting services secured with token-based security do not need to be added to this list. Servers added to the trusted servers list must support CORS. Layers hosted on servers without CORS support may not function as expected. ArcGIS Server supports CORS by default at versions 10.1 and later. To configure CORS on non-ArcGIS servers, refer to the vendor documentation for the web server.
The host names must be provided individually. Wildcards cannot be used and are not accepted. The host name can be provided with or without the protocol in front of it. For example, the host name secure.esri.com can be provided as secure.esri.com or https://secure.esri.com.
Allow origins
By default, ArcGIS REST API is open to CORS requests from web applications on any domain. If your organization wants to limit the web application domains that are allowed to access ArcGIS REST API through CORS, you must specify these domains explicitly. For example, to restrict CORS access to web applications on acme.com only, click Add, type https://acme.com in the text box, and click Add domain. You can specify up to 100 trusted domains for your organization. It's not necessary to specify arcgis.com as a trusted domain, as applications running on the arcgis.com domain are always allowed to connect to ArcGIS REST API.
Allow portal access
Configure a list of portals (for example https://otherportal.domain.com/arcgis) with which you want to share secure content. This allows members of your ArcGIS Online organization to use their organization-specific logins (including SAML logins) to access the secure content when viewing it from these portals. This is only applicable for portals at ArcGIS Enterprise version 10.5 and later.
The portal URLs must be provided individually and must include the protocol. Wildcards cannot be used and are not accepted. If the portal being added allows both HTTP and HTTPS access, two URLs must be added for that portal (for example http://otherportal.domain.com/arcgis and https://otherportal.domain.com/arcgis). Any portal added to the list is validated first and, therefore, must be accessible from the browser.
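The entry rules for the trusted servers and portal lists can be checked before the values are typed into the settings page. The following is an added example, not Esri code: the function names and sample lists are constructed, and only the rules stated above are applied (no wildcards, one host per entry, protocol optional for trusted servers and required for portals, separate HTTP and HTTPS entries for a portal that allows both).

```python
from urllib.parse import urlsplit


def split_entry(entry):
    """Return (scheme, host, path); scheme is '' when no protocol was typed."""
    text = entry.strip()
    parts = urlsplit(text if "://" in text else "//" + text)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path.rstrip("/")


def check_trusted_server(entry):
    """Trusted servers: one host per entry, no wildcards, protocol optional."""
    problems = []
    if "*" in entry:
        problems.append("wildcards are not accepted")
    if any(sep in entry.strip() for sep in (",", ";", " ")):
        problems.append("host names must be provided individually")
    scheme, host, _ = split_entry(entry)
    if scheme not in ("", "http", "https") or not host:
        problems.append("not a host name or http(s) URL")
    return problems


def check_portals(entries):
    """Portal URLs: protocol required, no wildcards. Also returns the
    other-scheme URL for each portal that is listed under one scheme only."""
    findings, schemes_seen = {}, {}
    for entry in entries:
        problems = []
        scheme, host, path = split_entry(entry)
        if "*" in entry:
            problems.append("wildcards are not accepted")
        if scheme not in ("http", "https"):
            problems.append("portal URL must include the protocol")
        if not problems and host:
            schemes_seen.setdefault((host, path), set()).add(scheme)
        findings[entry] = problems
    unpaired = []  # needed only if the portal really allows both HTTP and HTTPS
    for (host, path), schemes in schemes_seen.items():
        if len(schemes) == 1:
            other = "http" if "https" in schemes else "https"
            unpaired.append(f"{other}://{host}{path}")
    return findings, unpaired


# Constructed lists; secure.esri.com and otherportal.domain.com are this page's examples.
TRUSTED = ["secure.esri.com", "https://secure.esri.com", "*.esri.com",
           "a.example.org, b.example.org"]
PORTALS = ["https://otherportal.domain.com/arcgis", "gis.example.org/portal"]
```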
Apps
You can specify which external apps can be accessed by organization members and, optionally, make approved web apps available to organization members in the app launcher. You can also specify a list of Esri apps that should be blocked from members to comply with regulations, standards, and best practices.
Approve apps
To give organization members access to other types of apps without a Request for Permissions prompt, you must specify a list of approved apps for the organization. Approved apps can include web, mobile, or native apps hosted in your organization or outside your organization. For access to external apps, you can also restrict member sign-in to only those apps added to the approved apps list.
Note:
Licensed apps automatically appear in the app launcher for members with appropriate licenses. For more information, see Manage apps in the app launcher.
Do the following to approve apps for access by organization members:
- Confirm that you are signed in as a default administrator or as a member of a custom role with the administrative privilege to manage security and infrastructure.
- At the top of the site, click Organization and click the Settings tab.
- Click Security on the side of the page and click Apps to move to the Apps section of the page.
- Under Approved apps, click Add approved app.
- Search for an app using one of the following methods:
- Search by name—When searching by app name, you can only find apps that are hosted in your organization.
- Select an app to approve.
- Optionally, if you selected a web app, turn off the Show in app launcher toggle button to hide the web app in the app launcher.
To show the web app in the app launcher, leave this toggle button turned on and follow the steps in Manage apps in the app launcher.
- Click Save to add the app to the approved apps list.
Blocked Esri apps
Blocked apps and capabilities are removed from the app launcher and their items cannot be created from the content page or from a web map. App items that are created before an app is blocked remain visible in the organization, but members cannot sign in to them. If a blocked app is shared with your organization, members cannot sign in and use the app.
Developer credentials
You can find a developer credential item by clicking Find API key, token, or client ID and entering a value. You can also click View API keys by expiration date to sort by a specific time period, such as a week or month.