Available Authentication Methods
The GENESIS system supports multiple authentication mechanisms, all backed by a common identity store. This means that, generally speaking, the same credentials work for GENESIS regardless of which mechanism you authenticate with. Which mechanisms are available depends on whether the device is connected to the GOA network or is connecting from the internet.
The supported authentication mechanisms are:
- Windows Authentication (devices on the GOA network, or otherwise able to authenticate with the GOA domain)
- ArcGIS Token Authentication (internet accessible; also covers anonymous access to public services)
- HTTP/Basic Authentication (internet accessible)
Windows authentication uses NTLM to present the GOA domain (or trusted-domain) identity of the user or device to the web service.
For Windows authentication there are actually two URLs. The first is reachable from AEP's Zone-1 network, or from any network zone that can reach AEP Zone-1, including GOA Zone-4. The second is reachable from any device that is connected to, and able to authenticate with, the GOA domain, even if that device cannot connect to the first directly. Other than the URL itself, the only difference is the network path taken. The second, internet-routed, endpoint is mainly useful for Zone-1 to Zone-1 access from other ministries; it carries a slight network performance penalty, so use the direct URL wherever it works.
Direct AEP Zone-1 URL
The Zone-1 Windows authentication web-service endpoint URL will perform better than the internet-routed one: it has fewer network hops, and NTLM is a multi-step handshake tied to the underlying connection, so every additional proxy in the path adds round trips and has to keep each client's connection pinned to the same backend for authentication to succeed. If this URL works for you, it is the better choice.
Internet-Routed URL
The internet-routed Windows authentication web-service endpoint URL works in scenarios where the direct URL does not. Most notably, an application hosted on a server in a Zone-1 network at another ministry cannot reach the direct URL; in that scenario this URL should work. Devices on the GOA Zone-4 network are not affected and should be able to connect to the direct URL without issue.
ArcGIS Token Authentication
The ArcGIS token web-service endpoint URL is internet accessible and will work from anywhere. The authentication mechanism is documented in the ArcGIS REST API documentation and is fully compatible with ESRI/ArcGIS software, applications built with the ArcGIS Web APIs or ArcGIS Platform SDKs, and compatible third-party products such as Geocortex Essentials. It can be used from any custom software that makes JSON REST calls, whether in Python, .NET, Java, PHP, or whatever suits you.
This mechanism is best suited to web applications where users make direct requests to secured services, or where an application authenticates on the user's behalf with an application/service (headless) account for the duration of the session. It can also be used without logging in (anonymously), which grants access to public services only. A token is a bearer credential with a limited lifetime: anyone who holds it can use it until it expires, so request it over HTTPS only, keep it out of URLs and logs, and renew it as it nears expiry rather than minting a long-lived one.
HTTP/Basic Authentication
The HTTP/Basic authentication web-service endpoint URL is internet accessible and will work from anywhere. As a broadly supported, standards-based authentication mechanism, it provides a highly compatible way to connect to GENESIS web services. Connections using HTTP/Basic are often impractical, however, because the username and password have to be supplied with every request; the credentials are only base64-encoded, not encrypted, so they must never be sent over plain HTTP and should not be embedded in an application or in client-side code. HTTP/Basic is therefore most useful for users connecting directly to services with their own credentials, and less useful for application developers integrating software components or presenting a seamless user experience in web applications.
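The token exchange and the HTTP/Basic alternative described in the two sections above, as an added example in Python (this is not GENESIS's own code). The host name `genesis.example.invalid`, the service paths and the user `alice` are placeholder assumptions, and the constructed `fake_post` stands in for the server so the example runs offline; the request and response shapes (`tokens/generateToken`, `f=json`, JSON error objects with codes 498/499) follow the public ArcGIS REST API, which the page says GENESIS implements.

```python
"""Added example (not GENESIS code): ArcGIS token auth and HTTP/Basic auth
against an ArcGIS-REST style endpoint.  BASE_URL is a placeholder assumption."""
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE_URL = "https://genesis.example.invalid/arcgis"  # assumption, not the real host


def http_post(url, data, headers=None):
    """Real transport: POST form-encoded data, return (status, body_text)."""
    req = Request(url, data=urlencode(data).encode(), headers=headers or {}, method="POST")
    with urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


def check_arcgis_error(body_text):
    """ArcGIS REST answers HTTP 200 even when the request failed, so always parse
    the body and look for an error object (498 invalid token, 499 token required,
    400 could not generate token)."""
    body = json.loads(body_text)
    err = body.get("error")
    if err:
        raise PermissionError(f"ArcGIS error {err.get('code')}: {err.get('message')}")
    return body


def generate_token(username, password, referer, expiration_minutes=60, post=http_post):
    """Trade credentials for a short-lived token at <BASE_URL>/tokens/generateToken.
    The password travels in this one POST body only; client=referer binds the token
    to the calling origin so a leaked token cannot be replayed from anywhere."""
    url = f"{BASE_URL}/tokens/generateToken"
    if not url.startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    _, text = post(url, {"username": username, "password": password,
                         "client": "referer", "referer": referer,
                         "expiration": str(expiration_minutes), "f": "json"})
    body = check_arcgis_error(text)
    return body["token"], body["expires"] / 1000.0  # 'expires' is epoch milliseconds


def token_is_fresh(expires_epoch_s, now=None, skew_s=60):
    """True while the token has more than skew_s seconds of life left; renew before then."""
    now = time.time() if now is None else now
    return expires_epoch_s - now > skew_s


def query_service(service_path, params, token=None, post=http_post):
    """Call a REST resource.  token=None is anonymous access (public services only).
    The token goes in the POST body, not the query string, so it stays out of the
    access logs of every proxy on the path between zones."""
    data = dict(params, f="json")
    if token is not None:
        data["token"] = token
    _, text = post(f"{BASE_URL}/rest/services/{service_path}", data)
    return check_arcgis_error(text)


def basic_auth_header(username, password):
    """HTTP/Basic is just base64(user:pass), not encryption: HTTPS is mandatory."""
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def query_service_basic(service_path, params, username, password, post=http_post):
    """Same call via HTTP/Basic: the password rides along on every request, which is
    why it suits a user with their own credentials rather than an embedded app account."""
    url = f"{BASE_URL}/rest/services/{service_path}"
    if not url.startswith("https://"):
        raise ValueError("refusing to send Basic credentials over plain HTTP")
    _, text = post(url, dict(params, f="json"), basic_auth_header(username, password))
    return check_arcgis_error(text)


def fake_post(url, data, headers=None):
    """Constructed stand-in for the server so this runs offline.  It mimics the
    ArcGIS habit of returning HTTP 200 with an error object on failure."""
    def err(code, msg):
        return 200, json.dumps({"error": {"code": code, "message": msg}})
    ok = (200, json.dumps({"features": [{"attributes": {"id": 1}}]}))
    if url.endswith("/tokens/generateToken"):
        if (data.get("username"), data.get("password")) == ("alice", "correct horse"):
            return 200, json.dumps({"token": "tok-alice", "expires": 2_000_000_000_000})
        return err(400, "Unable to generate token.")
    if "/Public/" in url:  # public service: no credential needed
        return ok
    if (headers or {}).get("Authorization") == basic_auth_header("alice", "correct horse")["Authorization"]:
        return ok
    if "token" not in data:
        return err(499, "Token Required")
    return ok if data["token"] == "tok-alice" else err(498, "Invalid Token")


if __name__ == "__main__":
    tok, exp = generate_token("alice", "correct horse", "https://app.example.invalid/", post=fake_post)
    print("fresh:", token_is_fresh(exp), query_service("Secure/MapServer/0/query", {"where": "1=1"}, token=tok, post=fake_post))
    print(query_service_basic("Secure/MapServer/0/query", {"where": "1=1"}, "alice", "correct horse", post=fake_post))
```

To run it against a real deployment, drop `post=fake_post` so the default `http_post` transport is used and replace `BASE_URL` with the endpoint from the GENESIS documentation. The two checks worth keeping in production code are the `https://` guard (both mechanisms carry a reusable credential) and `check_arcgis_error`, because a 498 or 499 arrives with a 200 status and is silently treated as success by code that only looks at the HTTP status.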
The GENESIS architecture can support virtually any form of authentication if required. We are open to expanding our current lineup of authentication solutions to include SAML-based solutions such as Alberta MyDigitalID, client-certificate authentication, etc. If custom solutions are required, please contact us.