Preparing the Server and WebMap

IIS Manager

In IIS Manager, enable Anonymous Authentication for the WebMap app pool. Disable all other forms of authentication.

Edit web.config

  • Open the web.config file in a suitable code editor.

  • Edit the IdentityConfig Tag: set RequireUniqueEmail to false.

  • Also add this additional parameter to the end of the <identityConfig> tag:

    LookUpRoleById="true"
  • Add the following after the IdentityConfig tag, making sure to edit the values in brackets “[]” to the correct values (delete the brackets, keep the quotation marks):

    <openIdConnectConfig Authority="https://login.microsoftonline.com/[tenant id]"
    ClientId="[application id]"
    ClientSecret=""
    RoleClaimType="groups"
    NameClaimType="name"
    RedirectUri="[url to WM]"
    Scope="openid, roles"
    ResponseType="id_token" />
  • ClientId - Sets the client_id parameter on the authentication request

  • ClientSecret - Sets the client_secret parameter on the authentication request (probably not used in Identity Server by default, so it can be left blank)

  • RoleClaimType - Sets the claim type in the returned authentication token that WebMap will use to determine role claims.

  • NameClaimType - Sets the claim type in the returned authentication token that WebMap will use to determine the user name.

  • RedirectUri - Location of the instance of WebMap (i.e. the same value previously added to the appsettings.json file on the server)

  • In the <appSettings> tag, add the following:

    <add key="owin:appStartup" value="OpenIdConnect" />
  • Add the following to the <location> tag section (carefully edit/replace the existing map.aspx and wmadm.aspx tags so that they match the configuration below):

    <location path="AuthenticatedTileCacheHandler.axd">
        <system.web>
            <httpRuntime executionTimeout="1800" />
            <authorization>
                <allow users="?"/>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="map.aspx">
        <system.web>
            <authorization>
                <deny users="?"/>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="wmadm.aspx">
        <system.web>
            <httpRuntime executionTimeout="1800" />
            <authorization>
                <deny users="?"/>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
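A quick way to confirm that the edited web.config actually matches the steps above, before restarting the site, is to parse it and check each setting. The script below is an added example and is not part of WebMap or its documentation. It follows the element and attribute names used on this page (<identityConfig>, <openIdConnectConfig>, <appSettings>, <location>); the sample documents, the made-up tenant/application ids and host name, and the function name check_webmap_config are constructed here. It also checks that the deny rule for anonymous users comes before the allow rule on map.aspx and wmadm.aspx, since ASP.NET evaluates authorization rules top-down and the first match wins.

```python
"""Sanity-check a WebMap web.config against the OpenID Connect procedure above.

Added example: element/attribute names follow the page, everything else
(sample documents, identifiers, function names) is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the configuration as described on the page, with the
# [placeholders] replaced by made-up values.
GOOD_CONFIG = """<configuration>
  <identityConfig RequireUniqueEmail="false" LookUpRoleById="true" />
  <openIdConnectConfig Authority="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
    ClientId="11111111-1111-1111-1111-111111111111" ClientSecret=""
    RoleClaimType="groups" NameClaimType="name"
    RedirectUri="https://webmap.example.test/" Scope="openid, roles"
    ResponseType="id_token" />
  <appSettings>
    <add key="owin:appStartup" value="OpenIdConnect" />
  </appSettings>
  <location path="map.aspx">
    <system.web><authorization>
      <deny users="?"/><allow users="*"/>
    </authorization></system.web>
  </location>
  <location path="wmadm.aspx">
    <system.web><authorization>
      <deny users="?"/><allow users="*"/>
    </authorization></system.web>
  </location>
</configuration>"""

# Constructed sample with three common mistakes: a placeholder left in place,
# a misspelled scope, and the allow rule placed before the deny rule on map.aspx.
BAD_CONFIG = (GOOD_CONFIG
    .replace('ClientId="11111111-1111-1111-1111-111111111111"', 'ClientId="[application id]"')
    .replace('Scope="openid, roles"', 'Scope="opeinId, roles"')
    .replace('<deny users="?"/><allow users="*"/>', '<allow users="*"/><deny users="?"/>', 1))

PROTECTED_PAGES = ("map.aspx", "wmadm.aspx")


def _placeholder(value):
    """True when an attribute is missing, empty, or still contains a [placeholder]."""
    return value is None or value == "" or "[" in value


def check_webmap_config(xml_text):
    """Return a list of findings; an empty list means the config matches the procedure."""
    root = ET.fromstring(xml_text)
    findings = []

    ident = root.find("identityConfig")
    if ident is None:
        findings.append("identityConfig element missing")
    else:
        if ident.get("RequireUniqueEmail", "").lower() != "false":
            findings.append('identityConfig: RequireUniqueEmail must be "false"')
        if ident.get("LookUpRoleById", "").lower() != "true":
            findings.append('identityConfig: LookUpRoleById="true" is missing')

    oidc = root.find("openIdConnectConfig")
    if oidc is None:
        findings.append("openIdConnectConfig element missing")
    else:
        for attr in ("Authority", "ClientId", "RedirectUri"):
            if _placeholder(oidc.get(attr)):
                findings.append(f"openIdConnectConfig: {attr} is empty or still a [placeholder]")
        if not oidc.get("Authority", "").startswith("https://login.microsoftonline.com/"):
            findings.append("openIdConnectConfig: Authority is not the Azure AD login endpoint over https")
        scopes = {s.lower() for s in re.split(r"[,\s]+", oidc.get("Scope", "")) if s}
        if "openid" not in scopes:
            findings.append('openIdConnectConfig: Scope must include "openid" (check spelling)')
        if oidc.get("ResponseType") != "id_token":
            findings.append('openIdConnectConfig: ResponseType must be "id_token"')

    startup = [a for a in root.findall("appSettings/add") if a.get("key") == "owin:appStartup"]
    if not startup or startup[0].get("value") != "OpenIdConnect":
        findings.append("appSettings: owin:appStartup is not set to OpenIdConnect")

    for page in PROTECTED_PAGES:
        loc = next((l for l in root.findall("location") if l.get("path") == page), None)
        rules = []
        if loc is not None:
            for auth in loc.iter("authorization"):
                rules.extend((r.tag, r.get("users")) for r in auth)
        # ASP.NET evaluates rules top-down, first match wins: deny "?" (anonymous)
        # has to precede allow "*" (everyone) or the deny never takes effect.
        if ("deny", "?") not in rules:
            findings.append(f'{page}: no <deny users="?"/> rule, anonymous users can reach it')
        elif ("allow", "*") in rules and rules.index(("allow", "*")) < rules.index(("deny", "?")):
            findings.append(f'{page}: allow "*" precedes deny "?", so the deny never applies')
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_webmap_config(doc) or "OK")
```

Run it against your own file with `check_webmap_config(open("web.config").read())`; the function only reads the document and reports, so it is safe to run on the live server before the app pool is recycled.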

WebMap settings

WebMap should now be authenticating using the Azure Active Directory. Security on individual maps can now be set in the Admin interface (see here), using the imported users and groups.

Remember that user permissions override group permissions, which may affect the access of individual users to maps.