Welcome to requests_arcgis_auth’s documentation!
A python requests API authentication handler for the Esri ArcGIS Server, Portal, and ArcGIS Online (AGOL) products
requests_arcgis_auth allows you to authenticate to Esri ArcGIS for Server, Portal for ArcGIS and ArcGIS Online (AGOL). The authentication handlers support the following deployment models:
- Proprietary ‘Token-Based’ Authentication
- Web-Tier security using NTLM or Kerberos (Microsoft Integrated Windows Authentication)
- SAML based ‘enterprise logins’ (OAuth2)*
*Only supports SAML services with Kerberos authentication (no forms based login)
Documentation & Code Samples
ArcGISPortalSAMLAuth
class requests_arcgis_auth.ArcGISPortalSAMLAuth(client_id, capture_request_history=False, saml_auth=<requests_kerberos.kerberos_.HTTPKerberosAuth object>, expiration=120, verify=True)
Auth Handler for the Esri Portal for ArcGIS product and ArcGIS Online (AGOL) configured with enterprise logins (SAML). This auth handler supports a SAML service that has Kerberos authentication enabled. A custom SAML auth handler can be provided with the ‘saml_auth’ parameter (example: for forms based login).
Parameters:
  - client_id (str) – A ‘client ID’ of a registered application in the portal.
  - capture_requests_history (bool, Optional) – Specifies if request history should be captured in the ‘history’ attribute (default: False).
  - saml_auth (<Requests_Auth_Handler>, Optional) – An authentication handler for the SAML identity provider. Defaults to the HTTPKerberosAuth handler. Allows a developer to write their own handler to tie into the SAML handler if the SAML service supports a different authentication scheme.
  - expiration (int, Optional) – Specifies the desired expiration of the portal authentication token. Defaults to 120 (minutes).
  - verify (bool, Optional) – Verify SSL Certificates (default: True). Use caution disabling this (not recommended for production use).
- redirect_uri (str) – The redirect URI of the registered application (defaults to ‘urn:ietf:wg:oauth:2.0:oob’). Leave this alone unless the redirect URI has been custom configured on the registered application.
- saml_headers (dict) – A dictionary of headers for the SAML service.
The ArcGISPortalSAMLAuth authentication handler was developed to work with Portal and ArcGIS Online (AGOL) solutions (referred to as an ‘Esri portal’ from here on) that are federated to the Department of Interior (DOI) Security Assertion Markup Language (SAML) service. This is an implementation of the Esri “Enterprise Logins” feature of an Esri portal solution. The authentication to the DOI SAML service is set up to use requests-kerberos authentication with OPTIONAL Mutual Authentication. This handler could theoretically support other 3rd party SAML services, but has not been developed or tested for that purpose.
The authentication handler was developed as an Authorization Code Grant ‘User Login’ and will require a Client ID of an Esri portal registered application. Further information on this login workflow can be found at http://resources.arcgis.com/en/help/arcgis-rest-api/index.html#/Authentication/02r30000009z000000/
Code Sample (Session Based):
>>> import requests
>>> from requests_arcgis_auth import ArcGISPortalSAMLAuth
>>> client_id = "<CLIENT_ID>"  # placeholder: client ID of the application registered in the portal
>>> s = requests.session()
>>> s.auth = ArcGISPortalSAMLAuth(client_id)
>>> r = s.get("https://org.maps.arcgis.com/sharing/rest/portals/self?f=json")
>>> print("logged in as {}".format(r.json().get('user').get('username')))
logged in as <USERNAME>
Note
The ArcGISPortalSAMLAuth handler requires the requests_kerberos, requests_ntlm and BeautifulSoup4 modules.
ArcGISServerAuth
class requests_arcgis_auth.ArcGISServerAuth(username=None, password=None, verify=True, instance=None)
Esri ArcGIS for Server (Stand Alone) authentication handler for the python requests API. Supports the vendor proprietary ‘Token Based’ authentication and web-tier security using Kerberos or NTLM.
Parameters:
  - username (str, Optional) – Username of user authenticating. Only required for token authentication or NTLM.
  - password (str, Optional) – Password of user authenticating. Only required for token authentication or NTLM.
  - verify (bool, Optional) – Verify SSL Certificates (default: True). Use caution disabling this (not recommended for production use).
  - instance (str, Optional) – The ‘instance’ name of the ArcGIS for Server Site (also known as the web-adaptor name). This will be derived if not supplied. ex: ‘arcgis’
Token OR Web-tier (Kerberos/NTLM) Authentication Example (“General Handler”): The following will attempt to acquire a token and, in the event of an HTTP status code 401 (Unauthorized), will inspect the HTTP WWW-Authenticate response headers for Kerberos and/or NTLM support. If the server supports Kerberos or NTLM, the auth handler will attempt authentication with the appropriate security provider.
>>> from requests_arcgis_auth import ArcGISServerAuth
>>> auth = ArcGISServerAuth(username, password)
Kerberos Web-Tier Authentication Example: The user's logged-in identity can be leveraged if the client, server, and underlying domain all support Kerberos single-sign-on. The advantage of this approach is that the user credentials do not need to be stored in memory. The example can be used if the underlying site is known to support Kerberos.
>>> from requests_arcgis_auth import ArcGISServerAuth
>>> auth = ArcGISServerAuth()
ArcGISPortalTokenAuth
class requests_arcgis_auth.ArcGISPortalTokenAuth(username, password, verify=True, instance=None)
Python Requests Authentication Handler for the Esri Portal for ArcGIS product and ArcGIS Online. This class only supports the vendor proprietary ‘Token Based’ authentication.
Parameters:
  - username (str) – Username of user authenticating.
  - password (str) – Password of user authenticating.
  - verify (bool, Optional) – Verify SSL Certificates (default: True). Use caution disabling this (not recommended for production use).
  - instance (str, Optional) – The ‘instance’ name of the ArcGIS for Server Site (also known as the web-adaptor name). Code will attempt to derive if not supplied. ex: ‘portal’
Kerberos Web-Tier Authentication Example: The user's logged-in identity can be leveraged if the client, server, and underlying domain all support Kerberos single-sign-on. The advantage of this approach is that the user credentials do not need to be stored in memory. The example can be used if the underlying site is known to support Kerberos.
>>> from requests_arcgis_auth import ArcGISPortalAuth
>>> auth = ArcGISPortalAuth()
Token OR Web-tier (Kerberos/NTLM) Authentication Example (“General Handler”): The following will attempt to acquire a token and, in the event of an HTTP status code 401 (Unauthorized), will inspect the HTTP WWW-Authenticate response headers for Kerberos and/or NTLM support. If the server supports Kerberos or NTLM, the auth handler will attempt authentication with the appropriate security provider.
>>> from requests_arcgis_auth import ArcGISPortalAuth
>>> auth = ArcGISPortalAuth(username,password)
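The 401 fallback described for the “General Handler” (here and under ArcGISServerAuth above) depends on reading the scheme tokens in the WWW-Authenticate challenge. The sketch below is an added example, not code from requests_arcgis_auth; the function names, the Kerberos-before-NTLM preference, the `allowed` restriction and the sample header values are assumptions made for illustration.

```python
# Added illustration; not taken from requests_arcgis_auth.
# Kerberos is offered through SPNEGO as the "Negotiate" scheme; NTLM as "NTLM".
SCHEME_TO_PROVIDER = {"negotiate": "kerberos", "ntlm": "ntlm"}
PREFERENCE = ("kerberos", "ntlm")  # assumption: prefer Kerberos when both are offered

# Constructed sample challenges (not captured from a real server).
SAMPLE_SEPARATE = ["Negotiate", "NTLM"]  # one header per scheme
SAMPLE_JOINED = ['Negotiate, NTLM, Basic realm="gis, internal"']  # comma-joined
SAMPLE_NTLM_ONLY = ["NTLM"]


def offered_providers(www_authenticate_values):
    """Map WWW-Authenticate header values to the web-tier providers they offer."""
    offered = set()
    for value in www_authenticate_values:
        # Several challenges may share one header value, separated by commas.
        # Naive comma split: adequate for scheme detection, not a full
        # RFC 7235 challenge parser.
        for fragment in value.split(","):
            parts = fragment.split()
            if parts and parts[0].lower() in SCHEME_TO_PROVIDER:
                offered.add(SCHEME_TO_PROVIDER[parts[0].lower()])
    return offered


def choose_provider(status_code, www_authenticate_values, allowed=PREFERENCE):
    """Pick the provider to try after a 401, or None if none is acceptable.

    `allowed` lets a caller refuse NTLM, so that a server (or an intermediary
    on a connection whose certificate was not verified) cannot steer the
    client to the weaker scheme.
    """
    if status_code != 401:
        return None
    offered = offered_providers(www_authenticate_values)
    for provider in PREFERENCE:
        if provider in allowed and provider in offered:
            return provider
    return None


if __name__ == "__main__":
    print(choose_provider(401, SAMPLE_SEPARATE))
    print(choose_provider(401, SAMPLE_NTLM_ONLY, allowed=("kerberos",)))
```

Passing `allowed=("kerberos",)` models a client that would rather fail than fall back to NTLM when Kerberos is not offered.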
ArcGISServerTokenAuth
class requests_arcgis_auth.ArcGISServerTokenAuth(username, password, verify=True, instance=None)
Python Requests Authentication Handler for the Esri ArcGIS Server product (Stand Alone). This class only supports the vendor proprietary ‘Token Based’ authentication.
Parameters:
  - username (str) – Username of user authenticating.
  - password (str) – Password of user authenticating.
  - verify (bool, Optional) – Verify SSL Certificates (default: True). Use caution disabling this (not recommended for production use).
  - instance (str, Optional) – The ‘instance’ name of the ArcGIS for Server Site (also known as the web-adaptor name). Code will attempt to derive if not supplied. ex: ‘arcgis’
References
Information about the Esri ArcGIS for Server Token authentication can be found at: http://server.arcgis.com/en/server/latest/administer/windows/about-arcgis-tokens.htm
Information about the Esri Portal for ArcGIS Token Authentication can be found at: http://resources.arcgis.com/en/help/arcgis-rest-api/index.html#/Generate_Token/02r3000000m5000000/
Information on python requests can be found at: http://docs.python-requests.org/en/master/
OAuth2 via SAML authentication was developed based on https://www.prowestgis.com/there-and-back-again/
The authentication handlers were developed and tested using the standard python installation bundled with Esri ArcGIS for Desktop 10.3.1 (2.7.8) and the requests API.