Client required to login each time a VertiGIS Studio Web browser session starts.
Not planned
We have noted a UI/UX issue related to Portal secured items.
Users are required to pass credentials to access a site. This requests a Portal access token and the session starts.
However, unlike other allied applications like ArcGIS WebApps, VSW users are required to re-credential even if the session was only recently closed, and moreover if a new tab is opened in the browser before closing an existing session.
Even the shortest default tokens for Portal are 20-30 minutes in duration before refresh/renewal is required.
Please allow VertiGIS Studio applications to access domain tokens rather than user tokens.
regards
Andrew
PS. This is not a dissimilar use case https://community.esri.com/t5/arcgis-javascript-maps-sdk-questions/multiple-apps/m-p/1057028
-
VertiGIS Studio development has elected to take the "high road" when it comes to app authentication, choosing to follow the best security practices as we interpret them.
While this makes things less convenient from an end-user's point of view, this is driven by a combination of our convictions around security, and a desire to be SOC2 compliant.
Esri caches the access token in local storage (and in our opinion, browser memory is safer) and allows it to be referenced from there by other browser tab sessions. This would be (mostly) acceptable if it was on a customer-unique domain (e.g. customer.apps.vertigisstudio.com), but we wouldn't do this on a shared domain used by many customers (e.g. apps.vertigisstudio.com). This access token cache in local storage creates a security hole that isn't acceptable to us.
On this note, VertiGIS might be able to do something specific on customer-specific domains in the SaaS environment (customer.apps.vertigisstudio.com) but we would never do it at apps.vertigisstudio.com. Product Management suggests using the Studio app-selector interface (see image) that is a safe, SSO way to move between VertiGIS Studio apps.
2 -
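The storage trade-off described in the reply above, as an added example that is not part of the thread and is not VertiGIS or Esri code: a small model of how a browser scopes `localStorage` by origin while in-memory state stays private to one tab. The customer host names, paths, key name and token value are constructed for illustration.

```javascript
// Model of browser token storage (added illustration; not VertiGIS or Esri code).
// Web Storage is partitioned by origin = scheme + host + port; the path is ignored.
class Browser {
  constructor() {
    this.localStorageByOrigin = new Map(); // origin -> Map(key -> value)
  }
  openTab(url) {
    return new Tab(this, url);
  }
}

class Tab {
  constructor(browser, url) {
    this.origin = new URL(url).origin;
    if (!browser.localStorageByOrigin.has(this.origin)) {
      browser.localStorageByOrigin.set(this.origin, new Map());
    }
    this.localStorage = browser.localStorageByOrigin.get(this.origin); // shared per origin
    this.memory = new Map(); // per-tab JavaScript heap, gone when the tab closes
  }
}

// Returns true if a token saved by a tab at `writerUrl` is readable from a
// separately opened tab at `readerUrl`, for the given storage strategy.
function tokenVisible(strategy, writerUrl, readerUrl) {
  const browser = new Browser();
  const writer = browser.openTab(writerUrl);
  const store = strategy === "localStorage" ? writer.localStorage : writer.memory;
  store.set("portal_token", "constructed-sample-token"); // hypothetical key and value
  const reader = browser.openTab(readerUrl);
  const view = strategy === "localStorage" ? reader.localStorage : reader.memory;
  return view.has("portal_token");
}

// Constructed URLs: the base domain comes from the thread, the rest is hypothetical.
const SHARED_A = "https://apps.vertigisstudio.com/web/?app=customer-a";
const SHARED_B = "https://apps.vertigisstudio.com/web/?app=customer-b";
const OWN_A = "https://customer-a.apps.vertigisstudio.com/web/";
const OWN_B = "https://customer-b.apps.vertigisstudio.com/web/";

function report() {
  return {
    sharedDomainLocalStorage: tokenVisible("localStorage", SHARED_A, SHARED_B),
    customerDomainLocalStorage: tokenVisible("localStorage", OWN_A, OWN_B),
    sameCustomerNewTabLocalStorage: tokenVisible("localStorage", OWN_A, OWN_A),
    sameCustomerNewTabMemory: tokenVisible("memory", OWN_A, OWN_A),
  };
}
console.log(report());
```

The last two fields show the convenience cost: a token held only in tab memory is not available to a new tab of the same customer app, which is the re-login behaviour the thread is about.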
After reviewing this topic, we deduce that access tokens are deliberately not retained in the browser's memory as a security precaution. This necessitates users to re-login when opening new tabs. While we appreciate this decision from a security standpoint, we would like to emphasize that our desire for an enhanced SSO experience remains.
8 -
Our customers working on-prem are complaining about the Sign in prompt being thrown every time a new VertiGIS app is being launched.

They are used to SSO with ESRI portal applications and GVH as well without being prompted for an additional sign-in. You can imagine how good of a user experience this is for employees working in the field who start their session with an Azure AD MFA and then get prompted for a triple sign-in. It is much appreciated if you can create a hotfix or describe some kind of hack that lets us remove this Sign-in button.
9 -
Also for my organization the additional login screen is undesired for on-premise usage of Studio Web.
The additional clicks lead to frustration for the end users.
8 -
Any update on this?
3 -
Also looking for an update. We should be given the option to keep/use the extra security when SSO is enabled. Not everyone wants this experience for their end users. For our org, within the network - we want it turned off.
4 -
Hi all, we also have several customers complaining about this behaviour, especially because there is not only the login popup but also the pre-login popup which is completely useless from a UX standpoint in a secured application. Instead of showing immediately the login window, VSW is first showing a pre-login warning which only allows you to click on OK to proceed or cancel to quit the application again (which nobody is supposed to do).
The ideal UX is an SSO but if that is against the best practices security rules (which are violated by Esri Inc if I understand it well) then please try to avoid the first popup.
9