## Connecting to Enterprise and ArcGIS Online (AGOL)

In this tutorial, we will explore the ways you can log in to your organization.

### Setting up the Environment

This will import the modules and libraries we will use for this tutorial.

```python
from arcgis.gis import GIS
```

### The `GIS` Class

The `GIS` object exists in the `gis` sub-package of the ArcGIS API for Python.  This object is the way you connect to your enterprise or ArcGIS Online.  You can connect to the sites as an anonymous user or by providing credentials.  

### Parts of the `GIS` Class

From the documentation of the `GIS` class:

*"A GIS is representative of a single ArcGIS Online organization or an ArcGIS Enterprise deployment. The GIS object provides helper objects to manage (search, create, retrieve) GIS resources such as content, users, and groups."*

The constructor of the `GIS` class takes multiple inputs but probably the most common are: `url, username, password, key_file, cert_file, client_id` and `profile`.  


|Parameter |Description|
|------|------|
|url | If URL is None, then the URL will be ArcGIS Online. |
|username|Login user name which is **case-sensitive**|
|password|The secret login string that allows you to access your content.  Never make this something simple like `password1`.  It is **case-sensitive**|
|key_file|The file path to a user's key certificate for PKI authentication|
|cert_file|The file path to a user's certificate file for PKI authentication. If a PFX or P12 certificate is used, a password is required. If a PEM file is used, the key_file is required.|
|verify_cert|If a site has an invalid SSL certificate or is being accessed via the IP or hostname instead of the name on the certificate, set this value to False.  This will ensure that all SSL certificate issues are ignored. The default is True. **Warning** Setting the value to False can be a security risk.|
|client_id|Used for OAuth authentication.  This is the application's client ID value.|
|profile|The name of the profile that the user wishes to use to authenticate, if set, the identified profile will be used to login to the specified GIS.|

## Logging in with the `GIS` Class

#### Anonymous Users

These are users who do not provide any credentials.  The functionality of the `GIS` object is reduced because anonymous users do not have the same abilities as authenticated users.

**Anonymous Users Cannot**

1. Save/publish items
2. Persist web maps
3. Access private information within your organization

##### Connecting to Enterprise

Not all enterprise sites support anonymous access, but if your organization does support anonymous access, you can connect by doing the following:

```python
gis_enterprise = GIS(url='https://pythonapi.playground.esri.com/portal')
gis_enterprise
```

##### Connecting to ArcGIS Online

ArcGIS Online supports anonymous logins.  With the ArcGIS API for Python, you can access a large amount of information without ever creating an account.

```python
gis_agol = GIS()
gis_agol
```

##### Summary of Anonymous Users

ArcGIS Online and Enterprise allow anonymous users to access large amounts of data, web maps and other information.  Though you cannot persist anything to organizations, anonymous accounts have lots of analysis, data and other access.



#### Built-In User Accounts

The `built-in` account is a named user account just like when you go to any website and create your `username/password` account.  A simple example of this is logging into `gmail`.  You provide a username plus a password, and you can access your email.  It is the same concept for `built-in` users.


##### Connecting to Built-In Users

We will expand upon the anonymous user way of logging in by providing a `username/password` plus the `url`.

##### Connecting to ArcGIS Online

```python
gis = GIS(username='my_fake_account', password='my_fake_password')
```

The `API` on the back end will go out and try to authenticate the username and password to ArcGIS Online.  

##### Connecting to Enterprise

```python
gis_enterprise = GIS(url='https://pythonapi.playground.esri.com/portal',
                     username='my_fake_account', password='my_fake_password')
```

You do not need to supply a `password`. If it is not supplied the `API` will prompt you for a `password`.

**These are a fake username and password.**

#### `PKI` Authentication Based Accounts

`Public Key Infrastructure` or **PKI** is a security infrastructure that creates and manages digital certificates. It performs two basic tasks:

- Generates and distributes public key certificates to bind public keys to other information, after validating the accuracy of the binding.
- Maintains and distributes certificate status information.

The ability to issue and manage certificates in software security systems that use public key technologies is built into Windows Server operating systems. [source](https://www.fedidcard.gov/faq/what-pki-public-key-infrastructure-and-why-do-i-need-it)

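```python
# Raw string so the backslashes in the Windows path are not read as escapes
# ("\u" in a normal string literal is a syntax error).
gis = GIS(url="https://pkienterprise.esri.com/portal",
          cert_file=r"C:\users\someuser\mycert.pfx",
          password="password1")
```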

You do not need to supply a `password`. If it is not supplied the `API` will prompt you for a `password`.

#### Other Authentication Methods

`LDAP, Integrated Windows Authentication, NTLM,` and `Kerberos` are all supported using the **ArcGIS API for Python**.  When sites use `IWA, NTLM and Kerberos` the `API` will attempt to log in for you when you are on the network.

- On the network means you are able to see the domain controller.

##### Accessing IWA/NTLM/Kerberos on the Domain

The ArcGIS API for Python will automatically detect the type of security the site is using when it connects to an organization.  For IWA/NTLM/Kerberos security it will attempt to automatically authenticate when prompted to do so.


```python
gis = GIS(url="https://myiwa.site.enterprise.somewhere.com/portal")
```

##### Accessing IWA/NTLM/Kerberos Outside of the Domain

Starting with version `1.8.0`, you can provide a username/password to access an IWA, NTLM, or Kerberos login manually.  This is helpful for situations where you need to script using accounts other than your own for Windows tasks or cron jobs.

```python
gis = GIS(url="https://myiwa.site.enterprise.somewhere.com/portal",
          username='DOMAIN//USERNAME',
          password="MY_FAKE_PASSWORD")
```

#### What is `verify_cert`?

If a site has an expired or invalid SSL certificate, you can skip certificate validation by setting `verify_cert` to `False`.  The default is `True`.

##### When to use `verify_cert`?

Here are some common situations where `verify_cert` is set to `False`:

- Setting up a new enterprise site
- Accessing a site with expired SSL certificate
- When updating SSL certificates

```python
gis_enterprise = GIS(url='https://pythonapi.playground.esri.com/portal',
                     username='my_fake_account', 
                     password='my_fake_password', 
                     verify_cert=False)
```
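The cells above pass literal passwords and `verify_cert=False` straight into `GIS(...)`, and both tend to survive from a tutorial into scheduled scripts. The following is an added example (not part of the original tutorial or of the ArcGIS API) that scans Python source for those two patterns with the standard `ast` module; the sample script is constructed, and the positional order `url, username, password` is assumed from the parameter table above.

```python
import ast

HARDCODED = "hard-coded password literal"
NO_VERIFY = "verify_cert=False disables TLS certificate validation"

# Constructed sample script modelled on the calls shown in this tutorial.
# It is only parsed, never executed, so arcgis does not need to be installed.
SAMPLE = '''
from arcgis.gis import GIS
import os
URL = "https://portal.example.com/portal"
a = GIS()
b = GIS(url=URL, username="svc", password="my_fake_password")
c = GIS(url=URL, username="svc", password=os.environ["GIS_PW"], verify_cert=False)
d = GIS(url=URL, profile="my_first_profile")
e = GIS(URL, "svc", "positional_secret", verify_cert=False)
'''


def _is_gis_call(node):
    """True for GIS(...) and for attribute forms such as arcgis.gis.GIS(...)."""
    func = node.func
    return (isinstance(func, ast.Name) and func.id == "GIS") or (
        isinstance(func, ast.Attribute) and func.attr == "GIS")


def audit_gis_calls(source):
    """Return sorted (line, finding) tuples for risky GIS(...) calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_gis_call(node)):
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        # Assumption: password is the third positional argument.
        positional = node.args[2] if len(node.args) > 2 else None
        pwd = kwargs.get("password", positional)
        if isinstance(pwd, ast.Constant) and isinstance(pwd.value, str):
            findings.append((node.lineno, HARDCODED))
        verify = kwargs.get("verify_cert")
        if isinstance(verify, ast.Constant) and verify.value is False:
            findings.append((node.lineno, NO_VERIFY))
    return sorted(findings)


if __name__ == "__main__":
    for line, finding in audit_gis_calls(SAMPLE):
        print(f"line {line}: {finding}")
```

Calls that read the password from the environment, prompt for it, or use a `profile` produce no password finding.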

## Leveraging Your OS Credential Store

When we examined the various parts of the `GIS` class, `profile` was mentioned.  The `profile` allows users to store `username/passwords` in a secure manner. 

Stored profiles use the system's credential store on your operating system.  This is akin to saving your credentials in a browser.

We 

**Note: On Linux and MacOS, additional setup for credential store could be required**


##### Storing `GIS` Credentials

```python
gis_enterprise = GIS(url='https://pythonapi.playground.esri.com/portal',
                     username='my_fake_account', 
                     password='my_fake_password', 
                     profile='my_first_profile')
```

**Persistent Profile Details**

The profile will store any of the following:

- url
- username
- key_file
- cert_file
- client_id

These are stored in the `.arcgisprofile` file under your user profile.

The **password** is pushed into the credential store and never stored as plain text. 
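To check that claim on a workstation or build host, the following added example (not from the original tutorial or the ArcGIS API) audits profile text for secret-looking keys and for keys outside the list above, and checks the file's permission bits. It assumes `.arcgisprofile` is an INI-style file with one section per profile; the sample content and the `legacy_profile` name are constructed.

```python
import configparser
import os
import stat

# Constructed sample; assumes an INI-style file with one section per profile.
SAMPLE_PROFILE = """
[my_first_profile]
url = https://pythonapi.playground.esri.com/portal
username = my_fake_account

[legacy_profile]
url = https://portal.example.com/portal
username = svc_account
password = my_fake_password
cert_file = /home/svc/mycert.pem
"""

# Keys the tutorial lists as persisted in the profile file.
DOCUMENTED_KEYS = {"url", "username", "key_file", "cert_file", "client_id"}
SECRET_HINTS = ("password", "secret", "token")


def audit_profiles(text):
    """Return {profile: {"secrets": [...], "unlisted": [...]}} for profiles with findings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    report = {}
    for name in parser.sections():
        keys = set(parser[name])  # configparser lower-cases option names
        secrets = sorted(k for k in keys if any(h in k for h in SECRET_HINTS))
        unlisted = sorted(keys - DOCUMENTED_KEYS - set(secrets))
        if secrets or unlisted:
            report[name] = {"secrets": secrets, "unlisted": unlisted}
    return report


def audit_profile_file(path):
    """Audit a profile file on disk, including POSIX permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as handle:
        profiles = audit_profiles(handle.read())
    # Group/other bits matter on Linux and macOS; Windows uses ACLs instead.
    return {"group_or_other_access": bool(mode & 0o077), "profiles": profiles}


if __name__ == "__main__":
    print(audit_profiles(SAMPLE_PROFILE))
```

Run `audit_profile_file(os.path.expanduser("~/.arcgisprofile"))` against the real file; `key_file` and `cert_file` entries point at private key material whose own permissions are worth checking too.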