6 Replies Latest reply on May 18, 2017 2:14 PM by LSNOVER

    FMS16 oAuth Azure...problem with groups?

    LSNOVER

      OK, I've successfully set up my app to use the new oAuth feature for security with Microsoft Azure.


      I have one hitch at the moment.


      If I create an Azure Group, and assign my test users to the Group, when I try to login, Filemaker says I don't have privileges to open the specific database. If I add the SPECIFIC users to the Filemaker security window, I can login and use my application just fine.


      Any ideas as to why my "groups" would not work? Are there additional settings required beyond creating the Group and adding the users to the Group?


      Thanks,

      Lee

        • 1. Re: FMS16 oAuth Azure...problem with groups?
          wimdecorte

          Yes, you have to make a change to your Azure app manifest to enable group authentication.


          [screenshot attachment: 2017-05-17_16-22-48.png]

          • 2. Re: FMS16 oAuth Azure...problem with groups?
            LSNOVER

            Hi Wim:


            I tried making this change, and tried both "SecurityGroup" and "All" for the values, but still cannot authenticate my group.


            Is it necessary to restart Filemaker Server or clear any caches, etc. for this to take effect?


            Thanks for your help on this.


            Regards,

            Lee

            • 3. Re: FMS16 oAuth Azure...problem with groups?
              wimdecorte

              No, don't think so. But try it anyway.

              • 4. Re: FMS16 oAuth Azure...problem with groups?
                LSNOVER

                I've tried a number of things.


                I tried setting up a "guest" account and a normal account under my Azure domain.


                In both cases, the accounts do not work, even if I add them specifically to the user lists. I'm getting an error on the Microsoft login page.


                "ADSTS90093: This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."


                In addition, I'm finding the "auto" login very frustrating. The only way I can force a fresh login in Chrome is to clear the cache. In Firefox I haven't figured out how to override the defaults.


                So at the moment, the only login I have working is my own Administrator level login, only when I specifically add my user name in Filemaker. My Azure account is a couple years old, so I'm wondering if my account is stuck in some kind of legacy mode. I'm checking with Microsoft on this. I may just set up a new account, though not my preference.

                • 5. Re: FMS16 oAuth Azure...problem with groups?
                  LSNOVER

                  OK, I've gotten past this issue.


                  Once you set up Application permissions and save them, you have to EXPLICITLY GRANT those permissions to the application for the AD Users. That at least allowed me to login successfully as a "Guest" user, but ONLY by specifically including that user in the list of Filemaker Accounts. Still no success trying to use a group.

                  • 6. Re: FMS16 oAuth Azure...problem with groups?
                    LSNOVER

                    OK, two extra "hitches" that I had to work through.


                    1. After you set and save the Application Permissions in Azure, you click "Save", but that does not actually apply the settings to the application. You must go under the Application Security panel and click "Grant Permissions".


                    2. When using Groups in Azure, you DO NOT USE THE GROUP NAME. The Name is for Display purposes only. You MUST use the Group's ID#. This is kind of spelled out in the Filemaker Security Dialog when assigning the Group, but I was looking past it.


                    3. Make the edit to the Manifest as Wim directs above to use Groups!


                    Once you have the permissions granted in Azure AD, adjust the Manifest, AND use the GROUP ID, bingo!


                    Hope this helps someone else. If this was covered elsewhere, excuse my glossing over those details.


                    Cheers!

                    Lee
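The two group-related hitches in the thread (the token only carries a groups claim once the manifest's groupMembershipClaims is set, and the claim lists group object IDs, never display names) can be checked directly against an ID token. The following is an added example, not code from the thread or from FileMaker; the token, app ID, UPN and group GUID are constructed placeholders, and signature verification is deliberately left out because it needs the identity provider's keys.

```python
import base64
import json

# Manifest fragment the thread refers to (assumed value; "All" is the other option tried).
MANIFEST_FRAGMENT = {"groupMembershipClaims": "SecurityGroup"}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT. Only inspects claims;
    a real relying party must verify the signature against the IdP's keys first."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def group_authorized(claims: dict, configured_value: str) -> bool:
    """Mimic the relying-party check: the value configured in the security
    dialog must equal a group object ID in the token's 'groups' claim."""
    return configured_value in claims.get("groups", [])

def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned demo JWT (alg 'none'; never accept these in production)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample values (placeholder GUID, not a real tenant's group).
SAMPLE_GROUP_ID = "00000000-0000-0000-0000-00000000beef"
BASE_CLAIMS = {"aud": "example-app-id", "upn": "lee@example.onmicrosoft.com"}
# Token as issued after the manifest change: groups claim present.
TOKEN_WITH_GROUPS = _make_unsigned_token({**BASE_CLAIMS, "groups": [SAMPLE_GROUP_ID]})
# Token as issued without groupMembershipClaims: no groups claim at all.
TOKEN_NO_GROUPS = _make_unsigned_token(BASE_CLAIMS)

def check_config(display_name: str, group_id: str, token: str) -> dict:
    """Compare matching by display name (hitch 2) with matching by object ID."""
    claims = id_token_claims(token)
    return {"by_name": group_authorized(claims, display_name),
            "by_id": group_authorized(claims, group_id)}

if __name__ == "__main__":
    print("manifest set:  ", check_config("FileMaker Users", SAMPLE_GROUP_ID, TOKEN_WITH_GROUPS))
    print("manifest unset:", check_config("FileMaker Users", SAMPLE_GROUP_ID, TOKEN_NO_GROUPS))
```

Only the combination of the manifest change and the object ID yields a match; a display name never does, and without the manifest change even the correct ID finds no claim to match against.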