Azure AD (Active Directory) Authentication with FileMaker

In addition to the more typical external authentication methods, FileMaker supports client authentication using OAuth accounts from Google, Amazon, and Microsoft. In this instance, I needed to set up a FileMaker Cloud server to use a company’s directory accounts, which were hosted at Azure. In order to set this up I hit a couple of minor complications, which I’m going to cover here.

The first issue was largely one of nomenclature. Azure asks for a “Sign-on URL”, while the FileMaker configuration screen only shows a “Redirect URL”. They are the same value: paste FileMaker’s redirect URL into Azure’s sign-on URL field, character for character, since Azure only honours a redirect that exactly matches what is registered. Because that URL is specific to the server, each FileMaker Server needs its own App Registration in Azure. In the screen shot below you’ll also see the placeholder text for the values we’ll need from Azure.

Since we need some values from Azure at this point, let’s log in to the Azure portal, select Azure Active Directory, then App registrations, and click the New application registration button at the top. Enter the name you want to give the registration, leave the Application type as Web app / API, and add the sign-on URL we got from FileMaker.

With the basic app registration completed, we next create an API access key. Save the secret value the moment it is shown: the portal will not display it again, and you’ll need it for the FileMaker configuration screen. Treat it like a password, since anything holding it can act as this app registration; keep it out of tickets and email, and note its expiry date so it can be rotated before logins start failing.

Before I go further, notice that Azure uses terms like “Application ID” where the FileMaker screen says “Azure Client ID”, but otherwise the mapping between the two screens is fairly clear. Where to get the Tenant ID however wasn’t obvious, but I eventually found one way to get it was by going to App registrations, then Endpoints, and extracting the tenant ID from that. It is the GUID path segment of those endpoint URLs, i.e. the part between the host and oauth2 in https://login.microsoftonline.com/<tenant-id>/oauth2/authorize, and the same GUID appears as the tid claim in every token the tenant issues.

Here’s where I hit a bit of a hitch, however. Authentication still wasn’t working. It turns out there is one more item needing attention, since the default app registration manifest is missing a setting we need: FileMaker matches Azure users to group accounts using the groups claim in the token, and by default Azure does not emit that claim at all. Edit the manifest and change the value of groupMembershipClaims from null to "All", so the line reads "groupMembershipClaims": "All". One caveat worth knowing: if a user belongs to more groups than Azure will fit in a token (200 for JWT tokens), Azure drops the list and sends an overage indicator instead, so users in very large numbers of groups can still fail to match a group account even with this setting in place.

With that last change saved, users were then able to successfully log in.
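When a login still fails after all of the above, the quickest way to see which piece is wrong is to look at what Azure actually put in the ID token. The script below is an added example, not code from the original post or from FileMaker; it extracts the tenant ID from an Endpoints-style URL as described above, and decodes a token (without verifying its signature, which is FileMaker Server’s job) to confirm the tid and aud claims match the configured tenant and client ID and that the groups claim is present. The tenant ID, client ID, endpoint URL and the unsigned sample token are all constructed for the example.

```python
"""Offline sanity checks for a FileMaker <-> Azure AD OAuth setup (added example)."""
import base64
import json
import re
import uuid

# Constructed example values (not from the original post): a made-up tenant
# and application (client) ID in the GUID form Azure uses.
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# The Endpoints blade lists URLs of this shape; the GUID path segment is the tenant ID.
SAMPLE_ENDPOINT = "https://login.microsoftonline.com/" + SAMPLE_TENANT_ID + "/oauth2/authorize"


def tenant_id_from_endpoint(url: str) -> str:
    """Pull the tenant ID out of an Azure AD endpoint URL.

    Works for the v1 and v2 shapes (/<tenant>/oauth2/authorize,
    /<tenant>/oauth2/v2.0/token, ...). Raises ValueError if no GUID segment exists.
    """
    match = re.search(r"/([0-9a-fA-F-]{36})/", url)
    if not match:
        raise ValueError("no tenant GUID in endpoint URL: %s" % url)
    # uuid.UUID() rejects anything that is not a well-formed GUID.
    return str(uuid.UUID(match.group(1)))


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT checking its signature.

    This is for inspecting what Azure issued. Signature verification against the
    tenant's published keys is the relying party's job (FileMaker Server does it);
    never base an authorization decision on claims from this function.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(claims: dict, tenant_id: str, client_id: str) -> dict:
    """Check the claims FileMaker needs: right tenant, right app, and groups.

    'groups' is only emitted once groupMembershipClaims is set in the app manifest.
    Azure also omits the list when the user is in too many groups and sends an
    overage indicator instead ('hasgroups', or a '_claim_names' entry for 'groups');
    that case is flagged separately because the list must then be fetched from Graph.
    """
    issuer = claims.get("iss", "")
    groups = claims.get("groups")
    return {
        "tenant_ok": claims.get("tid") == tenant_id and tenant_id in issuer,
        "audience_ok": claims.get("aud") == client_id,
        "groups_present": isinstance(groups, list) and len(groups) > 0,
        "groups_overage": bool(claims.get("hasgroups"))
        or "groups" in claims.get("_claim_names", {}),
    }


def make_sample_id_token(with_groups: bool) -> str:
    """Build a CONSTRUCTED, unsigned ID token shaped like Azure's so the checks
    above can run offline. A real Azure token is RS256-signed; this one is not."""
    header = {"typ": "JWT", "alg": "none"}
    claims = {
        "iss": "https://sts.windows.net/%s/" % SAMPLE_TENANT_ID,
        "aud": SAMPLE_CLIENT_ID,
        "tid": SAMPLE_TENANT_ID,
        "upn": "user@example.com",
    }
    if with_groups:
        claims["groups"] = ["99999999-8888-7777-6666-555555555555"]
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature: test fixture only
    ])


if __name__ == "__main__":
    print("tenant from endpoint:", tenant_id_from_endpoint(SAMPLE_ENDPOINT))
    for flag in (False, True):
        token_claims = decode_jwt_unverified(make_sample_id_token(with_groups=flag))
        print("groups claim emitted:", flag, check_id_token(token_claims, SAMPLE_TENANT_ID, SAMPLE_CLIENT_ID))
```

The token without groups is what you get before the manifest edit: tenant and audience check out, yet groups_present is False, which is exactly the symptom of a FileMaker group account that never matches. To run this against a real token, capture the id_token from the browser’s redirect back to FileMaker and pass it to decode_jwt_unverified with your own tenant and client IDs.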

Simon
