External authentication can be used for Music Monitor logins via FileMaker's standard support. FileMaker supports major IdP services, custom IdP, and directory services.
Microsoft / Azure IdP services are the most commonly used external authentication for Music Monitor. This document includes points of clarification specifically for Azure.
General Information
When using external authentication for Music Monitor, users are added to a group in the IdP or directory service. (For directory services, the group of users must be called mmgroup1. For IdP services, the group name is not important.)
A user's right to log into Music Monitor is granted by their membership in the IdP or directory group. Their privileges when logged into Music Monitor are managed in Music Monitor's internal user management system (see Manage Login Accounts). (If the user has not been configured with a privilege set in Music Monitor, they will be denied access immediately after being authenticated.)
Because privileges are managed inside Music Monitor, only one group is needed in the IdP.
Directory or IdP Setup
If using a directory service, create a group called mmgroup1 in the directory and add any users that will need access to Music Monitor, including IT.
If using an IdP (including Microsoft / Azure), register an OAuth application for Music Monitor in the IdP. The best reference document for this process is the Claris help document Accessing solutions using Open Authentication (OAuth) credentials. Specifically, the "Register an OAuth application" section (including the linked Authenticating OAuth groups via Microsoft Azure page) covers setup inside the IdP.
For Azure, you will need a group added to the application which includes the users that need access to Music Monitor (you can use more than one group if necessary). The name of the group is not important. The group type must be allowed by the "groupMembershipClaims" setting on the application manifest.
FileMaker Server Setup
If the Music Monitor server is hosted in-house by your institution, configure the FileMaker Server Admin Console with your external authentication settings (the Music Monitor Team will be happy to assist if needed).
- In the FileMaker Server Admin Console, go to Administration > External Authentication.
- Enter your Predefined Identity Provider (IdP) Authentication Settings or Custom IdP Authentication Settings. The best reference document for Azure is the "Configure OAuth in FileMaker Server" section in the Claris help document Accessing solutions using Open Authentication (OAuth) credentials.
- For Database Sign In, set External Server Accounts to Enabled.
- Enable the OAuth identity provider you want to use for authenticating FileMaker clients.
Music Monitor Setup
The actions detailed in the "Configure OAuth accounts in databases" section of the Claris help document Accessing solutions using Open Authentication (OAuth) credentials can only be conducted by the Music Monitor Team. If using Azure, note down the group's Object ID and contact a member of the Music Monitor Team.
In Music Monitor, go to Settings (the gear icon) > Manage Login Accounts, then check the External checkbox under Settings. (For version 9.111 and earlier use Tools > System Admin > Manage Login Accounts, then check the External checkbox under Settings.)
Next, add users. The Account Name for each user must match the account name for your IdP or other external authentication service (for Azure this is usually an email address). Set the privilege set for each specific user.
If local login accounts have previously been configured in Music Monitor, it is a good idea to delete and re-create the accounts, even if they use the same account name as required by the IdP or directory for external authentication. This will guarantee that no local passwords are retained for those accounts.
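The split described above (group membership grants the right to log in, Music Monitor's own account list grants privileges, and the Account Name must match the IdP account name) can be audited before rollout. The following is an added example, not Music Monitor or Claris code; the input shapes, the sample names and privilege sets, and the choice to flag case- or whitespace-only differences for review are all assumptions.

```python
# Added example, not Music Monitor or Claris code. Input shapes are assumptions:
# the IdP group is a list of account names, and Music Monitor's login accounts
# are a dict of Account Name -> privilege set ("" when none is assigned).

def _fold(name):
    """Normalise a name for near-match detection only, never for 'ok' status."""
    return name.strip().casefold()

def reconcile(idp_members, mm_accounts):
    """Classify every account by what happens at external sign-in."""
    report = {"ok": [], "no_privilege_set": [], "no_account": [],
              "name_mismatch": [], "not_in_idp_group": []}
    folded_mm = {_fold(n): n for n in mm_accounts}
    for member in sorted(idp_members):
        if member in mm_accounts:
            # Authenticated by the IdP; access depends on the privilege set.
            key = "ok" if mm_accounts[member] else "no_privilege_set"
            report[key].append(member)
        elif _fold(member) in folded_mm:
            # Same name apart from case or stray spaces: flag for manual review.
            report["name_mismatch"].append((member, folded_mm[_fold(member)]))
        else:
            # Authenticates, then is denied: no Music Monitor account exists.
            report["no_account"].append(member)
    folded_idp = {_fold(m) for m in idp_members}
    for name in sorted(mm_accounts):
        if _fold(name) not in folded_idp:
            # Has a Music Monitor account but no group membership to log in with.
            report["not_in_idp_group"].append(name)
    return report

# Constructed sample data (names and privilege sets are made up).
IDP_GROUP_MEMBERS = ["alice@example.edu", "bob@example.edu",
                     "Carol@example.edu", "dave@example.edu"]
MM_ACCOUNTS = {"alice@example.edu": "Staff", "bob@example.edu": "",
               "carol@example.edu": "Faculty", "erin@example.edu": "Admin"}

if __name__ == "__main__":
    for category, entries in reconcile(IDP_GROUP_MEMBERS, MM_ACCOUNTS).items():
        print(f"{category}: {entries}")
```

Entries under not_in_idp_group are worth reviewing alongside the advice above on re-creating previously local accounts, since they are the accounts no longer covered by the IdP or directory group.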