Hello everyone,
We are trying to configure an authentication flow for a custom Single Page Application (a third-party dataroom called PULSE, managed by our provider Synapture) interacting with our M-Files Cloud vault.
The exact authentication flow required is:
- The custom SPA initiates the login request via M-Files.
- M-Files handles the federated authentication by delegating the login to Microsoft Entra ID.
- After a successful authentication on Entra ID, the flow returns to M-Files, and M-Files must finally redirect the user and the tokens back to the SPA (on their development URLs: https://host1:port1 or https://host2:port2).
Our constraint:
We already have a production SSO configuration in place via Microsoft Entra ID for our daily M-Files users. We cannot touch or modify the global RedirectUri or PostLogoutRedirectUri parameters in our primary configuration, as it would break production access.
Support feedback:
M-Files Support advised us that the best approach is to create a second configuration under Federated Authentication > Configurations and differentiate them using the Scope setting (as per Chapter 5.3 of the documentation). This way, M-Files can route the authentication request to the correct configuration block based on the incoming scope.
However, support didn't have a concrete sample configuration for this specific proxy flow pointing back to a custom SPA.
Our question to the community:
- Does anyone have a working Advanced Vault Settings JSON snippet or a clear example of how to declare this second configuration?
- How should the client-side RedirectURI be mapped in M-Files so that M-Files knows it has to send the final response back to the SPA's host addresses?
- How do we configure the Scope routing on the M-Files side so it intercepts the SPA requests correctly without interfering with our default production users?
Any guidance, screenshots, or structural examples would be immensely helpful!
Thank you in advance for your time and help.
Best regards,
Alexandre
