Hello
I've set up SAML authentication for ArcGIS Enterprise where users can join automatically with a default Viewer user type.
I'm trying now to set up an organization webhook. The idea is that when a SAML user is added to a specific Portal group (through SAML based group membership), a webhook is triggered to promote the user type from Viewer to Creator (and role from Viewer to Editor).
In /portal/sharing/rest you can do a http POST request to update the UserType as follows: https://FQDN/portal/sharing/rest/portals/0123456789ABCDEF/updateUserLicenseType
I've configured the webhook in ArcGIS Enterprise successfully, but I'm struggling now in PowerAutomate with the authentication against /portal/sharing/rest
I tried to authenticate by setting Authentication Type to Basic and providing the portaladmin credentials
Next, I execute the http POST request as follows:
But this doesn't seem to work
The webhook receiver is triggered successfully when a user is added to the group, but it seems that the authentication goes wrong against /portal/sharing/rest, because I receive a 403 error: "You do not have permissions to access this resource or perform this operation"
So basically my question is, how do you authenticate against /portal/sharing/rest so that you can execute all the available POST requests?
I'm not a developer, but I hope that this should be possible in some way? All ideas or sample code are welcome (preferably in Power Automate)
Best regards
Phil
I'm not real sure what thing in Power Automate your first screen shot is from, but I'll guess it's not what you want to use / it doesn't authenticate like you want.
Try making an HTTP Post call to generateToken: https://developers.arcgis.com/rest/users-groups-and-items/generate-token/
That should return a token, which you can then use on all your calls that require authentication. In my screen shot I get a token, parse it from the response, and make use of it as a header on all my calls back to the Portal.
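The token flow from the answer above, written out as an added example in plain Python rather than Power Automate (this is not Kevin's code and not an Esri sample). The endpoint paths come from the thread; the `users` / `userLicenseType` parameter names on updateUserLicenseType, the `creatorUT` user-type id and the `X-Esri-Authorization` header are assumptions to check against the REST reference for your Enterprise version. The `post` argument is injectable so the request building can be exercised without a live portal.

```python
"""Token-based authentication against /portal/sharing/rest.

Added example, not code from the thread. Flow: POST to generateToken, pull the
token out of the JSON body, then send it on every privileged call. Portal REST
does not accept HTTP Basic auth, which is consistent with the 403 in the question.
"""
import json
import urllib.parse
import urllib.request

PORTAL_URL = "https://FQDN/portal"       # placeholder host taken from the question
ORG_ID = "0123456789ABCDEF"              # placeholder org id taken from the question
REFERER = "https://automation.example"   # assumed; must be sent on every call that uses the token


def _post(url, params, headers=None):
    """Default transport: form-encoded POST, decoded JSON response."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=data, headers=headers or {}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def check_error(body, operation):
    """Portal usually answers HTTP 200 even when the call failed; the error is in the JSON."""
    if "error" in body:
        err = body["error"]
        raise PermissionError(f"{operation} failed ({err.get('code')}): {err.get('message')}")
    return body


def parse_token_response(body):
    """Extract the token from a generateToken response, raising on an error body."""
    check_error(body, "generateToken")
    if "token" not in body:
        raise ValueError("generateToken response has no 'token' field")
    return body["token"]


def generate_token(username, password, post=_post, minutes=15):
    """POST /sharing/rest/generateToken. Short expiration: the token carries admin rights."""
    body = post(
        f"{PORTAL_URL}/sharing/rest/generateToken",
        {"username": username, "password": password, "client": "referer",
         "referer": REFERER, "expiration": minutes, "f": "json"},
    )
    return parse_token_response(body)


def auth_headers(token):
    """Carry the token in a header (as the answer does) instead of the URL, so it stays out of access logs."""
    return {"X-Esri-Authorization": f"Bearer {token}", "Referer": REFERER}


def update_user_license_type(token, usernames, user_type_id="creatorUT", post=_post):
    """POST /portals/<orgid>/updateUserLicenseType for one or more usernames (parameter names assumed)."""
    body = post(
        f"{PORTAL_URL}/sharing/rest/portals/{ORG_ID}/updateUserLicenseType",
        {"users": json.dumps(list(usernames)), "userLicenseType": user_type_id, "f": "json"},
        headers=auth_headers(token),
    )
    return check_error(body, "updateUserLicenseType")


if __name__ == "__main__":
    # Live run against a real portal; credentials should come from a secret store, not the script.
    import os
    tok = generate_token(os.environ["PORTAL_USER"], os.environ["PORTAL_PASSWORD"])
    print(update_user_license_type(tok, [os.environ["TARGET_USER"]]))
```

Two points carry over to a Power Automate flow: the Referer you send with the token must be the same value you passed to generateToken, and the account used to mint the token should be a dedicated admin identity with a short token lifetime, stored as a secure input or in a key vault rather than typed into the HTTP action.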
@KevinHibma , thanks a lot for your feedback! Following your instructions I was able to create the webhook that increases the User Type and Role when a user is added manually to a certain group. This works perfect now.
However, my webhook doesn't seem to work when a SAML user is added automatically to a Portal group that was created based on SAML based group membership.
I tested both with /groups/<groupID>/addUsers and the more general /groups/<groupID> but when a SAML user authenticates the first time and is added automatically to the group it doesn't seem to trigger anything. Any idea how to solve this?
Best regards
Phil
@PhilippeVDV Interesting timing. I've been working on this exact question this week. Today, you're correct, no webhook is triggered when a SAML user has been added to the group based on group membership. Internally, different "things" are happening with the add user / authentication checks and calls when going this route compared to adding a built-in user to a group. I'm investigating if we're able to support this scenario. For now, I do not believe there are any workarounds.
Thanks again for your feedback @KevinHibma . I opened a support case in parallel, and apparently an enhancement request was logged very recently:
ENH-000166912 - Portal organization webhook: Add capability to trigger /addUser and /removeUser events for group members who joined based on (AD) SAML-based membership
And got also this information: "This is because those users are automatically enlisted as a member of the group because that was the prerequisite (that they can join because they're a member of a particular designated SAML Group). Sharing, unsharing, and deleting items from the group does trigger an event. A workaround for this, if they want to be alerted when such a user joins that group, would be to just have them share something immediately after joining."
I did not test the workaround yet
Best regards
Phil
That's exactly the enhancement request I'm evaluating. I need to see if it's technically possible before accepting/rejecting. I hope to have that question figured out soon. If we can do it, we'll try to address it in an upcoming release.
Hey Kevin, any update on triggering a webhook when a user is added to a SAML group? I've been trying to implement this exact workflow (Assign licenses when a user is automatically added to a SAML group). Assigning licenses for an organization our size takes up a substantial amount of time.
My workaround (not optimal, but going to make it work):
Using FME Server to run on a schedule a couple times a day and, for example, query members of our Mobile Workers Group (portal SAML group) and compare that to current assigned licenses. Then I can assign/remove licenses depending on the results.
This might work for us, but it screams inefficiency.
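The scheduled reconciliation described above, as an added example in plain Python (not the poster's FME workspace). It takes the current members of the SAML-mapped group and every user's current user type, and computes who needs promoting and who has left the group but still holds the higher type, so the job only touches users that are actually out of sync. Inputs are constructed here; in practice they come from the group's users listing and each user's userLicenseTypeId, and the user-type ids and the `exempt` list are assumptions.

```python
"""Reconcile SAML group membership against assigned user types.

Added example, not the FME job from the thread. The plan is computed first and
applied second, so a dry run is possible and a bad member listing (e.g. an empty
response from the portal) cannot silently demote the whole organization.
"""
from dataclasses import dataclass, field

TARGET_UT = "creatorUT"   # assumed user-type id for Creator
DEFAULT_UT = "viewerUT"   # assumed user-type id for Viewer


@dataclass
class Plan:
    promote: list = field(default_factory=list)
    demote: list = field(default_factory=list)
    unchanged: list = field(default_factory=list)


def plan_license_changes(group_members, user_types, exempt=frozenset()):
    """
    group_members: usernames currently in the SAML-mapped group
    user_types:    {username: current userLicenseTypeId} for org users
    exempt:        usernames never demoted by this job (admins, service accounts,
                   people licensed by hand); they may still be promoted
    """
    members = set(group_members)
    if not members and user_types:
        # Guard: an empty group listing is far more likely a failed call than a real mass removal.
        raise RuntimeError("group member listing is empty; refusing to plan demotions")
    plan = Plan()
    for user in sorted(members | set(user_types)):
        current = user_types.get(user, DEFAULT_UT)
        if user in members and current != TARGET_UT:
            plan.promote.append(user)
        elif user not in members and current == TARGET_UT and user not in exempt:
            plan.demote.append(user)
        else:
            plan.unchanged.append(user)
    return plan


def apply_plan(plan, set_user_type):
    """Apply the plan through a callback (username, user_type_id) -> None; returns change count."""
    for user in plan.promote:
        set_user_type(user, TARGET_UT)
    for user in plan.demote:
        set_user_type(user, DEFAULT_UT)
    return len(plan.promote) + len(plan.demote)


def demo():
    """Constructed sample: three group members, one stale Creator outside the group, one exempt admin."""
    members = ["alice", "bob", "carol"]
    types = {"alice": "viewerUT", "bob": "creatorUT", "carol": "viewerUT",
             "dave": "creatorUT", "erin": "creatorUT", "frank": "viewerUT"}
    return plan_license_changes(members, types, exempt={"erin"})


if __name__ == "__main__":
    p = demo()
    print("promote:", p.promote, "demote:", p.demote)
    apply_plan(p, lambda u, t: print(f"would set {u} -> {t}"))
```

The `set_user_type` callback is where a call to updateUserLicenseType (with a freshly generated token) would go; keeping it separate from the planning step means the schedule can run in report-only mode first and the diff can be reviewed before any license is moved.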
Thanks for the poke on this @DougYurek
Back when I initially responded we began looking at it, but this was near the end of a release and it was much more complicated than we anticipated, and had to defer it.
I have some time still in our current development cycle, so I'll get the team to take another look and see if we can make some progress on it.
@KevinHibma , will it be implemented in the 11.5 release or not yet? Best regards, Phil
Unfortunately, we won't be able to handle this particular scenario with a webhook event.
Internally, the user doesn't so much join the group as they're simply allowed in based on the AD permissions. If we were able to support this, in theory we'd send a webhook event every time the user accessed the group (i.e. when the check is done).