FileMaker External Authentication
Wim Decorte presented on FileMaker External Authentication (EA, SSO, AD, OD, OAuth, LDAP) at Devcon 2017 last summer. Don't let the acronyms bother you. It's actually pretty easy to set up Microsoft Azure, Amazon, or Google to handle external authentication for your FileMaker solution, and Decorte spends most of his session showing you how to do just that.
Why use EA to connect?
The benefits are pretty nice, actually. If you already have users set up outside of FileMaker, then those users can use their credentials to access a FileMaker database. That streamlines setup and administration when rolling out a new database, and offers a lot of other features available with EA services:
- Better password security
- Expiration times
- Complexity (symbols, caps, etc.)
- Geographical limitations
- Multi-factor authentication
- Time frame usage
Types of EA
Some types of EA have existed in FileMaker for years:
- Local – FileMaker's login system
- Active Directory – Windows
- Single Sign On (SSO) – Windows again
- Open Directory – Mac
- LDAP – not a logon service, but a method of making the server easier to find
Newer technologies are now available:
- IP – Identity Provider. A service that stores and manages identities
- IAM – Identity and Access Management
- OAuth – An industry standard that uses tokens between systems to authenticate users
- FIM – Federated Identity Management. This is the same concept as EA.
Three New Services
Microsoft Azure, Amazon, and Google each use OAuth2 to provide authentication, which means the operating system is left out of the process. FileMaker Server Admin is used to configure the connections to each provider, but that setup process is not very hard.
How It Works
The process of logging in changes a bit: the user will open a FileMaker database the same as always using their normal method (shortcut, Open Recent, etc.), but will have the option to choose Azure, Amazon or Google instead of typing in their username and password.
Clicking one of those options will take the user away from FileMaker – don't panic, they will be directed right back – to log in using their credentials with that service. For example, they might have a Google account with all that entails, so they would log in to their account in their default browser. Or if they were already logged in, it will ask them to re-enter their password. By clicking the sign-in button, the user will be directed back to the database.
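To make the hand-off described above concrete, here is an added illustration (not code from the talk, the white paper, or FileMaker Server itself) of the three steps a server goes through: sending the user to the provider with a one-time state value, checking that value when the provider redirects back, and mapping the verified identity to a privilege set. Every name, table and URL in it is constructed for the example; the group-versus-user mapping reflects the Azure vs. Amazon/Google difference the post describes later.

```python
# Constructed model of an OAuth2 redirect login and identity-to-privilege mapping.
# Nothing here is FileMaker Server's own API; all identifiers are assumptions.
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed: only Azure returns group membership along with the user identity.
PROVIDER_HAS_GROUPS = {"azure": True, "amazon": False, "google": False}

# Constructed FileMaker-side tables: individually listed external accounts, and
# external groups (only usable with a provider that supplies groups).
EXTERNAL_ACCOUNTS = {("google", "alice@example.com"): "Data Entry"}
EXTERNAL_GROUPS = {("azure", "FM-Admins"): "Full Access",
                   ("azure", "FM-Staff"): "Data Entry"}


def build_authorize_url(provider, redirect_uri, pending):
    """Step 1: hand the user off to the provider. The random `state` is remembered
    server-side (in `pending`) so the callback can be tied to this login attempt."""
    state = secrets.token_urlsafe(16)
    pending[state] = provider
    params = {"response_type": "code", "redirect_uri": redirect_uri, "state": state}
    return f"https://{provider}.example/authorize?{urlencode(params)}"


def handle_callback(callback_url, pending):
    """Step 2: the provider redirects back with code + state. Accept the code only
    if the state was issued here and has not been used before (one-time use)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    provider = pending.pop(state, None)
    if provider is None or "code" not in query:
        return None  # unknown, replayed or incomplete callback
    return provider, query["code"][0]


def resolve_privilege_set(provider, identity):
    """Step 3: map the provider-verified identity (a constructed claims dict with
    'email' and optional 'groups') to a privilege set. Group claims are honoured
    only for a provider that actually supplies groups; otherwise the user must be
    listed individually, which is the Amazon/Google situation."""
    if PROVIDER_HAS_GROUPS[provider]:
        for group in identity.get("groups", []):
            privilege_set = EXTERNAL_GROUPS.get((provider, group))
            if privilege_set:
                return privilege_set
    return EXTERNAL_ACCOUNTS.get((provider, identity["email"]))
```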
If you are doing this for the first time, you might want to watch the first 12 minutes of the above video for an overview of External Authentication (EA). I highly recommend watching it.
Otherwise, jump ahead to the 13 minute mark to learn how to hook up to Microsoft Azure. This section also includes a bit more of an overview of the process plus the details needed to connect. Azure has one advantage over the other two: it handles users and groups, which gives the database administrator more options to control access. This is a big bonus, in that any Microsoft user with credentials on the internal network can be added to a FileMaker group and be able to log on to the database. Amazon and Google only have user accounts, so you will still have to add users to FileMaker but can choose to let them authenticate with that service.
For Amazon setup, jump ahead to 39:21 to get started.
For Google, jump ahead to 46:28.
All three of these services also work with WebDirect, by the way. Jump to 53:00 minutes for more details.
To use Azure, Amazon, and Google, internet access is required, which means no internet, no access, and nobody using the solution.
Download the white paper for this presentation here. Trust me, you'll want this.
Want to use the FileMaker Data API? Todd Geist has you covered: