Using Active Directory Federation Services (AD FS) to Authenticate Your FileMaker Users

Security is in Soliant Consulting’s DNA, which is why our team has been pushing so hard on exploring and documenting various ways you can securely authenticate the users who need access to your FileMaker apps. This is especially crucial if they also need to use the same security identity across other non-FileMaker solutions. So instead of using native FileMaker accounts, what are your options?

We’ve described many of them in a recent blog post and provided a bit of a history of the features in the FileMaker platform over the last dozen versions.

The disparity between the regular version of FileMaker Server and the FileMaker Cloud version is intriguing and needs to be tracked; the authentication requirements that you or your clients may have can force the choice of one over the other.

The most recent 2.1 update to FileMaker Cloud adds the ability to use Active Directory Federation Services (AD FS), so that your on-premise Active Directory manages your users and the groups to which they belong. We documented the setup here. At the time, it struck us that it was an authentication option only available with FileMaker Cloud, so we set out to do some more exploration. We learned that AD FS can, in fact, be used with the regular version of FileMaker Server as well, since it supports the required OpenID Connect OAuth flow.

Steven Blackwell and I added a white paper to our OAuth series to explain why you or your clients may want to use it, and when you do, how to set it up. That white paper is available here.

The authentication landscape currently looks like the table below. Note that we’ve tested all the Identity Providers (IdPs) listed here. The bottom row in the table is there as a reminder that any IdP supporting the proper OAuth flow can most likely be integrated with your FileMaker apps.

| Identity Provider | FileMaker Server | FileMaker Cloud (2.x) |
| --- | --- | --- |
| On-premise Active Directory | Yes | No |
| On-premise Open Directory | Yes | No |
| Local accounts & groups in the OS of the FileMaker Server machine | Yes | No |
| Active Directory Federation Service | Yes | Yes |
| Okta | Yes | |
| Ping | Yes | No |
| OneLogin | Yes | No |
| Auth0 | Yes | No |
| MiniOrange | Yes | No |
| Azure AD | Yes | Partial (works with WebDirect but not FileMaker Go) |
| Amazon | Yes (individual accounts only) | No |
| Google | Yes (individual accounts only) | No |
| FileMaker ID | No | Yes |
| Any IdP using the Open ID Connect OAuth Flow | Yes | No |

As always, reach out to us here or on the Claris Community Forum with questions or suggestions.

2 thoughts on “Using Active Directory Federation Services (AD FS) to Authenticate Your FileMaker Users”

  1. Thanks Wim for sharing that valuable information and for your time to test all those different Identity Providers. If I understand correctly, FileMaker Server requires that the IdP use the OpenID Connect Standard. Is SAML2 supported or is it limited to OpenID Connect?

    1. Thanks!
      The functionality is limited to OpenID Connect only. However, you can certainly use any of the supported IdPs that support OIDC to be the identity broker to a provider that only supports SAML. Next week we will release a white paper that uses Red Hat’s Keycloak as the IdP; using Keycloak – since it is free – would be a good option in such a setup. We may do a white paper in the near future that demonstrates that.
