Using Active Directory Federation Services (AD FS) to Authenticate Your FileMaker Users

By Wim Decorte | April 8, 2020 | April 15th, 2020

Security is in Soliant Consulting’s DNA, which is why our team has been pushing so hard on exploring and documenting various ways you can securely authenticate the users who need access to your FileMaker apps. This is especially crucial if they also need to use the same security identity across other non-FileMaker solutions. So instead of using native FileMaker accounts, what are your options?

We’ve described many of them in a recent blog post and provided a bit of a history of the features in the FileMaker platform over the last dozen versions.

The disparity between the regular version of FileMaker Server and the FileMaker Cloud version is intriguing and needs to be tracked; the authentication requirements that you or your clients may have can force the choice of one over the other.

The most recent 2.1 update to FileMaker Cloud lets you use Active Directory Federation Services (AD FS), so that your on-premise Active Directory manages your users and the groups to which they belong. We documented the setup here. At the time, it struck us that it was an authentication option only available with FileMaker Cloud, so we set out to do some more exploration. We learned that AD FS can, in fact, be used with the regular version of FileMaker Server as well, since it supports the required OpenID Connect OAuth flow.

Steven Blackwell and I added a white paper to our OAuth series to explain why you or your clients may want to use it, and when you do, how to set it up. That white paper is available here.

The authentication landscape currently looks like the table below. Note that we’ve tested all the Identity Providers (IdP) listed here. The bottom row in the table is there as a reminder that any IdP supporting the proper OAuth flow can most likely be integrated with your FileMaker apps.

| Identity Provider | FileMaker Server | FileMaker Cloud (2.x) |
|---|---|---|
| On-premise Active Directory | Yes | No |
| On-premise Open Directory | Yes | No |
| Local accounts & groups in the OS of the FileMaker Server machine | Yes | No |
| Active Directory Federation Service | Yes | Yes |
| Okta | Yes | Yes |
| Ping | Yes | No |
| OneLogin | Yes | No |
| Auth0 | Yes | No |
| MiniOrange | Yes | No |
| Azure AD | Yes | Partial (works with WebDirect but not FileMaker Pro/Go) |
| Amazon | Yes (individual accounts only) | No |
| Google | Yes (individual accounts only) | No |
| FileMaker ID | No | Yes |
| Any IdP using the OpenID Connect OAuth Flow | Yes | No |

As always, reach out to us here or on the Claris Community Forum with questions or suggestions.

Wim Decorte

Wim is a Senior Technical Solution Architect at Soliant. He is a FileMaker 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17 and 18 Certified FileMaker Developer and the author of numerous Tech Briefs and articles on FileMaker Server. Wim is one of the very few multiple FileMaker Excellence Award winners and was most recently awarded the FileMaker Community Leader of the Year award at the 2015 FileMaker Developer Conference. He is also a frequent speaker at the FileMaker Developer Conference and at FileMaker Developer groups throughout the world. In addition to being a renowned expert on FileMaker Server, Wim also specializes in integrating FileMaker with other applications and systems. His pet project is the open source fmDotNet connector class that he created.

2 Comments

  • Thanks Wim for sharing that valuable information and for your time to test all those different Identity Providers. If I understand correctly, FileMaker Server requires that the IdP use the OpenID Connect Standard. Is SAML2 supported or is it limited to OpenID Connect?

    • Wim Decorte says:

      Thanks!
      The functionality is limited to OpenID Connect only. However you can certainly use any of the supported IdPs that support OIDC to be the identity broker to a provider that only supports SAML. Next week we will release a white paper that uses Red Hat’s Keycloak as the IdP, using Keycloak – since it is free – would be a good option in such a setup. We may do a white paper in the near future that demonstrates that.
