
The FileMaker 19.1 Platform: What’s new in the OAuth Authentication realm?

By Wim Decorte, October 28, 2020

Authenticating your users through an Identity Provider (IdP) that supports the OAuth standard has become a crucial requirement in an increasing number of solutions.

In the past year, Steven Blackwell and I have authored a series of white papers to underline that importance and to provide walkthroughs detailing setting up IdPs such as Okta, Ping, Auth0, OneLogin, KeyCloak, Sign in with Apple, etc. [1]

Besides the obvious benefits of centralized user account management, you also get seamless Multi-factor authentication, account self-service for your users, and even completely passwordless logins.

These are all things that you can already do with FileMaker Server 17 and later, so nothing new in the FileMaker 19.1 platform release. Except for three things.

  1. FileMaker Server for Linux exposes AD FS as a configurable IdP in the Admin Console
  2. FileMaker Server for Linux allows an AD FS group for access to the Admin Console
  3. All 19.1 clients now show a cleaner provider selection in the login dialog.

Let’s start with that last one since that one has the widest application.

Login Dialog

When you configure an OAuth Identity Provider, that provider is added to the Pro, Go, and WebDirect login dialogs for the user to click on and start the authentication process. For the standard three that you can set up in the Admin Console (Azure AD, Google, and Amazon), their proper name and icon are used. For any other provider that you configure through the dbs_config.xml file, in any client before 19.0, the additional OAuth provider’s name and icon always show up as Microsoft. As an example, let’s use a server where we have configured Google as an identity provider in the Admin Console and Red Hat’s KeyCloak configured in the dbs_config.xml file.

Photo of the dbs_config.xml file with Keycloak highlighted

That configuration would result in a login dialog, as shown below, where the Google provider shows up as expected with its proper icon and name, but Keycloak shows up as Microsoft.

Photo of the login for FileMaker Pro 17 through 19.0

FileMaker Pro 17 through 19.0

Photo of login on FileMaker Go 17 through 19.0

FileMaker Go 17 through 19.0

When your users have Pro or Go 19.1, then the result is a lot cleaner with a generic icon but the name of the provider exactly as you have it set up in the dbs_config.xml file:

Photo of login with FileMaker Pro 19.1

FileMaker Pro 19.1

Photo of login in FileMaker Go 19.1

FileMaker Go 19.1

Note that this is all driven by the client. Even if your FileMaker Server is 18 or 19.0, your users will get this improved behavior as long as your clients are using 19.1.

If your solution uses WebDirect, then there is no change; both FileMaker Server 19.0 and 19.1 already show the proper name on the login dialog (but no icon).

Photo of login for a solution using WebDirect

This improved UI is a seemingly small thing, but we believe it is a great step forward in making the adoption of custom OAuth providers easier.

AD FS – Active Directory Federation Services

Claris’ messaging around Active Directory Federation Services in the 19.1 version is, unfortunately, a little misleading. As we have mentioned in our September 30th blog post about the release notes of FileMaker Pro 19.1, support for AD FS has been around for a while now. The FileMaker Go 19.1.2 information on the iOS app store adds to the confusion by also inferring that support for AD FS is something new.

Photo of FileMaker Go 19.1.2 in the iOS App Store

It is not.

But before we get into what really is new, you can catch up on what AD FS is in this blog post from April 2020 and this white paper that walks you through how to use it in your solutions. In short: AD FS is an extension to your regular Active Directory that makes it available as an OAuth Identity Provider so that you can configure your FileMaker Server to use it like any other OAuth IdP.

New – part I: AD FS configuration options in FileMaker Server for Linux

The downside to using custom OAuth providers is that it requires adjusting an XML config file without the benefit of having those settings exposed in the Admin Console. The new FileMaker Server for Linux, however, does add a configuration section to the Admin Console for AD FS.

Photo of admin console showing the addition of a configuration for AD FS

Note that this does not mean that AD FS is only possible with FileMaker Server for Linux; you can use AD FS with any FileMaker Server, including the current FileMaker Cloud edition and any on-premise FileMaker Server since version 17. The only difference is that on anything but FileMaker Server for Linux, you need to add the configuration in the dbs_config.xml file directly, as described in our white papers.

New – part II: AD FS login to the Admin Console in FileMaker Server for Linux

This truly is new functionality, and this one is only available in the FileMaker Server for Linux version. You can grant access to the Admin Console to an Active Directory group of users by way of AD FS.

This is very relevant for those deployments where you cannot join or bind the server to the actual Active Directory domain. Because AD FS authenticates to AD through the OAuth flow, that membership is not required anymore. For now, though, remember that this is only possible when you run your FileMaker Server on Linux.

On all on-premise or self-hosted FileMaker Servers going back to FileMaker 7, you can achieve the same result provided that your FileMaker Server is a member server in an Active Directory or Open Directory.

Photo of login that shows option to allow users to sign in using AD FS

Three configuration changes need to be made for this to work:

  1. Configure the AD FS OAuth settings by adding your client id, client secret, and the host name of your AD FS server:

Photo of admin console and adding AD FS OAuth settings

  2. Under External Accounts for Admin Console Sign In, add the name of an AD group that you want to allow access to the Admin Console:

Photo of the admin console on the Administration tab - adding the name of the AD group

  3. And finally, toggle the switch to allow Admin Console authentication to happen by your AD FS provider:

Photo of admin console with the toggle switch for AD FS highlighted

When you then select AD FS as the login option for your Admin Console, the authentication request is routed to the login page for your AD FS, and when the authentication is successful, the Admin Console is opened and the user has full admin access to the Console.

Photo of login when "Sign in with AD FS" option is clicked, the user is routed to the login page for AD FS
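The three settings above (IdP host name and client id, the allowed AD group, and the AD FS toggle) come together when the Admin Console receives the ID token that AD FS issues after a successful login. The following is an added example, not Claris' code and not a reproduction of FileMaker Server's actual implementation, showing the checks a relying party makes on that token before granting admin access: signature, issuer, audience, expiry, and membership of the configured group. To run offline it signs a constructed token with HS256 and a shared secret; a real AD FS issuer signs with RS256 and publishes its public keys through its OpenID Connect discovery document, and the name of the group claim ("group" here) depends on your AD FS claim issuance rules. The issuer URL, client id and group name are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Placeholders standing in for the three Admin Console settings (constructed values).
ADFS_ISSUER = "https://adfs.example.com/adfs"      # derived from the AD FS host name
CLIENT_ID = "filemaker-admin-console-client-id"    # client id registered in AD FS
ADMIN_GROUP = "FileMaker Server Admins"            # AD group allowed into the Admin Console
GROUP_CLAIM = "group"                              # claim name set by your AD FS claim rules


def b64url_decode(data: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256-signed ID token for this demo only.
    AD FS itself signs ID tokens with RS256; HS256 is used here so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def admin_console_access(token: str, key: bytes, now: Optional[float] = None,
                         issuer: str = ADFS_ISSUER, client_id: str = CLIENT_ID,
                         allowed_group: str = ADMIN_GROUP,
                         group_claim: str = GROUP_CLAIM) -> Tuple[bool, str]:
    """Return (granted, reason) for an ID token presented to the Admin Console."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the token must not get to choose it (e.g. "none").
        if header.get("alg") != "HS256":
            return False, "unexpected signing algorithm"
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    now = time.time() if now is None else now
    # The token must come from the configured AD FS and be meant for this client.
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired"
    # Group membership is the equivalent of the "External Accounts" setting.
    groups = claims.get(group_claim, [])
    if isinstance(groups, str):
        groups = [groups]
    if allowed_group not in groups:
        return False, "user is not in the allowed AD group"
    return True, f"admin access granted to {claims.get('upn', 'unknown')}"


if __name__ == "__main__":
    demo_key = b"demo-shared-secret"  # constructed
    demo_token = make_sample_token({"iss": ADFS_ISSUER, "aud": CLIENT_ID,
                                    "upn": "wim@example.com", "exp": time.time() + 300,
                                    GROUP_CLAIM: ["Domain Users", ADMIN_GROUP]}, demo_key)
    print(admin_console_access(demo_token, demo_key))
```

The order of the checks matters: signature and algorithm are verified before any claim is read, so a forged or re-signed token never reaches the group test, and the group test is what keeps "any AD user who can log in to AD FS" from becoming "any AD user gets the Admin Console".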

Recap of OAuth IdP options

With these new features, the authentication landscape can seem to be a little muddier than before. Here’s a summary of what can be done with what IdP as the available options may be one of the drivers for deciding which FileMaker Server deployment is the best for your authentication requirements.

Options, per deployment: FileMaker Server on-premise (macOS & Windows), FileMaker Server on-premise (Linux), and FileMaker Cloud

Authenticating Users
  On-premise directory service: Active Directory; Open Directory; Local Accounts / Groups
  OAuth IdP: Azure AD; Amazon; Google; Okta [2]; AD FS [2]; any OpenID Connect OAuth IdP (Ping, Sign in With Apple, Auth0, OneLogin, MiniOrange, Keycloak…) [2]
  Claris ID

Authenticating Admin Console Access
  On-premise directory service: Active Directory group; Open Directory group; Local group
  OAuth IdP: Azure AD; Okta; AD FS; Claris ID; any OpenID Connect OAuth IdP

[1] All of these of course in addition to Azure AD, Google and Amazon, which have been available since FileMaker 16. For a historical overview of authentication options with the FileMaker platform: https://www.soliantconsulting.com/blog/onelogin-filemaker-authentication/

[2] Settings not available in Admin Console

Wim Decorte

Wim is a Senior Technical Solution Architect at Soliant. He is a FileMaker 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17 and 18 Certified FileMaker Developer and the author of numerous Tech Briefs and articles on FileMaker Server. Wim is one of the very few multiple FileMaker Excellence Award winners and was most recently awarded the FileMaker Community Leader of the Year award at the 2015 FileMaker Developer Conference. He is also a frequent speaker at the FileMaker Developer Conference and at FileMaker Developer groups throughout the world. In addition to being a renowned expert on FileMaker Server, Wim also specializes in integrating FileMaker with other applications and systems. His pet project is the open source fmDotNet connector class that he created.
