Authenticating your users through an Identity Provider (IdP) that supports the OAuth standard has become a crucial requirement in an increasing number of solutions.
In the past year, Steven Blackwell and I have authored a series of white papers to underline that importance and to provide walkthroughs detailing setting up IdPs such as Okta, Ping, Auth0, OneLogin, Keycloak, Sign in with Apple, etc. [1]
Besides the obvious benefits of centralized user account management, you also get seamless Multi-factor authentication, account self-service for your users, and even completely passwordless logins.
These are all things that you can already do with FileMaker Server 17 and later, so nothing new in the FileMaker 19.1 platform release. Except for three things.
- FileMaker Server for Linux exposes AD FS as a configurable IdP in the Admin Console
- FileMaker Server for Linux allows an AD FS group for access to the Admin Console
- All 19.1 clients now show a cleaner provider selection in the login dialog.
Let’s start with that last one since that one has the widest application.
When you configure an OAuth Identity Provider, that provider is added to the Pro, Go, and WebDirect login dialogs so the user can click on it and start the authentication process. For the standard three that you can set up in the Admin Console (Azure AD, Google, and Amazon), their proper name and icon are used. For any other provider that you configure through the dbs_config.xml file, every client before 19.0 always shows the additional OAuth provider’s name and icon as Microsoft. As an example, let’s use a server where we have configured Google as an identity provider in the Admin Console and Red Hat’s Keycloak in the dbs_config.xml file.
That configuration would result in a login dialog, as shown below, where the Google provider shows up as expected with its proper icon and name, but Keycloak shows up as Microsoft.
When your users are on Pro or Go 19.1, the result is a lot cleaner: a generic icon, but the name of the provider exactly as you have set it up in the dbs_config.xml file:
Note that this is all driven by the client. Even if your FileMaker Server is 18 or 19.0, your users will get this improved behavior as long as your clients are using 19.1.
If your solution uses WebDirect, then there is no change; both FileMaker Server 19.0 and 19.1 already show the proper name on the login dialog (but no icon).
AD FS – Active Directory Federation Services
Claris’ messaging around Active Directory Federation Services in the 19.1 version is, unfortunately, a little misleading. As we mentioned in our September 30th blog post about the release notes of FileMaker Pro 19.1, support for AD FS has been around for a while now. The FileMaker Go 19.1.2 information on the iOS App Store adds to the confusion by also implying that support for AD FS is something new.
But before we get into what really is new, you can catch up on what AD FS is in this blog post from April 2020 and this white paper that walks you through how to use it in your solutions. In short: AD FS is an extension to your regular Active Directory that makes it available as an OAuth Identity Provider so that you can configure your FileMaker Server to use it like any other OAuth IdP.
New – part I: AD FS configuration options in FileMaker Server for Linux
The downside to using custom OAuth providers is that doing so requires editing an XML config file, without the benefit of having those settings exposed in the Admin Console. The new FileMaker Server for Linux, however, does add a configuration section to the Admin Console for AD FS.
Note that this does not mean that AD FS is only possible with FileMaker Server for Linux; you can use AD FS with any FileMaker Server, including the current FileMaker Cloud edition and any on-premise FileMaker Server since version 17. The only difference is that on anything but FileMaker Server for Linux, you need to add the configuration in the dbs_config.xml file directly, as described in our white papers.
New – part II: AD FS login to the Admin Console in FileMaker Server for Linux
This truly is new functionality, and this one is only available in the FileMaker Server for Linux version. You can grant access to the Admin Console to an Active Directory group of users by way of AD FS.
This is very relevant for those deployments where you cannot join or bind the server to the actual Active Directory domain. Because the OAuth flow hands authentication off to AD FS, which in turn authenticates the user against AD, the server itself no longer needs to be a domain member. For now, though, remember that this is only possible when you run your FileMaker Server on Linux.
On all on-premise or self-hosted FileMaker Servers going back to FileMaker 7, you can achieve the same result provided that your FileMaker Server is a member server in an Active Directory or Open Directory.
Three configuration changes need to be made for this to work:
- Configure the AD FS OAuth settings by adding your client id, client secret, and the host name of your AD FS server.
- Under External Accounts for Admin Console Sign In, add the name of an AD group that you want to allow access to the Admin Console.
- Finally, toggle the switch to allow Admin Console authentication to happen through your AD FS provider.
When you then select AD FS as the login option for your Admin Console, the authentication request is routed to the login page for your AD FS, and when the authentication is successful, the Admin Console is opened and the user has full admin access to the Console.
Recap of OAuth IdP options
With these new features, the authentication landscape can seem a little muddier than before. Here’s a summary of what can be done with which IdP on each deployment type, since the available options may be one of the drivers for deciding which FileMaker Server deployment best fits your authentication requirements.
| Options | | macOS & Windows | Linux | FileMaker Cloud |
|---|---|---|---|---|
| On-premise directory service | Active Directory | ✔ | ✖ | ✖ |
| | Local Accounts / Groups | ✔ | ✖ | ✖ |
| OAuth IdP | Azure AD | ✔ | ✔ | ✔ |
| | Okta | ✔ [2] | ✔ [2] | ✔ |
| | AD FS | ✔ [2] | ✔ | ✔ |
| | Any OpenID Connect OAuth IdP (Ping, Sign in with Apple, Auth0, OneLogin, MiniOrange, Keycloak…) | ✔ [2] | ✔ [2] | ✖ |
| Authenticating Admin Console Access | | | | |
| On-premise directory service | Active Directory group | ✔ | ✖ | ✖ |
| | Open Directory group | ✔ | ✖ | ✖ |
| OAuth IdP | Azure AD | ✖ | ✖ | ✔ |
| | Any OpenID Connect OAuth IdP | ✖ | ✖ | ✖ |
[1] All of these, of course, in addition to Azure AD, Google, and Amazon, which have been available since FileMaker 16. For a historical overview of authentication options with the FileMaker platform: https://www.soliantconsulting.com/blog/onelogin-filemaker-authentication/
[2] Settings not available in the Admin Console.