Mastering External Authentication in FileMaker: EA, SSO, AD, OD, OAuth, and LDAP Unveiled

Wim Decorte, FileMaker DevCon 2017

Table of Contents

• Introduction
• Understanding Authentication vs. Authorization
  • Authentication
  • Authorization
• What is External Authentication (EA)?
  • How EA Works in FileMaker
  • Benefits of Using EA
  • Challenges and Considerations
• Single Sign-On (SSO) Explained
  • How SSO Works
  • Benefits of SSO
  • Implementing SSO with FileMaker
• Directory Services Overview
  • Active Directory (AD)
    • Components of AD
    • Integration with FileMaker
  • Open Directory (OD)
    • Components of OD
    • Integration with FileMaker
• Lightweight Directory Access Protocol (LDAP)
  • Understanding LDAP
  • How LDAP Works
  • LDAP and FileMaker
• OAuth Authentication Providers
  • What is OAuth 2.0?
  • Supported OAuth Providers in FileMaker
    • Microsoft Azure Active Directory
    • Google Accounts
    • Amazon Accounts
• Setting Up External Authentication in FileMaker
  • Prerequisites
    • Technical Requirements
    • Security Considerations
  • Configuring FileMaker Server
    • Enabling EA on FileMaker Server
    • Configuring SSL Certificates
    • Firewall and Network Settings
  • Creating EA Accounts in FileMaker Pro
    • Understanding Account Types
    • Setting Up External Accounts
    • Assigning Privilege Sets
• Configuring OAuth Providers
  • Microsoft Azure Active Directory
    • Setting Up an Application in Azure
      • Step-by-Step Guide
      • Common Pitfalls and Solutions
    • Configuring FileMaker Server for Azure AD
      • Detailed Instructions
      • Testing the Configuration
  • Google OAuth
    • Creating a Google API Project
      • Step-by-Step Guide
      • Setting Up the OAuth Consent Screen
    • Configuring FileMaker Server for Google OAuth
      • Detailed Instructions
      • Testing the Configuration
  • Amazon Cognito
    • Setting Up a User Pool in Cognito
      • Step-by-Step Guide
      • Important Settings and Configurations
    • Configuring FileMaker Server for Amazon OAuth
      • Detailed Instructions
      • Testing the Configuration
• External Authentication in FileMaker Go and WebDirect
  • EA in FileMaker Go
  • EA in FileMaker WebDirect
  • Considerations and Limitations
• Troubleshooting External Authentication
  • Common Issues and Solutions
    • SSL Certificate Issues
    • Incorrect Client ID/Secret
    • Redirect URI Mismatch
    • User Not Found
    • Browser Cache Issues
    • Firewall and Network Connectivity
  • Testing EA Configurations
    • Using Test Accounts
    • Analyzing Logs for Troubleshooting
    • Network Connectivity Checks
• Security Considerations
  • Multi-Factor Authentication (MFA)
  • Password Policies and Complexity
  • Session Management and Browser Caching
  • Group Management Best Practices
  • Regular Audits and Compliance
• Conclusion
• References
  • Official Documentation
  • Additional Resources

Introduction

In today’s interconnected digital landscape, managing user authentication efficiently and securely is paramount. The FileMaker Platform, widely used for creating custom apps, recognizes this need and has evolved to support various external authentication mechanisms. Starting from FileMaker version 7, External Authentication (EA) options like Active Directory (AD) and Open Directory (OD) were introduced. With the advent of FileMaker 16, the platform expanded its capabilities to include OAuth 2.0 authentication through providers such as Google, Amazon, and Microsoft Azure Active Directory.

This comprehensive guide delves deep into the external authentication options available in FileMaker, including EA, Single Sign-On (SSO), AD, OD, OAuth, and LDAP. We’ll explore their functionalities, benefits, setup procedures, and how they integrate with the FileMaker Platform. Whether you’re a developer, system administrator, or an IT professional, this detailed resource aims to equip you with the knowledge to implement and manage external authentication effectively in your FileMaker solutions.

Understanding Authentication vs. Authorization

Before diving into the specifics of external authentication options, it’s crucial to understand the fundamental concepts of authentication and authorization. These two terms, often used interchangeably, represent distinct processes in the realm of security.

Authentication

Authentication is the process of verifying the identity of a user or system. It ensures that the entity attempting to gain access is who they claim to be. In practical terms, authentication involves validating credentials such as usernames, passwords, security tokens, or biometric data.

In the context of FileMaker:

• Accounts: In FileMaker, authentication is managed through user accounts. Each account represents a user identity, which can be authenticated internally within the FileMaker file or externally through external authentication providers.
• Login Process: When a user attempts to access a FileMaker solution, they are prompted to provide credentials that the system verifies against stored or external records.

Authorization

Authorization occurs after authentication and determines what an authenticated user is allowed to do within the system. It sets permissions and access levels, ensuring users can only access data and perform actions that they’re permitted to.

In the context of FileMaker:

• Privilege Sets: Authorization is managed through privilege sets, which define the level of access a user has within the FileMaker solution. This includes which layouts they can view, records they can edit, scripts they can run, and more.
• Role-Based Access Control: By assigning privilege sets to user accounts, FileMaker implements role-based access control (RBAC), allowing for granular control over user permissions.

What is External Authentication (EA)?

External Authentication (EA) allows FileMaker Server to delegate the authentication process to an external identity provider rather than relying solely on accounts stored within the FileMaker file. This means users can log in using credentials managed by systems outside of FileMaker, such as Active Directory, Open Directory, or OAuth providers like Google and Microsoft Azure.

How EA Works in FileMaker

1. User Attempts to Access FileMaker Solution: The user opens the FileMaker application and tries to access a database hosted on FileMaker Server.
2. Authentication Request is Redirected: Instead of authenticating against internal accounts stored within the FileMaker file, the authentication request is redirected to the external identity provider.
3. Identity Provider Validates Credentials: The external system verifies the user’s credentials (e.g., username and password).
4. Response Sent Back to FileMaker Server: The identity provider confirms whether the authentication was successful.
5. Access Granted or Denied: If authentication succeeds, FileMaker Server grants access based on the associated privilege set. If it fails, access is denied.

Benefits of Using EA

• Centralized User Management: Manage user accounts, passwords, and policies in one central location, reducing administrative overhead.
• Improved Security:
  • Password Policies: Enforce complex password requirements, expiration policies, and account lockout thresholds.
  • Multi-Factor Authentication (MFA): Leverage MFA methods supported by external providers for enhanced security.
  • Audit Trails: External systems often provide detailed logging and monitoring capabilities.
• Scalability: Easily add or remove users from access groups without modifying the FileMaker file directly.
• Consistency Across Applications: Users have a consistent login experience across different applications within the organization.
• Compliance: Meet organizational and regulatory requirements by adhering to standardized authentication protocols and policies.

Challenges and Considerations

• Complexity of Setup: Configuring EA involves multiple systems and may require coordination with IT departments managing the external identity providers.
• Dependency on External Systems: Availability and performance of authentication rely on external systems being operational.
• Network Requirements: Proper network configuration, including firewalls and SSL certificates, is necessary for secure communication.
• Limited Control Over External Accounts: Changes in the external system (e.g., user account deletions) can impact access to the FileMaker solution.

Single Sign-On (SSO) Explained

Single Sign-On (SSO) is an authentication mechanism that allows users to access multiple applications or systems with a single set of login credentials. SSO simplifies the user experience by reducing the number of times users need to authenticate and minimizes password fatigue.

How SSO Works

1. User Authenticates Once: The user logs in to an identity provider or an SSO portal using their credentials.
2. Authentication Token Issued: Upon successful authentication, the identity provider issues an authentication token (e.g., a session cookie or security token).
3. Access to Multiple Applications: When the user attempts to access another application integrated with the SSO system, the application recognizes the authentication token and grants access without requiring a new login.
4. Token Validation: The application may validate the token with the identity provider to ensure it is still valid and has not expired.

Benefits of SSO

• Improved User Experience: Users log in once and gain access to multiple applications, reducing the need to remember multiple passwords.
• Increased Productivity: Less time spent on login processes allows users to focus on their tasks.
• Enhanced Security:
  • Reduced Password Fatigue: Fewer passwords reduce the likelihood of users writing them down or using weak passwords.
  • Centralized Authentication Policies: Apply consistent security policies across all applications.
• Simplified Administration: Easier management of user access across multiple systems.

Implementing SSO with FileMaker

• Active Directory Integration: FileMaker can utilize Windows Active Directory for SSO within a Windows domain environment. When users are logged into their Windows accounts, they can access FileMaker solutions without re-entering credentials.
• Kerberos Authentication: FileMaker Server can leverage Kerberos, a network authentication protocol, to support SSO in certain configurations.
• Limitations: SSO functionality may be limited to specific platforms or configurations. For example, true SSO is primarily achievable with Active Directory in a Windows environment.

Directory Services Overview

Directory Services are centralized databases that store, organize, and provide access to information about users, computers, and other resources within a network. They enable administrators to manage network resources efficiently and enforce security policies.

Active Directory (AD)

What is AD?

Active Directory is a directory service developed by Microsoft for Windows domain networks. It authenticates and authorizes users and computers, assigning and enforcing security policies and installing or updating software.

Components of AD

• Domain Controllers: Servers that host the Active Directory database and provide authentication services.
• Domains: Logical groupings of objects (users, computers, printers) that share the same AD database.
• Organizational Units (OUs): Containers within domains used to organize objects hierarchically.
• Groups:
  • Security Groups: Used to assign permissions to shared resources.
  • Distribution Groups: Used for email distribution lists.
• Group Policy Objects (GPOs): Used to manage settings for users and computers within the domain.

Integration with FileMaker

• Authentication: FileMaker Server can authenticate users against AD, allowing domain users to access FileMaker solutions using their Windows credentials.
• Group-Based Access: Utilize AD groups to manage access permissions within FileMaker by mapping AD groups to privilege sets.
• Single Sign-On (SSO): Achievable in Windows environments, allowing users to access FileMaker solutions without re-entering credentials.

Open Directory (OD)

What is OD?

Open Directory is Apple’s directory and network authentication services architecture. It provides a central location to store user and group account information, and manage user authentication and access privileges on macOS networks.

Components of OD

• Directory Domains: Similar to AD domains, they are used to organize and manage network resources.
• LDAPv3 and Kerberos: Protocols used for authentication and directory access.
• NetInfo Domains: Legacy directory service used in older macOS versions.
• Managed Preferences: Settings applied to users and computers within the OD.

Integration with FileMaker

• Authentication: FileMaker Server can authenticate users against OD, allowing macOS network users to access solutions using their OD credentials.
• Group-Based Access: Similar to AD, OD groups can be mapped to privilege sets within FileMaker.
• Limitations: SSO capabilities with OD are more limited compared to AD.

Lightweight Directory Access Protocol (LDAP)

Understanding LDAP

Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral protocol used for accessing and maintaining distributed directory information services over an IP network. LDAP is used to query and modify items in directory services like Active Directory and Open Directory.

How LDAP Works

• Directory Structure: LDAP directories are structured hierarchically, resembling a tree with branches representing organizational units, domains, and entries.
• Entries and Attributes: Each entry represents an object (e.g., a user) and contains attributes (e.g., name, email).
• Operations:
  • Bind: Authenticate and specify LDAP protocol version.
  • Search: Query the directory for entries matching certain criteria.
  • Compare: Check if an entry contains a specified attribute value.
  • Modify: Update attributes of an entry.
  • Add/Delete: Add or remove entries.
• Security: LDAP supports anonymous access and authenticated access, with options for encryption using SSL/TLS.

LDAP and FileMaker

• Role in Authentication: While LDAP is used for accessing directory information, FileMaker Server does not directly use LDAP for authentication.
• Indirect Use: FileMaker Server interacts with directory services like AD and OD, which themselves use LDAP. Therefore, LDAP plays an indirect role in the authentication process.
• Configuration: There’s no need to configure LDAP settings within FileMaker Server for authentication purposes.

OAuth Authentication Providers

What is OAuth 2.0?

OAuth 2.0 is an industry-standard protocol for authorization that enables applications to obtain limited access to user accounts on an HTTP service. It allows users to grant access to their resources without sharing their credentials.

• Roles in OAuth 2.0:
  • Resource Owner: The user who owns the protected resources.
  • Client: The application requesting access to the resources.
  • Resource Server: Hosts the protected resources.
  • Authorization Server: Authenticates the resource owner and issues access tokens.

Supported OAuth Providers in FileMaker

FileMaker supports OAuth 2.0 authentication through the following providers:

Microsoft Azure Active Directory

• Azure AD: Microsoft’s cloud-based identity and access management service.
• Features:
  • Supports individual and group-based authentication.
  • Allows integration with on-premises AD.
  • Provides advanced security features like MFA.

Google Accounts

• Google OAuth: Allows users to authenticate using their Google account credentials.
• Features:
  • Wide user base with personal and G Suite accounts.
  • Simplified authentication process.
  • No group-based authentication; individual accounts must be specified.

Amazon Accounts

• Amazon OAuth (Login with Amazon): Enables users to sign in using their Amazon credentials.
• Features:
  • Access to millions of Amazon users.
  • Straightforward setup.
  • No group-based authentication; individual accounts must be specified.

Setting Up External Authentication in FileMaker

Implementing EA involves configuring FileMaker Server to communicate with external identity providers and setting up accounts in your FileMaker solutions to recognize external users or groups.

Prerequisites

Technical Requirements

• FileMaker Server: Must be installed and properly configured. Ensure you are using a version that supports the desired EA options (e.g., FileMaker Server 16 or later for OAuth providers).
• SSL Certificate:
  • Requirement: A valid SSL certificate installed on FileMaker Server is required for secure communication with OAuth providers.
  • Type: Must be issued by a trusted Certificate Authority (CA). Self-signed certificates are not acceptable.
  • Domain Name: The certificate must match the fully qualified domain name (FQDN) of your FileMaker Server.
• Internet Connectivity: For OAuth providers, FileMaker Server must be accessible over the internet, as the authentication process involves redirection to and from external websites.

Security Considerations

• Firewall Settings:
  • Ensure that port 443 (HTTPS) is open and properly routed to your FileMaker Server.
  • Configure network security groups or firewalls to allow necessary inbound and outbound traffic.
• Administrative Access:
  • Access to FileMaker Server Admin Console with sufficient privileges to make configuration changes.
  • Access to the administration portals of the external identity providers (e.g., Azure Portal, Google Cloud Console, AWS Console).
• Compliance:
  • Be aware of any organizational policies or regulatory requirements that may impact the use of external authentication services.

Configuring FileMaker Server

Enabling EA on FileMaker Server

1. Access the Admin Console:
   • Open a web browser and navigate to the FileMaker Server Admin Console, typically at:bashCopy codehttps://your_fm_server_address:16001/admin-console
   • Log in with your admin credentials.
2. Navigate to Security Settings:
   • In the Admin Console, go to Configuration > Database Server > Security.
3. Enable External Authentication:
   • Under Client Authentication, select FileMaker and external server accounts.
     • Note: This setting allows both internal FileMaker accounts and external accounts to authenticate.
4. Enable OAuth Providers:
   • Scroll down to the OAuth section.
   • Check the boxes for the OAuth providers you wish to enable:
     • Google
     • Amazon
     • Microsoft Azure AD
5. Configure OAuth Providers:
   • For each enabled provider, you’ll need to provide specific information:
     • Client ID
     • Client Secret
     • Additional Information (e.g., Tenant ID for Azure AD)
6. Configure Redirect URIs:
   • The redirect URI is the address that the OAuth provider will use to redirect the user back to your FileMaker Server after authentication.
   • The standard format is:bashCopy codehttps://your_fm_server_address/fmi/auth/oauth2/callback
   • Ensure this URI is registered with the OAuth provider.
7. Save Changes:
   • After entering the necessary information, click Save or Apply to confirm the settings.
8. Restart FileMaker Server:
   • To apply the changes, restart the FileMaker Server service.
     • Warning: Restarting the server will disconnect all connected clients. Schedule this action during maintenance windows.

Configuring SSL Certificates

1. Obtain a Valid SSL Certificate:
   • Purchase an SSL certificate from a trusted Certificate Authority (CA) that matches your server’s FQDN.
2. Install the SSL Certificate on FileMaker Server:
   • Use the FileMaker Server Admin Console or command-line tools to import and install the certificate.
3. Verify SSL Configuration:
   • Ensure that when accessing the Admin Console or hosted solutions via HTTPS, the browser shows a secure connection without warnings.
4. Test Accessibility:
   • From an external network, verify that your FileMaker Server is reachable via HTTPS using the FQDN.

Firewall and Network Settings

1. Open Necessary Ports:
   • Port 443 (HTTPS): Must be open for secure web traffic.
   • Port 5003 (FileMaker Data): For FileMaker clients to connect (may not be necessary for OAuth setup but required for client connections).
2. Configure Network Security Groups:
   • In cloud environments (e.g., AWS, Azure), ensure that security groups allow inbound traffic on required ports.
3. Check Router and NAT Settings:
   • If behind a NAT device or firewall, configure port forwarding to route external traffic to your FileMaker Server.
4. DNS Configuration:
   • Ensure that your server’s FQDN resolves to the correct public IP address.

Creating EA Accounts in FileMaker Pro

Understanding Account Types

• Internal Accounts: Accounts stored within the FileMaker file, managed directly in the Manage Security dialog.
• External Accounts: Accounts authenticated through an external provider, specified in the FileMaker file but validated externally.

Setting Up External Accounts

1. Open File in FileMaker Pro:
   • Open the database file you wish to secure.
2. Access Manage Security:
   • Navigate to File > Manage > Security.
   • You must have full access privileges to modify security settings.
3. Add New Account:
   • In the Accounts tab, click the New button to create a new account.
4. Select Authentication Type:
   • In the Edit Account dialog, choose the appropriate authentication method:
     • External Server: For AD or OD groups.
     • Amazon: For Amazon OAuth.
     • Google: For Google OAuth.
     • Microsoft Azure AD: For Azure OAuth.
5. Enter Account Details:
   • For AD/OD:
     • Account Type: External Server.
     • Group Name: Enter the group name exactly as it appears in the directory service.
       • Case Sensitivity: Group names may be case-sensitive depending on the platform.
   • For OAuth Providers:
     • Account Type: Select the specific OAuth provider.
     • User Identifier:
       • Google/Amazon: Enter the user’s email address associated with their account.
       • Azure AD:
         • User: Enter the user’s UPN (User Principal Name) or email address.
         • Group: Azure supports group-based authentication; however, you may need to use the Object ID of the group.
6. Assign Privilege Set:
   • Choose an appropriate privilege set that defines what the user or group can do within the database.
     • Custom Privilege Sets: Create custom privilege sets for specific roles or access levels as needed.
7. Add Description (Optional):
   • For clarity, especially when using object IDs or GUIDs, add a description to identify the account or group.
8. Save Changes:
   • Click OK to confirm the account settings.
   • Click OK again to exit the Manage Security dialog.

Assigning Privilege Sets

• Default Privilege Sets:
  • Full Access: Complete access to all areas of the database (use cautiously).
  • Data Entry Only: Allows data entry but restricts design changes.
  • Read-Only Access: Users can view data but cannot modify it.
• Custom Privilege Sets:
  • Define specific permissions for layouts, records, scripts, value lists, and more.
  • Use custom privilege sets to tailor access based on roles or departments.

Configuring OAuth Providers

Each OAuth provider requires specific steps to integrate with FileMaker Server. Below are detailed instructions for setting up Microsoft Azure Active Directory, Google OAuth, and Amazon OAuth.

Microsoft Azure Active Directory

Setting Up an Application in Azure

Step-by-Step Guide

1. Access Azure Portal:
   • Navigate to the Azure Portal.
   • Sign in with your Azure account credentials.
2. Register a New Application:
   • In the left-hand navigation pane, select Azure Active Directory.
   • Click on App registrations.
   • Click + New registration.
3. Configure Application Registration:
   • Name: Enter a meaningful name (e.g., “FileMaker Authentication App”).
   • Supported Account Types:
     • Choose who can use the application:
       • Accounts in this organizational directory only: For single-tenant applications.
       • Accounts in any organizational directory: For multi-tenant applications.
   • Redirect URI:
     • Set the type to Web.
     • Enter the redirect URI:bashCopy codehttps://your_fm_server_address/fmi/auth/oauth2/callback
   • Click Register.
4. Gather Application IDs:
   • After registration, you will be on the application’s Overview page.
   • Application (client) ID: Copy this value; it will be used as the Client ID in FileMaker Server.
   • Directory (tenant) ID: Copy this value; it will be used as the Tenant ID in FileMaker Server.
5. Create a Client Secret:
   • In the left-hand menu, select Certificates & secrets.
   • Under Client secrets, click + New client secret.
   • Description: Enter a description (e.g., “FileMaker Server Secret”).
   • Expires: Set the expiration period (recommend setting a rotation policy).
   • Click Add.
   • Value: Copy the client secret value (not the secret ID). You won’t be able to view it again after leaving the page.
6. Configure API Permissions (Optional):
   • If required, configure any necessary API permissions under API permissions.
   • For basic authentication, no additional permissions are typically needed.
7. Configure Manifest for Group Claims (If Using Groups):
   • In the left-hand menu, select Manifest.
   • Find the "groupMembershipClaims" setting.
   • Set its value to "SecurityGroup" or "All" depending on your needs.
   • Save the manifest.

Common Pitfalls and Solutions

• Incorrect Redirect URI:
  • Ensure the redirect URI in Azure matches exactly with what is configured in FileMaker Server.
  • Must use HTTPS and include the full path.
• Client Secret Not Saved:
  • The client secret value is only shown once. If you lose it, you’ll need to create a new one.
• Group Claims Not Configured:
  • If using group-based authentication, failing to configure group claims will prevent group information from being sent.
• Application Permissions:
  • Ensure that the application has the necessary permissions if accessing additional resources.

Configuring FileMaker Server for Azure AD

Detailed Instructions

1. Open FileMaker Server Admin Console:
   • Navigate to Configuration > Database Server > Security.
2. Enable Microsoft Azure AD:
   • Under OAuth providers, check Microsoft Azure AD.
3. Enter Azure AD Details:
   • Azure Client ID: Paste the Application (client) ID from Azure.
   • Azure Client Secret: Paste the Client Secret value.
   • Azure Tenant ID: Paste the Directory (tenant) ID.
4. Save and Restart:
   • Click Save or Apply.
   • Restart FileMaker Server to apply changes.

Testing the Configuration

1. Create a Test User in Azure AD:
   • In Azure AD, create a user or use an existing one.
   • Assign the user to any necessary groups if using group authentication.
2. Create an Account in FileMaker:
   • Open your FileMaker file.
   • Go to Manage Security.
   • Click New to create a new account.
   • Account Type: Choose Microsoft Azure AD.
     • User: Enter the user’s UPN or email address.
     • Group: If using groups, enter the Object ID of the group from Azure AD.
   • Assign an appropriate privilege set.
   • Save changes.
3. Test Login:
   • Open the FileMaker solution.
   • In the login dialog, click the Microsoft button.
   • You should be redirected to the Azure AD login page.
   • Enter the test user’s credentials.
   • After successful authentication, you should gain access to the FileMaker solution.

Google OAuth

Creating a Google API Project

Step-by-Step Guide

1. Access Google Cloud Console:
   • Navigate to the Google Cloud Console.
   • Log in with your Google account.
2. Create a New Project:
   • Click on the project dropdown at the top and select New Project.
   • Project Name: Enter a name (e.g., “FileMaker Authentication Project”).
   • Organization and Location: Choose as appropriate.
   • Click Create.
3. Enable APIs and Services:
   • With the new project selected, go to APIs & Services > Dashboard.
   • Click + ENABLE APIS AND SERVICES.
   • Search for and enable the Google+ API (if required) or other relevant APIs.
4. Set Up the OAuth Consent Screen:

Setting Up the OAuth Consent Screen

1. Configure Consent Screen:
   • In APIs & Services, select OAuth consent screen.
   • User Type: Choose External for testing or Internal for G Suite accounts.
   • Click Create.
2. App Information:
   • App Name: Enter a name (e.g., “FileMaker Authentication App”).
   • User Support Email: Select an email address.
   • App Logo: Optional.
3. Scopes:
   • Add scopes if necessary. For basic authentication, default scopes are sufficient.
4. Authorized Domains:
   • Add the domain of your FileMaker Server (e.g., yourdomain.com).
5. Developer Contact Information:
   • Enter your email address.
6. Save and Continue:
   • Complete any additional steps and save the configuration.

Continue with Credentials Setup

1. Create OAuth Client ID:
   • Go to Credentials.
   • Click + CREATE CREDENTIALS > OAuth client ID.
   • Application Type: Select Web application.
   • Name: Enter a name (e.g., “FileMaker OAuth Client”).
   • Authorized JavaScript Origins: Leave blank unless necessary.
   • Authorized Redirect URIs:
     • Enter:bashCopy codehttps://your_fm_server_address/fmi/auth/oauth2/callback
   • Click Create.
2. Obtain Client ID and Secret:
   • After creation, a dialog will display the Client ID and Client Secret.
   • Copy both values for use in FileMaker Server configuration.

Configuring FileMaker Server for Google OAuth

Detailed Instructions

1. Open FileMaker Server Admin Console:
   • Navigate to Configuration > Database Server > Security.
2. Enable Google OAuth:
   • Under OAuth providers, check Google.
3. Enter Google OAuth Details:
   • Google Client ID: Paste the Client ID obtained from the Google Cloud Console.
   • Google Client Secret: Paste the Client Secret.
4. Save and Restart:
   • Click Save or Apply.
   • Restart FileMaker Server to apply changes.

Testing the Configuration

1. Create an Account in FileMaker:
   • Open your FileMaker file.
   • Go to Manage Security.
   • Click New to create a new account.
   • Account Type: Choose Google.
   • User: Enter the user’s Google email address.
   • Assign an appropriate privilege set.
   • Save changes.
2. Test Login:
   • Open the FileMaker solution.
   • In the login dialog, click the Google button.
   • You should be redirected to the Google login page.
   • Enter the test user’s Google credentials.
   • After successful authentication, you should gain access to the FileMaker solution.

Amazon Cognito

Setting Up a User Pool in Cognito

Step-by-Step Guide

1. Access AWS Management Console:
   • Navigate to the AWS Console.
   • Log in with your AWS account.
2. Navigate to Amazon Cognito:
   • In the services menu, select Cognito under the Security, Identity, & Compliance section.
3. Create a User Pool:
   • Click Manage User Pools.
   • Click Create a user pool.
   • Pool Name: Enter a name (e.g., “FileMakerUserPool”).
4. Configure User Pool Settings:
   • Attributes: Select required attributes (e.g., email).
   • Policies: Configure password policies.
   • MFA and Verification: Set up multi-factor authentication if desired.
   • Message Customizations: Customize messages sent to users.
   • Tags: Optional.
   • Devices: Optional.
   • Triggers: Optional.
5. Set Up App Client:
   • Under App clients, click Add an app client.
   • App Client Name: Enter a name (e.g., “FileMakerAppClient”).
   • Generate Client Secret: Do not check this option; FileMaker Server does not support client secrets with Amazon OAuth.
   • Click Create App Client.
   • Note the App Client ID.
6. Configure Domain Name:
   • In the left-hand menu, select Domain name.
   • Enter a unique domain prefix (e.g., “filemakerauth”).
   • Click Check availability.
   • If available, click Save.
7. Set Up App Client Settings:
   • Under App Integration, select App client settings.
   • Enabled Identity Providers: Check Cognito User Pool.
   • Callback URL(s):
     • Enter:bashCopy codehttps://your_fm_server_address/fmi/auth/oauth2/callback
   • OAuth 2.0 Scopes:
     • Check email, openid, and profile.
   • Click Save Changes.

Important Settings and Configurations

• Client Secret:
  • Do not generate a client secret for the app client; FileMaker Server’s integration with Amazon does not support client secrets.
• Domain Name:
  • The domain name is required for hosting the Amazon Cognito authentication pages.
• Scopes:
  • Ensure that the necessary scopes are selected to provide the required user information.

Configuring FileMaker Server for Amazon OAuth

Detailed Instructions

1. Open FileMaker Server Admin Console:
   • Navigate to Configuration > Database Server > Security.
2. Enable Amazon OAuth:
   • Under OAuth providers, check Amazon.
3. Enter Amazon OAuth Details:
   • Amazon Client ID: Paste the App Client ID obtained from Amazon Cognito.
   • Amazon Client Secret: Leave this field blank since no client secret is used.
   • Additional Settings:
     • If required, enter the Domain Prefix configured in Cognito.
4. Save and Restart:
   • Click Save or Apply.
   • Restart FileMaker Server to apply changes.

Testing the Configuration

1. Create a User in Cognito User Pool:
   • In Cognito, navigate to Users and groups.
   • Click Create user.
   • Enter user details (username, email, temporary password).
2. Create an Account in FileMaker:
   • Open your FileMaker file.
   • Go to Manage Security.
   • Click New to create a new account.
   • Account Type: Choose Amazon.
   • User: Enter the user’s email address associated with their Amazon account.
   • Assign an appropriate privilege set.
   • Save changes.
3. Test Login:
   • Open the FileMaker solution.
   • In the login dialog, click the Amazon button.
   • You should be redirected to the Amazon Cognito login page.
   • Enter the test user’s credentials.
   • After successful authentication, you should gain access to the FileMaker solution.

External Authentication in FileMaker Go and WebDirect

External Authentication is not limited to FileMaker Pro; it is also supported in FileMaker Go (iOS) and FileMaker WebDirect (web browser access). This ensures a consistent authentication experience across different platforms.

EA in FileMaker Go

• User Experience:
  • When accessing a FileMaker solution that uses EA, FileMaker Go will present the same login dialog with options to authenticate via OAuth providers.
• Process:
  1. User taps on the hosted solution in FileMaker Go.
  2. The login dialog appears with buttons for the enabled OAuth providers.
  3. User taps on an OAuth provider button.
  4. FileMaker Go opens the default web browser (e.g., Safari) to handle the OAuth authentication.
  5. After successful authentication, the browser redirects back to FileMaker Go, and the user gains access to the solution.
• Considerations:
  • Browser Interaction: Requires switching between FileMaker Go and the web browser.
  • Cached Credentials: Be cautious of stored credentials in the mobile browser, which may affect the authentication process.

EA in FileMaker WebDirect

• User Experience:
  • Users access FileMaker solutions via a web browser.
  • The login page presents options to authenticate using OAuth providers.
• Process:
  1. User navigates to the WebDirect URL of the FileMaker Server.
  2. The list of available databases is displayed.
  3. Upon selecting a database, the login page appears with OAuth provider buttons.
  4. User clicks on an OAuth provider button.
  5. The browser redirects to the provider’s login page.
  6. After authentication, the user is redirected back to WebDirect and gains access.
• Considerations:
  • Browser Compatibility: Ensure that the browser used is supported by FileMaker WebDirect.
  • Session Management: WebDirect sessions may be affected by browser caching and cookies.

Considerations and Limitations

• OAuth Limitations:
  • Some OAuth providers may not support certain features on mobile devices.
  • Ensure that the OAuth provider’s authentication pages are mobile-friendly.
• User Experience:
  • The redirection process may vary slightly between platforms due to differences in how mobile and desktop browsers handle redirects.
• Security:
  • Be aware of the security implications of using external browsers for authentication, especially on shared devices.

Troubleshooting External Authentication

Implementing EA can introduce complexities that may lead to authentication issues. Understanding common problems and how to resolve them is crucial for a smooth deployment.

Common Issues and Solutions

SSL Certificate Issues

• Problem:
  • Authentication fails because the SSL certificate is invalid, expired, or not trusted.
• Solution:
  • Ensure that a valid SSL certificate from a trusted CA is installed on FileMaker Server.
  • Verify that the certificate matches the server’s FQDN.
  • Test the SSL connection using external tools or browsers to check for warnings or errors.

Incorrect Client ID/Secret

• Problem:
  • Authentication fails due to incorrect client credentials.
• Solution:
  • Double-check the Client ID and Client Secret entered in FileMaker Server.
  • Ensure that the credentials correspond to the correct application or project in the OAuth provider’s console.
  • Be cautious of extra spaces or characters when copying and pasting.

Redirect URI Mismatch

• Problem:
  • The OAuth provider rejects the authentication request because the redirect URI does not match.
• Solution:
  • Verify that the redirect URI registered with the OAuth provider matches exactly what is configured in FileMaker Server.
  • Ensure the URI uses HTTPS and includes the full path (e.g., /fmi/auth/oauth2/callback).
  • Update the redirect URI in the OAuth provider’s console if necessary.

User Not Found

• Problem:
  • After successful authentication, the user receives an error stating that they do not have access.
• Solution:
  • Confirm that the user’s account is correctly set up in the FileMaker file with the appropriate authentication type.
  • For group-based authentication, ensure the user is a member of the specified group.
  • Check for case sensitivity in usernames and group names.

Browser Cache Issues

• Problem:
  • Users are automatically logged in with cached credentials, or authentication fails due to old sessions.
• Solution:
  • Instruct users to clear their browser cache and cookies.
  • Encourage users to log out of external accounts if shared devices are used.
  • Be aware of browser-specific behaviors related to caching and session management.

Firewall and Network Connectivity

• Problem:
  • Authentication requests fail due to network issues or blocked ports.
• Solution:
  • Ensure that the necessary ports (e.g., 443 for HTTPS) are open and properly forwarded to the FileMaker Server.
  • Verify that the server is accessible from the internet using its FQDN.
  • Check for any network devices or policies that might be blocking traffic.

Testing EA Configurations

Using Test Accounts

• Create Dedicated Test Users:
  • Set up test user accounts in the external identity provider to safely test authentication without impacting real users.
• Test Different Scenarios:
  • Verify authentication for users with different privilege sets and group memberships.
  • Test both successful and failed authentication attempts.

Analyzing Logs for Troubleshooting

• FileMaker Server Logs:
  • Review the Event.log and Access.log located in the FileMaker Server Logs directory.
  • Look for error messages or warnings related to authentication.
• OAuth Provider Logs:
  • Some providers offer logs or monitoring tools to track authentication attempts.
  • Check for any errors or rejected requests.
• Browser Developer Tools:
  • Use browser developer tools to inspect network requests and responses during the authentication process.

Network Connectivity Checks

• Ping and Traceroute:
  • Use ping and traceroute to test connectivity to the FileMaker Server from external networks.
• Port Scanning Tools:
  • Verify that necessary ports are open using tools like nmap or online port scanners.
• DNS Resolution:
  • Ensure that the server’s FQDN resolves correctly to its public IP address.

Security Considerations

Implementing EA introduces new security aspects that must be carefully managed to protect your FileMaker solutions and user data.

Multi-Factor Authentication (MFA)

• Enhance Security:
  • Utilize MFA features provided by external identity providers to add an extra layer of security.
• Provider Support:
  • Ensure that the provider’s MFA implementation is compatible with the authentication flow used by FileMaker Server.
• User Training:
  • Educate users on how to use MFA and the importance of securing their authentication methods.

Password Policies and Complexity

• Enforce Strong Passwords:
  • Rely on the external provider’s password policies to enforce complexity, expiration, and reuse rules.
• Consistency Across Systems:
  • By centralizing authentication, maintain consistent password policies across multiple applications.

Session Management and Browser Caching

• Manage Sessions Carefully:
  • Be aware that browsers may cache authentication tokens or credentials.
• Logout Mechanisms:
  • Implement proper logout mechanisms in your FileMaker solutions to end sessions securely.
• Shared Devices:
  • Advise users against using shared devices for authentication or ensure they log out completely.

Group Management Best Practices

• Principle of Least Privilege:
  • Assign users the minimal level of access necessary for their role.
• Regular Review:
  • Periodically review group memberships and privilege sets to ensure they are up to date.
• Automated Provisioning:
  • If possible, integrate with identity management tools to automate user provisioning and deprovisioning.

Regular Audits and Compliance

• Security Audits:
  • Conduct regular security audits to identify potential vulnerabilities.
• Compliance Requirements:
  • Ensure that your authentication methods meet any regulatory requirements (e.g., GDPR, HIPAA).
• Logging and Monitoring:
  • Maintain logs of authentication attempts and access for auditing purposes.

Conclusion

External Authentication in FileMaker provides a powerful means to enhance security, streamline user management, and integrate seamlessly with existing identity management systems. By leveraging EA options such as Active Directory, Open Directory, and OAuth providers like Google, Amazon, and Microsoft Azure, organizations can centralize authentication processes and enforce consistent security policies across their applications.

Implementing EA requires careful planning, configuration, and testing. Understanding the intricacies of each authentication method, adhering to best practices, and being vigilant about security considerations are essential for a successful deployment. With the detailed guidance provided in this comprehensive guide, you are well-equipped to set up and manage external authentication in your FileMaker solutions effectively.

References

Official Documentation

• Claris FileMaker Security Guide:
  • FileMaker 19 Security Guide
• FileMaker Server Help:
  • FileMaker Server 19 Help
• OAuth 2.0 Specification:
  • RFC 6749 – The OAuth 2.0 Authorization Framework

Microsoft Azure

• Azure Active Directory Documentation:
  • What is Azure Active Directory?
• Register an Application with Azure AD:
  • Quickstart: Register an application with the Microsoft identity platform

Google Cloud Platform

• Google OAuth Documentation:
  • Using OAuth 2.0 to Access Google APIs
• Google Cloud Console:
  • Google Cloud Console

Amazon Web Services

• Amazon Cognito Developer Guide:
  • What is Amazon Cognito?
• AWS Management Console:
  • AWS Console

Additional Resources

• LDAP Overview:
  • Understanding LDAP
• Active Directory Documentation:
  • Active Directory Documentation
• Open Directory Administration:
  • Apple Open Directory Administration

By thoroughly understanding and carefully implementing external authentication options, you can significantly enhance the security and efficiency of your FileMaker solutions. This guide serves as a comprehensive resource to navigate the complexities and leverage the full potential of EA in the FileMaker Platform.

Source:

https://www.soliantconsulting.com/blog/filemaker-oauth-external

Files:

https://community.claris.com/en/s/article/adv002—external-authentication-options–ea–sso–ad–od–oauth–ldap—wim-decorte

Video