FileMaker Cloud 2.1 – Authenticate Users Against Active Directory

When Claris launched Cloud 2.1, its “FileMaker Server in the Cloud” product introduced the capability to let users sign in with accounts other than their FileMaker ID, specifically using either Okta or ADFS authentication. In my blog post from February 24, you will find a walkthrough of how to set up Okta as the Identity Provider (IdP) for client authentication in FileMaker.

Using Active Directory Federation Services (ADFS)

Besides Okta, you can also use Active Directory accounts through Active Directory Federation Services (ADFS). To be clear, ADFS is not Azure AD (Microsoft’s Active Directory in the cloud); rather, ADFS allows you to use your on-premise Active Directory. FileMaker Cloud 2.1 does not currently work with Azure AD. This is different than the on-premise regular version of FileMaker Server, which can work with both on-premise AD and Azure AD.

ADFS is a component you install on Windows Server, a role that you add to the server. For this walkthrough, you must already have a working on-premise Active Directory and have ADFS installed.

Figure 1: Screenshot of selecting server roles in the Add Roles and Features Wizard
Figure 1: Server roles

Note: because ADFS requires the Windows IIS web server and access on port 443, it is not a good idea to install the ADFS role on a machine running FileMaker Server.

For this example, the AD domain is named soliantdev.cloud, and we have two groups: FM_managers and FM_staff. And two users: Jane Manager, who belongs to both groups, and Joe Staff, who only belongs to the FM_staff group.

Figure 2: Screenshot of the groups and users on the Active Directory domain
Figure 2: Groups and users

Make sure that each user has their email set since that property will be used to identify the user as set up in the FileMaker Cloud subscription.

Figure 3: Screenshot of entering user properties
Figure 3: Enter user email

Most of the setup is done in ADFS, which you will then follow up by configuring the ADFS service in your FileMaker Cloud subscription to make the two connect. The official documentation is in the FileMaker Knowledge Base.

On the server where you installed the ADFS role (which may or may not be your AD server), open the ADFS management console from the Server Manager utility.

Figure 4: Screenshot of the Tools popup and seleting AD FS Management
Figure 4: Select ‘AD FS Management’ under Tools to open the console

Right-click Application Groups to add a new one.

Figure 5: Screenshot of contextual menu that appears when right clicking on Application Groups
Figure 5: Select ‘Add Applications Group…’ in the contextual menu

From the available options, choose Server application accessing a Web API and give the setup a meaningful name.

Figure 6: Screenshot of the Template options
Figure 6: Select ‘Server application accessing a Web API’ under the Template

On the next screen, make a note of the client id that is generated for you (you will need it later), and add the standard FileMaker Cloud redirect URL (https://my.filemaker.com/login).

Figure 7: Screenshot of the Server application step and the generated client ID
Figure 7: Make note of the generated client ID for later use

On the next screen, let the wizard generate a new client secret and also save that for later; you will need it when configuring FileMaker Cloud.

Figure 8: Screensho tof the Configure Application Creditionals step and the generated client secret
Figure 8: Generated client secret

Enter the client ID that you had saved earlier for the identifier on the Configure Web API screen:

Figure 9: Screenshot of the Configure Web API step and entering the client ID saved from earlier
Figure 9: Enter the client ID

You can accept all the defaults for the Access Control Policy.

Figure 10: Screenshot of the Apply Access Control Policy step - accept all defaults
Figure 10: Accept all defaults

In the Configure Application Permissions section, we select what data from the user’s account will flow to FileMaker Cloud once the user is authenticated. If you have set up any other OAuth provider, you will recognize this as what is typically referred to as ‘scope.’ Make sure to select allclaims, email, openid, and profile.

Figure 11: Screeshot of the Configure Application Permissions - select data to flow to FileMaker Cloud
Figure 11: Select the data that will flow to FileMaker Cloud from user’s account

Step through the rest of the wizard to complete the settings, and then right-click the application group and choose Properties:

Figure 12: Screenshot of the Application Group step and selecting Properties
Figure 12: Select Properties</strong

Pick the Web API entry and click Edit.

Figure 13: Screenshot of the FMC2 Properties and selecting 'FMC2- Web API under 'Applications'
Figure 13: Select FMC2 – Web API

On the Issuance Transform Rules, add a rule; this is where the user’s AD account properties will be translated into OAuth OpenID Connect properties so that FileMaker Cloud will receive an id_token in the correct format.

Figure 14: Screenshot of FMC2 - Web API Properties with the Issuance Tranform Rules tab active
Figure 14: Click Add Rule under the Issuance Transform Rules tab

Select Send LDAP Attributes as Claims.

Figure 15: Screenshot of the Add Tranform Claim Rule Wizard and the Choose Rule Type step
Figure 15: Select the rule template

On the next screen, name the rule profile, make sure Active Directory is set as the Attribute store, and set the mapping as in the screenshot below. Note that for the right-hand side, you can pick from the value list provided, but for the right-hand side, you have to manually type the two entries indicated (and they are case sensitive).

Figure 16: Screenshot of the Add Transform Claim Rule Wizard and the Configure Claim Rule step
Figure 16: Name the rule profile

Click Finish to save the settings and verify that on the Client Permissions tab, the indicated selections are active.

Figure 17: Screenshot of the FMCS - Web API Properties with the Client Permissions tab active
Figure 17: Verify selections are active

Click Apply to save and OK to dismiss the Properties dialog. Still in the ADFS Manager tool, select Edit Federation Service Properties from the right-hand pane:

Figure 18: Screenshot of the AD FS Manager tool - with the Actions meu in the right-side pane
Figure 18: Select Edit Federation Service Properties… in the Actions pane

Make sure that the Federation Service Identifier has the proper HTTPS prefix.

Figure 19: Screenshot of the Federation Service Properties highlighting the Federation Service identifier
Figure 19: Make sure the HTTPS prefix is used

At this point, you are done with the ADFS configuration on your server. But before you log out of your server, there is one more piece of information to collect. Open a PowerShell command line window and type in the following command:

Figure 20: Screenshot of the PowerShell command line
Figure 20: Enter Get-AdfsProperties in the command line

And scroll down the list until you see IdTokenIssuer and make a note of that URL. You will need it for the FileMaker Cloud configuration.

Figure 21: Screenshot of command line with the IdTokenIssuer highlighted
Figure 21: Note the URL for the IdTokenIssuer

Log into your FileMaker Cloud subscription and click on the Settings header. At the bottom you will find the section to set up an external IdP:

Figure 22: Screenshot the External IdP Accounts section
Figure 22: External IdP Accounts section

On the very first dialog, enter the URL for the IdTokenIssuer that you collected from the ADFS properties and the Client ID from setting up the Application Group in the ADFS Manager.

Figure 23: Screenshot of the Team Identity Provider dialog
Figure 23: Enter URL for the IdTokenIssuer

If your ADFS server is reachable through the internet on that URL, you will be prompted to name this IdP setup for the Client Secret that was generated earlier.

Figure 24: Screenshot of the FInish setting up dialog
Figure 24: Name the IdP setup

The next step is to confirm that the authentication setup works correctly.

Figure 25: Screenshot of the Verify the identity provider setup dialog
Figure 25: Confirm the authentication setup works correctly

When you click the Sign In button, you should log in with any of your AD accounts:

Figure 26: Screenshot of the Sign In
Figure 26: Sign in with any of your Active Directory accounts

And if everything is configured properly, FileMaker Cloud will show you the success status:

Figure 27: Screenshot of the setup success dialog
Figure 27: Setup successful status

There are two more steps to take to make sure your AD users can access your FileMaker solution hosted on FileMaker Cloud:

  1. Invite your users to your FileMaker Cloud subscription as licensed users.
  2. Add them to your existing FileMaker Cloud user groups if you are using group-based authentication or add them individually to your FileMaker security schema in your FileMaker file.

To invite users, click on Users in your FileMaker Cloud Customer Console and click the blue Invite Users button.

Figure 28: Screenshot of the FileMaker Cloud Customer Console highlightng the Invite New User button
Figure 28: Click the Invite New User button

Invite the user by their email address and make sure to toggle the Licensed User setting and the bottom selection that will flag them as a user from the external IdP.

Figure 29: Screenshot of the Invite New User dialog and entering the user's email address
Figure 29: Enter the user’s email address

While you wait for the users to respond to the invitation, you can add them to the relevant groups in the Groups section of your FileMaker Cloud subscription. Or add them individually to the security schema in your FileMaker files. (We highly recommend group authentication though.)

That user will receive an invitation in their email box where they can initiate their join-up:

Figure 30: Screenshot of the email invitation sent to the user
Figure 30: Email invitation

When they click the Join link, their browser will guide them through the process

Figure 31: Screenshot of the dialog to start the Join process
Figure 31: Click Continue to begin the join process

At the end of this, they will be logged into their own customer console and will see the files listed in which have an active account.

Figure 32: Screenshot of the customer console after completing the join process
Figure 32: Customer console

Just like any other FileMaker Cloud user, they can download FileMaker Pro from here if they do not already have it.

In FileMaker Pro they can log in through the normal FileMaker ID mechanism, which will transfer them to the ADFS login page for authentication:

Figure 33: Screenshot of sign in
Figure 33: Sign in

FileMaker Cloud recognizes that the user belongs to the external IdP (see Figure 34) and redirects to the ADFS login page (see Figure 35).

Figure 34: Screenshot of FileMaker Cloud recognizing that the user belongs to the external IdP
Figure 34: Sign in with external IdP
Figure 35: Screenshot of AD FS login that user is redirected to after using their team's external identity provider
Figure 35: ADFS login

After a successful login there, the user is granted access to Soliant Consulting Inc subscription:

Figure 36: Screenshot of successful login that shows user is granted access to the subscription
Figure 36: User is granted access to the subscription

Next Steps

If you have any questions about this process or need assistance with your own FileMaker solution, please contact our team. We are happy to help.

2 thoughts on “FileMaker Cloud 2.1 – Authenticate Users Against Active Directory”

  1. Wim, thanks so much for this series of posts. After some trial and error, we found that Microsoft Azure AD can be configured for use as an external identify provider for Claris ID accounts. The “trick” was finding the correct Issuer URI. For Azure AD, use the endpoint named “OAuth 2.0 authorization endpoint (v2)” and strip off the last part of the URI, “/oauth2/v2.0/authorize”, leaving something like:

    https://login.microsoftonline.com/########-####-####-####-############

    The remaining steps are similar to configuring Azure AD for OAuth in FileMaker Server.

    I’m probably not the first to discover this, but I wanted to add this comment here since your excellent article is near the top of the search results for this topic.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top