Claris FileMaker Sign in with Apple


New, But Not New

Sign in with Apple (SIWA) is marketed as a new feature in FileMaker Server 19.6, but in reality, you have been able to use it for a while now since SIWA is just another OAuth-compliant identity provider. Steven Blackwell and I wrote a white paper a few years ago that outlines how you can configure SIWA and configure your FileMaker Server to use it.

That means that if you are on an older version of FileMaker Server, you can also use Apple ID as a means to authenticate your users.

19.6 certainly makes it easier to configure FileMaker Server since you have a dedicated area in the Admin Console to input your settings:

Dedicated Administration area in the FileMaker Server 19.6 Admin Console

The other benefit of using FileMaker Server is that you can let the users use Apple’s Hide My Email. At least to some extent.

Normally a user can make that choice at the moment they sign up for a service. That part does not work with FileMaker solutions. The user will need to generate a randomized email address ahead of time; that email address needs to be added as an active account in the FileMaker solution before the user can log into your solution.

You will see how that works later in this blog post.

Configuring Sign in with Apple

First, let’s set things up on the Apple side. You will need an Apple Developer subscription for this.

Log in at Apple’s Developer website:
https://developer.apple.com/account/resources/identifiers/list

While there, first make a note of your Team ID; you will need that later.

Apple Developer website: make note of your Team ID

Click the + icon to add a new identifier:

Click the + icon to add a new identifier on the Apple Developer website

Pick App IDs and continue:

Select App IDs to register a new identifier

Pick App:

Select App for the identifier type

Add a description and a Bundle ID in the recommended reverse domain syntax:

Add the description and Bundle ID for the App ID

Scroll down, select Sign in with Apple, and choose Continue:

Select Sign in with Apple

On the final screen, review your settings and choose Register:

Click the Register button to finish setting up Sign in with Apple

This lands you back on the Identifiers screen. Select the + button once more, and this time select Services IDs:

Select Services IDs under Register a new identifier

Name it in the normal reverse domain name fashion (the example uses the same name as the App ID with .serviceid appended).

Enter a name for the Services ID

Click Continue and then Register to save it.

Then select your new Services ID from the list to configure it:

Click the Continue button

Enable Sign in with Apple, and in the popover window, select your App ID at the top. Fill in the DNS name of your FileMaker server and the full OAuth redirect URL for your FileMaker Server:

Enable Sign in with Apple

Select Next and then Done to navigate back to the Service ID.

Click Continue to save the Services ID configuration

Click Continue to save it.

In OAuth terminology, the Service ID serves as the client ID. The next steps are about creating a client secret to go with that.

From the menu on the right, select Keys and click the + button to create a new key.

Click the + button to create a new key
Enter a meaningful name for the key

Click Configure and select your App ID:

Select your App ID

Save the settings and continue to where you can Register your key:

Save your settings and register the key

Take note of your Key ID, and download the private key that Apple has generated; it will be a file with a .p8 extension. Keep that one secured as one does with private keys.

With this private key, you can generate the client secret that will go here:

Make note of the private key that Apple generated

The instructions provided by Claris tell you to create a Ruby script at this point to generate that client secret.

You do not need to install Ruby on your FileMaker Server for this. If you are a macOS user, you already have Ruby available, but if you are a Windows user, you can consider a different approach.

One such approach is our open-source project on GitHub that uses JavaScript instead of Ruby. It is implemented as an API that you call with the relevant pieces of data, and it will return the JWT that is your client secret. The required JSON is described in the readme and consists of the contents of the p8 private key, your Apple Developer Team ID, the client ID (aka Service ID), and the name of the key (Key ID).

JSON payload and client secret: the client secret is valid for a maximum of 180 days

Note that the client secret has a maximum validity of 180 days. So you will have to regenerate a secret before your current one expires.

Configuring FileMaker Server

The External Authentication Section

Expand the Apple area under External Authentication and add the Service ID (aka client id) and the client secret you have generated:

Under Apple, add the Service ID and Client secret

Save the settings, and in the bottom part of the screen, don’t forget to enable External Server Accounts and enable Apple:

Enable External Server Accounts and Apple by moving the sliders to the right

The Notifications Section

For most external identity providers, that is all that you need to do. But for Sign in with Apple, you also need to enable the SMTP configuration. When a user first logs into your solution with SIWA, they will be sent an email with a one-time code.

You will need a valid SMTP setup in this section.

A valid SMTP setup is required to configure notifications

The Login Experience

For the user, logging in starts as usual by clicking the identity provider button on the login dialog:

Click on the identity provider button

This triggers an authentication through the user’s Apple ID, which may take different forms depending on their machine’s OS and the preferences the user has set for themselves.

Dialog window to authenticate through the user’s Apple ID

Once Apple is satisfied that you are who you say you are, control is passed back to FileMaker, and FileMaker will ask the user for an email address to send a code to:

User enters the verification code sent to their email address

This is where your FileMaker Server SMTP settings come into play. FileMaker Server sends out the email with the one-time code, and the user has 5 minutes to enter it:

A one-time use code is sent to the user’s email

If the code is accepted, the user is let into the solution. Get(AccountType) will return Apple ID, and their account name will be their Apple ID email.

The user is allowed into the FileMaker solution after the verification code is accepted

The next time the user logs into your solution, they will not need to use the one-time code method. FileMaker Server adds their account to an encrypted config file kept in the FileMaker Server preferences:

The verified account is added to the encrypted config file

Hide My Email

One of the prominent features of Sign in with Apple is that it allows you to give out a randomized email address instead of your actual Apple ID email address.

Typically, this is done as part of the workflow when you sign up for a new service. FileMaker’s security scheme does not have a self-service sign-up process, so you will need to know what the user’s fake email address is ahead of time so that you can add it to the solution. Once you have done that, then the user can sign into your solution with that fake email address.

There are a few different ways that a user can generate such a fake email. If they are on macOS, they can go to System Preferences and select Apple ID and go into the Hide My Email options.

Click on the Apple ID button in macOS System Preferences
Click the Options button for Hide My Email

There they can add a new randomized fake email that will be linked to their Apple ID:

Click the + button to add a fake email to Hide My Email
Confirmation window showing the fake email is added to Hide My Email

You can then add that email address to your accounts in the FileMaker solution:

Mark the Active checkbox to add the fake email to accounts in your FileMaker solution

The user can then log into the solution by authenticating at Apple with their normal Apple ID credentials, but they will be known to your solution only as their alias.

Users can also generate an alias email online in their iCloud settings:

Click the Manage button for Hide My Email in iCloud Settings to add the alias email

Caveats

As mentioned earlier, you will need to set your FileMaker Server up with access to an SMTP account. If you do not want that, you can still use Sign in with Apple by adding it as a custom OAuth provider following the white paper linked earlier in this blog post.

While it may be obvious, it is worth repeating: Apple IDs are individual accounts and need to be added as such to your FileMaker solution. There is no concept of groups, which can make account management a chore. If you need group-based privilege management in your solution, consider using an identity provider that can broker authentication to SIWA.

Conclusion

While not exactly new, using Sign in with Apple now has a dedicated config area in FileMaker Server, which makes it easier to set up Apple ID as an authentication method.

If you are interested in what is possible with various OAuth-based identity providers and your FileMaker solutions, then you will find a whole series of blog posts here.

2 thoughts on “Claris FileMaker Sign in with Apple”

  1. I’m lost at creating a client secret. There’s no link to Claris’ documentation regarding Ruby, and the link to the GitHub code is broken… can you point me in the right direction?

    Otherwise this article was really well laid out.
