Security is in Soliant Consulting’s DNA, which is why our team has been pushing so hard on exploring and documenting various ways you can securely authenticate the users who need access to your FileMaker apps. This is especially crucial if they also need to use the same security identity across other non-FileMaker solutions. So instead of using native FileMaker accounts, what are your options?
We’ve described many of them in a recent blog post and provided a bit of a history of the features in the FileMaker platform over the last dozen versions.
The disparity between the regular version of FileMaker Server and FileMaker Cloud is intriguing and worth tracking: the authentication requirements that you or your clients have can force the choice of one over the other.
The most recent 2.1 update to FileMaker Cloud adds support for Active Directory Federation Services (AD FS), so that your on-premise Active Directory can manage your users and the groups to which they belong. We documented the setup here. At the time, it struck us that this was an authentication option only available with FileMaker Cloud, so we set out to do some more exploration. We learned that AD FS can, in fact, be used with the regular version of FileMaker Server as well, since it supports the required OpenID Connect OAuth flow.
Steven Blackwell and I added a white paper to our OAuth series to explain why you or your clients may want to use it, and when you do, how to set it up. That white paper is available here.
The authentication landscape currently looks like this. Note that we’ve tested all the Identity Providers (IdPs) listed here. The bottom row of the table is there as a reminder that any IdP supporting the proper OAuth flow can most likely be integrated with your FileMaker apps.
| Identity Provider | FileMaker Server | FileMaker Cloud (2.x) |
|---|---|---|
| On-premise Active Directory | Yes | No |
| On-premise Open Directory | Yes | No |
| Local accounts & groups in the OS of the FileMaker Server machine | Yes | No |
| Active Directory Federation Services | Yes | Yes |
| Okta | Yes | |
| Ping | Yes | No |
| OneLogin | Yes | No |
| Auth0 | Yes | No |
| MiniOrange | Yes | No |
| Azure AD | Yes | Partial (works with WebDirect but not FileMaker Go) |
| Amazon | Yes (individual accounts only) | No |
| | Yes (individual accounts only) | No |
| FileMaker ID | No | Yes |
| Any IdP using the OpenID Connect OAuth flow | Yes | No |
As always, reach out to us here or on the Claris Community Forum with questions or suggestions.
Thanks Wim for sharing that valuable information and for taking the time to test all those different Identity Providers. If I understand correctly, FileMaker Server requires that the IdP use the OpenID Connect standard. Is SAML2 supported, or is it limited to OpenID Connect?
Thanks!
The functionality is limited to OpenID Connect only. However, you can certainly use any of the supported IdPs that support OIDC as the identity broker to a provider that only supports SAML. Next week we will release a white paper that uses Red Hat’s Keycloak as the IdP; using Keycloak – since it is free – would be a good option in such a setup. We may do a white paper in the near future that demonstrates that.