External authentication for database access (FileMaker Server only)

FileMaker Server authenticates users with FileMaker accounts defined within a FileMaker Pro database. In addition, FileMaker Server supports authentication with the following externally defined accounts and groups:

  • Windows or macOS accounts and groups locally defined on the primary machine

  • Apple Open Directory, Windows Active Directory, and Linux Active Directory using Active Directory Federation Services (AD FS), which can be on a centrally-managed authentication server.

  • OAuth identity providers including Login with Amazon, Google Identity Platform, Microsoft, Apple, Custom OAuth, and AD FS. See Using an OAuth identity provider to authenticate FileMaker clients (FileMaker Server only).

If you're hosting FileMaker Pro database files with FileMaker Server, you can use your existing authentication server to control access to databases without having to manage an independent list of accounts in each FileMaker Pro database file.

On the Administration > External Authentication tab, if you enable External Server Accounts under Database Sign In, the client access privileges are determined by the accounts defined in the hosted databases and by accounts that are defined on the primary machine or on an authentication server. Using FileMaker Pro, you specify in a database whether an account is authenticated using a FileMaker account or to an external authentication server. These are Active Directory accounts (Windows and Linux), Open Directory accounts (macOS), or OAuth identity provider accounts.

Depending on the specific network configuration, an external authentication server on one platform can authenticate users on the other platform. In other words, a macOS user might be authenticated by Active Directory, or a Windows user might be authenticated by Open Directory in macOS Server.

If you enable External Server Accounts, records of all login attempts are logged in the Windows Security Log, if the primary machine is a Windows machine. For information about the Security Log, see your Windows documentation.

Important  When a database file contains one or more external server accounts, make sure you use operating system security settings to limit direct access to the file. Otherwise, it might be possible for an unauthorized user to move the file to another system that replicates your authentication server environment and gain access to the file. Group names for accounts authenticated with the external server feature are stored as text strings. If the group name is reproduced on another system, the copied file can be accessed with the privilege set assigned to the members of the group, which might expose data inappropriately.

Notes 

  • For more information about creating accounts that authenticate via an external server, see Claris Pro and FileMaker Pro Help.

  • Linux: In FileMaker Pro, you don't need to create separate accounts for external groups in the Manage Security dialog box since AD FS uses existing external groups. See Claris Pro and FileMaker Pro Help.

  • Go to the Knowledge Base and search for articles containing the keywords external, authentication and External authentication for Linux (and optionally cross-platform).