Creating accounts that authenticate via an external server
If you’re hosting FileMaker Pro files with FileMaker Server and your organization uses centrally managed authentication for users and groups, such as Apple Open Directory or a Windows domain, you can set up accounts that authenticate users based on your authentication server. This allows you to use your existing authentication server to control access to databases without having to manage an independent list of accounts in each FileMaker Pro database file.
Note  Although you can set up accounts for external authentication servers in FileMaker Pro, only database files hosted by FileMaker Server can authenticate users against an authentication server. Database files shared by FileMaker Pro won’t authenticate against an authentication server.
Important  When a database file contains one or more External Server accounts, make sure you use operating system security settings to limit direct access to the file. Otherwise, it might be possible for an unauthorized user to move the file to another system that replicates your authentication server environment and gain access to the file. For more information, see the FileMaker Server documentation.
To create an account that authenticates via an external server:
1. Choose File menu > Manage > Security.
If the Manage Security dialog box displays the detailed security settings, click Use Basic Setup.
2. Click New Account.
3. For Authenticate via, choose External Server.
4. For Group Name, enter the name of a group that is defined on an external authentication server.
5. For Privilege Set, choose, create, or edit a privilege set.
See Creating and editing privilege sets.
The privilege set assigned to the account determines what the externally authenticated group members can do in the file.
6. To make the account active, select its checkbox.
To make an account inactive (for example, until you set up its privilege set), clear the checkbox.
7. If you’re finished, click OK.
Authenticating users with multiple accounts
It’s possible for a file with External Server accounts to contain multiple accounts that could authenticate a user. For example, a file could contain:
both a FileMaker-authenticated account and an External Server account with the same name
both an OAuth identity provider account and an External Server account with the same name
two or more External Server accounts that contain the same group member
When a user opens a file, FileMaker Pro opens the file using the first matching account in the authentication order. Any matching accounts that follow the first one are ignored. Therefore, it’s important to set the authentication order for accounts when one or more of the above situations exist. Otherwise, the wrong account may be used to access the file. See Creating and editing accounts.
The authentication order is only an issue under specific circumstances: you must be hosting files with FileMaker Server, using an external authentication server, and have accounts set up so that there are multiple accounts that could authenticate particular users. If you are only using FileMaker-authenticated accounts, authentication order is not a concern because each account must have a unique name.
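The first-match rule described above can be checked against a planned account list before deployment. The following is an added example, not FileMaker code: it models the authentication order as a Python list, and the account names, group names, directory data and the matching rule (External Server accounts match on group membership, other accounts on account name) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    kind: str            # "filemaker", "oauth" or "external"
    name: str            # account name; for "external", the group name
    privilege_set: str
    active: bool = True

def matching_accounts(accounts, login, groups):
    """All active accounts that could authenticate this user, in list order."""
    hits = []
    for acct in accounts:
        if not acct.active:
            continue
        # Assumption: External Server accounts match on group membership,
        # other account types match on the account name.
        if acct.kind == "external":
            matched = acct.name in groups
        else:
            matched = acct.name == login
        if matched:
            hits.append(acct)
    return hits

def audit(accounts, directory):
    """Map login -> (account used, accounts ignored) where several match."""
    findings = {}
    for login, groups in directory.items():
        hits = matching_accounts(accounts, login, groups)
        if len(hits) > 1:
            findings[login] = (hits[0], hits[1:])
    return findings

# Constructed sample data: authentication order is the list order.
ACCOUNTS = [
    Account("external", "AllStaff", "[Read-Only Access]"),
    Account("external", "DBAdmins", "[Full Access]"),
    Account("filemaker", "pat", "[Data Entry Only]"),
]
# Constructed directory: login -> groups on the authentication server.
DIRECTORY = {
    "pat": {"AllStaff"},
    "lee": {"AllStaff", "DBAdmins"},
    "sam": {"AllStaff"},
}

if __name__ == "__main__":
    for login, (used, ignored) in audit(ACCOUNTS, DIRECTORY).items():
        names = ", ".join(a.name for a in ignored)
        print(f"{login}: uses {used.name} {used.privilege_set}; ignored: {names}")
```

In this sample, lee belongs to both groups but is opened with the AllStaff privilege set because that account comes first; moving DBAdmins above AllStaff changes the result.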
Notes 
You’ll need to set additional options in FileMaker Server to authenticate users against an external server. See FileMaker Server Help.
If you work with shared database files that access ODBC data from Microsoft SQL Server, you can configure Windows single sign-on authentication. See Enabling ODBC data source single sign-on (Windows only).