If you’re hosting FileMaker Pro Advanced files with FileMaker Server and your organization uses centrally managed authentication for users and groups, such as Apple Open Directory or a Windows domain, you can set up accounts that authenticate users based on your authentication server. This allows you to use your existing authentication server to control access to databases without having to manage an independent list of accounts in each FileMaker Pro Advanced database file.
Note: Although you can set up accounts for external authentication servers in FileMaker Pro Advanced, only database files hosted by FileMaker Server can authenticate users against an authentication server. Database files shared by FileMaker Pro Advanced won’t authenticate against an authentication server.
Important: When a database file contains one or more External Server accounts, make sure you use operating system security settings to limit direct access to the file. Otherwise, it might be possible for an unauthorized user to move the file to another system that replicates your authentication server environment and gain access to the file. For more information, see the FileMaker Server documentation.
1. Choose File menu > Manage > Security.
If the Manage Security dialog box displays the detailed security settings, click Use Basic Setup.
2. Click New Account.
3. For Authenticate via, choose External Server.
4. For Group Name, enter the name of a group that is defined on an external authentication server.
5. For Privilege Set, choose, create, or edit a privilege set.
See Creating and editing privilege sets.
The privilege set assigned to the account determines what the externally authenticated group members can do in the file.
6. To make the account active, select its checkbox.
To make an account inactive (for example, until you set up its privilege set), clear the checkbox.
It’s possible for a file with External Server accounts to contain multiple accounts that could authenticate a user. For example, a file could contain:
• both a FileMaker authenticated account and an External Server account with the same name
• both an OAuth identity provider account and an External Server account with the same name
• two or more External Server accounts that contain the same group member
When a user opens a file, FileMaker Pro Advanced opens the file using the first matching account in the authentication order. Any matching accounts that follow the first one are ignored. Therefore, it’s important to set the authentication order for accounts when one or more of the above situations exist. Otherwise, the wrong account may be used to access the file. See Creating and editing accounts.
The authentication order is only an issue under specific circumstances: you must be hosting files with FileMaker Server, using an external authentication server, and have accounts set up so that there are multiple accounts that could authenticate particular users. If you are only using FileMaker authenticated accounts, authentication order is not a concern because each account must have a unique name.
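The first-match rule described above, as an added example that is not FileMaker code: a simplified Python model that finds which account a user would open the file with and flags later matches whose privilege set differs. The group names, user name and account list are constructed, and the model assumes that a name or group match means successful authentication and that inactive accounts never match.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    kind: str            # "filemaker", "oauth" or "external"
    name: str            # account name; group name when kind == "external"
    privilege_set: str
    active: bool = True

def matching_accounts(accounts, user, groups):
    """Active accounts that could authenticate the user, in authentication order."""
    hits = []
    for acct in accounts:
        if not acct.active:          # assumption: inactive accounts never match
            continue
        if acct.kind == "external":
            matched = acct.name in groups    # match on directory group membership
        else:
            matched = acct.name == user      # match on account name
        if matched:
            hits.append(acct)
    return hits

def audit_user(accounts, user, groups):
    """Return (account actually used, ignored matches with a different privilege set)."""
    hits = matching_accounts(accounts, user, set(groups))
    if not hits:
        return None, []
    effective = hits[0]                      # first match wins; the rest are ignored
    conflicts = [a for a in hits[1:] if a.privilege_set != effective.privilege_set]
    return effective, conflicts

# Constructed sample: list position stands for the authentication order.
ACCOUNTS = [
    Account("external", "FM_ReadOnly", "[Read-Only Access]"),
    Account("external", "FM_Admins", "[Full Access]"),
    Account("filemaker", "jsmith", "[Data Entry Only]"),
    Account("external", "FM_Legacy", "[Full Access]", active=False),
]

if __name__ == "__main__":
    used, ignored = audit_user(ACCOUNTS, "jsmith", ["FM_Admins", "FM_ReadOnly", "FM_Legacy"])
    print("opens with:", used.kind, used.name, used.privilege_set)
    for acct in ignored:
        print("ignored match with different privileges:", acct.kind, acct.name, acct.privilege_set)
```

A non-empty second return value means the user's effective privileges depend on the authentication order, which is the situation the paragraph above says to resolve.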
• You’ll need to set additional options in FileMaker Server to authenticate users against an external server. See FileMaker Server Help.
• If you work with shared database files that access ODBC data from Microsoft SQL Server, you can configure Windows single sign-on authentication. See Enabling ODBC data source single sign-on (Windows only).