Using an external identity provider to authenticate Claris ID accounts
Note The following information is for FileMaker Cloud and Claris Connect team managers.
Team managers can set up account authentication with an external identity provider (IdP), so that users can sign in with that provider account instead of Claris ID. For example, a user who has a Microsoft Active Directory (AD) or an Okta or Azure AD account can sign in to Claris Customer Console using the external IdP information.
First, configure the external IdP for use with FileMaker Cloud. Next, set up external IdP authentication in Claris Customer Console. Then, invite users to join the team and sign in using the external IdP information, and create an external IdP group.
Each team may be set up with only one external IdP at a time. However, once you’ve set up authentication in one team, you don’t have to repeat the process for another team that will use the same external IdP.
Configuring external IdPs
Before you begin, you must configure the external IdP for use with FileMaker Cloud. Also, you will need to obtain the issuer URI, client ID, and client secret from the provider, which you copy into the dialog boxes in the following steps. For details about the required settings and information, visit the Knowledge Base.
Setting up authentication with an external IdP
- On the Claris Customer Console Settings page, for External ID Provider, click Set up external IdP sign-in.
- Click Continue.
- Enter the issuer URI and client ID, then click Search.
- Enter the client secret and a unique provider name, then click Continue.
- If a provider was found, you see information about that provider. To allow authentication with that provider, click Continue.
- Click Done.
- Invite users to sign in to Claris Customer Console using the external IdP. See the steps below.
If you see an error message, verify that the information you entered is correct, then click Search.
Inviting users to join the team with an external IdP
- On the Users page, click Invite New User.
- To require users to sign in with the external IdP, select Require user to sign in using <external IdP> identity provider.
- Invited users receive an email with a link to join the team. When they click the link, they see a sign-in page for the external IdP.
To allow a user to also sign in with their Claris ID, send another invitation to the same email address, and don’t select this option.
Creating an external IdP group in Claris Customer Console
- Set up a group in the external IdP.
- On the Groups page, click Create a Group or Create New Group.
- Enter the name of the external IdP group, using the same spelling as for the external IdP, then click Create.
See the provider’s documentation or consult your information technology organization for how to do this.
On the Users page, you see the users in the group, but you can modify them only in the external IdP.
Turning off external IdP authentication
To turn off external IdP authentication for a team, you must remove all external IdP users from the team.
Note Turning off external IdP sign-in removes all external IdP account information and group access privileges. To allow it again later, you must re-create authentication using the steps above.
- On the Users page, click for the user, then choose Remove from Team.
- On the Settings page, click Turn off external IdP sign-in.
If the external IDP is no longer used by any team, the external IdP is deleted.
- Users who sign in with an external IdP cannot transfer to another team.
- After setup has been completed, only the unique provider name can be changed. To edit other information, delete the external IdP information and begin again.
- At least one team manager must have a Claris ID account.