Editing external server account access
If you’re hosting FileMaker Pro files with FileMaker Server and your organization uses centrally managed authentication for users and groups, you can set up account access in FileMaker Pro that authenticates a group of users based on your authentication server. This allows you to use your existing authentication server to control access to files without having to manage an independent list of accounts in each file. The supported external authentication servers are:
- Apple Open Directory
- a Windows domain
- v19.1.2: a Windows domain that authenticates through Microsoft Active Directory Federation Services (AD FS) (FileMaker Server for Linux only)
When users in a group try to open a hosted file, FileMaker clients prompt the user to sign in with an account name and password; for AD FS, users sign in via a web browser. These account credentials are sent to the external authentication server, which authenticates the user and returns to FileMaker Server a list of all the groups the user belongs to. FileMaker Server compares the group name of each external server account access entry in the file with this list of group names. The first valid match determines which account access entry is used and therefore which privilege set is assigned to the user.
Note Although you can set up account access for external authentication servers in FileMaker Pro, only files hosted by FileMaker Server can authenticate users via an authentication server. Files shared by any other FileMaker host can’t authenticate via an authentication server.
Important When a database file contains external server account access entries, make sure you use operating system security settings to limit direct access to the file. Otherwise, it might be possible for an unauthorized user to move the file to another system that replicates your authentication server environment and gain access to the file. For more information on external authentication, see FileMaker Server Help.
To create or edit external server account access:
- Start editing new or existing account access for an external server group in the Manage Security dialog box.
- For Authenticate via, choose FileMaker File or External Server.
- To grant account access to a group, click New. To change an existing group’s account access, select the group.
- In the details pane, for Authenticate via, choose External Server.
For Group Name, enter or change the name of a group that is defined on an external authentication server.
All users in this group will have access to this file.
- For Privilege Set, choose, create, or edit a privilege set.
The privilege set assigned to this account access determines what the externally authenticated users in the group can do in the file.
- To make the account active, select its checkbox.
Make account access inactive, for example, to set up privilege sets before allowing users to sign in.
- If you also grant access to other groups or to FileMaker file accounts, you may need to change the priority of account access.
- You’ll need to set additional options in FileMaker Server to authenticate users against an external server. See FileMaker Server Help.
- If you work with database files hosted by FileMaker Pro or FileMaker Server that access ODBC data from Microsoft SQL Server, you can configure the host computer to enable single sign-on (SSO). See the Knowledge Base.