External authentication settings

To allow external accounts to access Admin Console or to sign in to hosted databases, click the Administration > External Authentication tab.

Note  Linux: To set up external authentication and configure AD FS, see "External authentication for Linux" in the Knowledge Base.

To Do this

Allow members of an external authentication group to sign in to Admin Console

  1. Set up your authentication group.

    • For domain authentication, bind your server machine to the domain. See Active Directory or Open Directory documentation for more information.

    • Windows and macOS: For local authentication, create your local machine group. See your operating system documentation.

  2. For External Accounts for Admin Console Sign In, click Change.

  3. Enter the optional domain or local machine name followed by the external authentication group name. For example: groupname, domain\groupname, or groupname@localmachine. The external authentication group can be the fmsadmin group or another external authentication group.

    For domain authentication, you must bind your server machine to the domain. See Active Directory or Open Directory documentation for more information.

  4. You can limit the number of external authentication groups FileMaker Server searches when authenticating users by specifying the domain or local machine name. The following formats are valid:

    • Windows: domain\group, group@domain, or group

    • Windows local machine: localmachine\group, group@localmachine, or group

    • macOS Open Directory: Only the format group is accepted as valid

    • macOS local machine: Only the format group is accepted as valid

    If you do not specify a domain or local machine name, here is how FileMaker Server searches for the external authentication group on these platforms:

    • Windows: searches the domain, if the computer is a member of a domain, then searches the local machine

    • macOS: if the group name is defined on both the local machine and in Open Directory, then the local machine group takes precedence

  5. For Admin Console Sign In, set External Accounts to Enabled.

Allow members of an external authentication group to sign in to hosted databases

  1. Set up your authentication group.

    • For domain authentication, bind your server machine to the domain. See Active Directory or Open Directory documentation for more information.

    • For local authentication, create your local machine group. See your operating system documentation.

  2. Windows and macOS: For Database Sign In, set External Server Accounts to Enabled.

    FileMaker Server searches for the external authentication group on these platforms:

    • Windows: searches the domain, if the computer is a member of a domain, then searches the local machine

    • macOS: if the group name is defined on both the local machine and in Open Directory, then the local machine group takes precedence

See External authentication for database access.

Allow clients to use OAuth identity providers to sign in to hosted databases

See Using an OAuth identity provider to authenticate FileMaker clients.

Important  To prevent unauthorized users from mistakenly signing in to Admin Console as the server administrator, make sure the Admin Console user name and password do not match any user name and password in any of the external authentication groups associated with Admin Console. Use a unique user name and a strong password that is at least eight characters and a combination of letters and numbers. Note that the Admin Console user name is not case sensitive, but the password is.
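The following is an added example, not part of the FileMaker documentation or any FileMaker Server API: a pre-change check that validates a group entry against the formats listed in step 4, shows where it will be searched for, and flags external accounts whose name matches the Admin Console user name. The function names, the "domain", "local machine" and "Open Directory" labels, and the sample accounts are assumptions made for illustration; group members are assumed to be bare account names.

```python
import re

# Added illustration; these helper names are hypothetical, not a FileMaker Server API.
_NAME = r"[^\\@]+"  # one or more characters, excluding the two separators

def parse_group_spec(spec, platform):
    """Return (scope, group) for an entry in one of the step 4 formats.

    scope is the domain or local machine name, or None when omitted.
    """
    spec = spec.strip()
    if platform == "windows":
        m = re.fullmatch(rf"({_NAME})\\({_NAME})", spec)  # domain\group
        if m:
            return m.group(1), m.group(2)
        m = re.fullmatch(rf"({_NAME})@({_NAME})", spec)   # group@domain
        if m:
            return m.group(2), m.group(1)
    elif platform != "macos":
        raise ValueError(f"platform not covered by step 4: {platform!r}")
    if re.fullmatch(_NAME, spec):                         # bare group
        return None, spec
    raise ValueError(f"{spec!r} is not a valid format on {platform}")

def search_order(scope, platform, domain_member=True):
    """Places searched for the group, following the order the page describes."""
    if scope is not None:
        return [scope]
    if platform == "windows":
        return (["domain"] if domain_member else []) + ["local machine"]
    return ["local machine", "Open Directory"]  # macOS: local group wins

def admin_name_collisions(admin_user, group_members):
    """External account names equal to the Admin Console user name.

    That name is not case sensitive, so the comparison is case-folded.
    Passwords cannot be compared, so any name match is reported.
    """
    wanted = admin_user.casefold()
    return sorted(m for m in group_members if m.casefold() == wanted)

if __name__ == "__main__":
    members = ["alice", "ADMIN", "bob"]  # constructed sample membership
    for entry, plat in [("CORP\\fmsadmin", "windows"), ("fmsadmin", "macos")]:
        scope, group = parse_group_spec(entry, plat)
        print(entry, "->", group, "searched in", search_order(scope, plat))
    print("collisions:", admin_name_collisions("Admin", members))
```

Any name returned by admin_name_collisions is a reason to rename the Admin Console account before setting External Accounts to Enabled.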