Tired of managing separate usernames and passwords for each file in your FileMaker system? Want to leverage your existing Azure Active Directory credentials for seamless access? Setting up Single Sign-On (SSO) with Azure for your FileMaker Server can provide a smooth, secure login experience.
Although you’ll need to work through a few awkward setup steps, your users will thank you.
Here’s the process, step-by-step, covering both the Microsoft Entra ID side and your FileMaker Server Admin Console.
Ready? Let’s dive in!
To get started, you’ll need access to a Microsoft account with permissions to manage Microsoft Entra ID and administrative access to your FileMaker Server Admin Console.
Step 1: Setting up Your “App Registration” in Microsoft Entra ID
First, go into the Microsoft Entra ID portal to create an App Registration that represents your FileMaker Server.
- Navigate to Microsoft Entra ID.
- Create a new App Registration.
- Give your app registration a Name: something descriptive that shows it is for your FileMaker Server.
- Click Register to create your app registration.
Configure the Redirect URI
- Enter your Redirect URI. This is your FileMaker Server’s base URL with /oauth/redirect appended.
- For example, if your FileMaker Server is accessed at https://MyDomain.com/, your Redirect URI will be: https://MyDomain.com/oauth/redirect
- Select Web as the platform for your redirect URI.
Once you complete app registration, you’ll be directed to an overview page. This page contains key identifiers for your application.
- There you’ll find the Application (client) ID and the Directory (tenant) ID you’ll need to reference for the FileMaker Server Admin Console.
Step 2: Gathering Essential Azure Information
Create and Secure Your Client Secret
You also need a secret key that FileMaker Server will use to authenticate itself with Microsoft Entra ID.
- In the top right corner of the app registration overview, click Client credentials.
- Click New client secret.
- Add a Description for your secret (e.g., “FileMaker Server Key”).
- Choose an expiration date. Important Note: These secrets expire, and they cannot be extended beyond 2 years. You’ll need to remember to create a new one and update FileMaker Server before the current one expires.
- Click Add.
- CRITICAL: Immediately after adding the secret, its value will be displayed once under the “Value” column. Copy this value right away! If you leave this page, you will not be able to view the value again, and you will need to create a new secret. Paste the value into a secure temporary location, or do not leave this page until you have recorded it in the FileMaker Server Admin Console.
You should now have the Application (client) ID, the Directory (tenant) ID, and the Client Secret value.
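Because the client secret expires, it helps to track its end date rather than rely on memory. The following is an added example, not part of the original walkthrough: it reads the JSON printed by `az ad app credential list --id <Application (client) ID>` and flags secrets that are expired or due for rotation. The sample data, the 30-day threshold and the function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample, in the shape printed by
#   az ad app credential list --id <Application (client) ID>
# (display names, key IDs and dates are made up for this example).
SAMPLE_CREDENTIALS = """
[
  {"displayName": "FileMaker Server Key",
   "keyId": "00000000-0000-0000-0000-000000000001",
   "startDateTime": "2024-01-10T09:00:00Z",
   "endDateTime": "2026-01-10T09:00:00Z"},
  {"displayName": "old key",
   "keyId": "00000000-0000-0000-0000-000000000002",
   "startDateTime": "2023-03-01T09:00:00Z",
   "endDateTime": "2025-03-01T09:00:00Z"}
]
"""


def parse_utc(timestamp):
    """Parse a UTC timestamp, ignoring fractional seconds and the trailing Z."""
    parsed = datetime.strptime(timestamp[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def secret_status(credentials_json, now, warn_days=30):
    """Return (displayName, keyId, days_left, state) per secret, soonest first."""
    rows = []
    for cred in json.loads(credentials_json):
        days_left = (parse_utc(cred["endDateTime"]) - now).days
        if days_left < 0:
            state = "EXPIRED"   # already past its end date
        elif days_left <= warn_days:
            state = "ROTATE"    # create a new secret and update FileMaker Server
        else:
            state = "OK"
        rows.append((cred.get("displayName"), cred["keyId"], days_left, state))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    for name, key_id, days_left, state in secret_status(SAMPLE_CREDENTIALS, today):
        print(f"{state:8} {days_left:5d} days  {name}  ({key_id})")
```

The credential listing contains only metadata, never the secret value, so its output is safe to feed into a scheduled check.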
Step 3: Configuring FileMaker Server Admin Console
With the necessary information from Azure, it’s time to configure FileMaker Server.
- Log in to your FileMaker Server Admin Console.
- Navigate to Administration > External Authentication.
- Under the “Microsoft” section, click Change to start configuration.
- Paste the Application (client) ID into Azure Application ID.
- Paste the Directory (tenant) ID into Azure Directory ID.
- Paste the Client Secret (Value) into Azure Key.
- Click Save authentication settings.
Fantastic. Your FileMaker Server should now be connected to Microsoft Entra ID.
Step 4: Tweaking the Manifest for Group Claims
For FileMaker Server to understand which Azure AD Security Groups a user belongs to, you need to make a small configuration change in the app registration’s manifest.
- Back in the Azure portal, navigate to your app registration overview.
- In the left-hand menu, click on Manifest (located near the bottom of the list).
- Find the line with the key “groupMembershipClaims” (should be line 10).
- Change the value for “groupMembershipClaims” from null (or its current value) to “SecurityGroup”.
- Click Save.
Step 5: Creating a Security Group in Microsoft Entra ID
To control access to your FileMaker solution, you’ll use Azure AD Security Groups.
- Navigate back to Microsoft Entra ID.
- Click on Groups.
- Click All groups, then New group.
- Select Security as the Group type. This aligns with the Manifest change we made.
- Give your group a Group name and optionally a Description.
- Under Members, you can add the users who should have access to your FileMaker solution.
- Click Create.
Step 6: Adding Users to Your Tenant (If Needed)
If the users who need access aren’t already part of your Microsoft Entra ID tenant, you’ll need to add them. Inviting them is a standard method for external users.
- Navigate back to Microsoft Entra ID.
- Click on Users.
- Click New user.
- Steps will vary here depending on whether this user is already a part of your organization or an external user.
- Once the user is added to the group they will have access to your FileMaker solution.
Step 7: Configuring Security in Your FileMaker Solution File
The final step is to configure your specific FileMaker solution file to recognize the Azure Group and assign the appropriate privilege set.
- Open the FileMaker solution using FileMaker Pro with full access.
- Go to File > Manage > Security.
- Switch to Authenticate via: Microsoft Azure AD.
- Click New.
- Under “Account Type”, select Group.
- In the User Name field, you need the Object ID of the Azure Security Group you created in Step 5.
- To find the Object ID: Go back to the Azure portal, navigate to Microsoft Entra ID > Groups > All groups. Click on the group you created, and copy the Object ID displayed on its overview page.
- Paste this Object ID into the User Name field in FileMaker Security.
- Select the Privilege Set for users in this group.
- Crucial Requirement: The selected privilege set must have the Access via FileMaker Network (fmapp) extended privilege enabled.
- Click OK to save the security settings.
You Made It!
Congratulations! You’ve successfully configured Azure Single Sign-On for your FileMaker Server and a specific solution file. Users who are part of the designated Security Group in Azure AD should now be able to seamlessly open the FileMaker solution and authenticate using their Microsoft credentials.
Remember to test the login process. If you run into issues, double-check each configuration step, especially the redirect URI, client secret value, Manifest change, and the Group Object ID entered in FileMaker Security.
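When a login fails, the claims in the token show which of those settings is off. The following is an added diagnostic example, not part of the original walkthrough: it assumes you have an ID token captured from a test sign-in against this app registration, and checks the `tid`, `aud` and `groups` claims against the IDs from Steps 1 and 7. The IDs, sample token and function names are constructed placeholders.

```python
import base64
import json

# Constructed placeholder IDs; substitute the values from your own tenant.
TENANT_ID = "11111111-1111-1111-1111-111111111111"   # Directory (tenant) ID
CLIENT_ID = "22222222-2222-2222-2222-222222222222"   # Application (client) ID
GROUP_ID = "33333333-3333-3333-3333-333333333333"    # Group Object ID (Step 7)


def make_sample_token(claims):
    """Build an unsigned, constructed JWT so the example runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64(claims), ""])


def jwt_payload(token):
    """Decode the claims WITHOUT verifying the signature (diagnostics only)."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def check_claims(claims, tenant_id, client_id, group_object_id):
    """Return a list of findings; an empty list means the token looks right."""
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the Directory (tenant) ID")
    if claims.get("aud") != client_id:
        findings.append("aud does not match the Application (client) ID")
    groups = claims.get("groups")
    if groups is None:
        # Entra ID replaces the inline list with a pointer when it is too long.
        if "groups" in claims.get("_claim_names", {}):
            findings.append("groups overage: memberships are not inline in the token")
        else:
            findings.append("no groups claim: check groupMembershipClaims (Step 4)")
    elif group_object_id.lower() not in (g.lower() for g in groups):
        findings.append("user is not a member of the group entered in FileMaker")
    return findings


if __name__ == "__main__":
    token = make_sample_token({"tid": TENANT_ID, "aud": CLIENT_ID, "groups": [GROUP_ID]})
    print(check_claims(jwt_payload(token), TENANT_ID, CLIENT_ID, GROUP_ID) or "OK")
```

Treat any real token as a credential while you inspect it: decode it locally and do not paste it into online decoders.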
Enjoy the streamlined login experience.