FileMaker - Authentication

ITAG Standard #3: For security reasons, client/server and web-based applications must determine that a user is who they claim to be, either by using an authenticated Kerberos ID or by using X.509 certificates issued by the MIT certificate server (Certifying Authority).

IS&T has not yet explored integrating FileMaker with Kerberos for client/server solutions. For web-based applications, it may be possible to integrate MIT certificates with FileMaker through PHP; this has not yet been explored, so there are no guidelines as yet. Until Kerberos or certificates become available, FileMaker developers are constrained to the existing user account methods available to them. FileMaker versions 7 and later do allow at least an approximation of single sign-on, through integration with the host server's own authentication and authorization: Active Directory on Windows or Open Directory on Mac OS X.

External Authentication

Enabling external authentication is done in two places: in the FileMaker Server admin tool and in each individual database file. The FileMaker Server setting lives in the Security tab (under the Configure icon on OS X); select "FileMaker and External Server accounts." This lets FileMaker Server consult user accounts and groups either on the host machine itself or on a networked domain controller.

You must also have corresponding accounts set up in your FileMaker database file. These accounts represent user roles, not individual users. Define the account, set its authentication method to "External Server", and enter the group to which that account corresponds. The name of this group, with its associated privilege set, must match the group defined on your host OS or domain controller. The extended privilege [fmapp] must be enabled in that privilege set, or single sign-on will not work.

If you use external authentication, you must keep at least one FileMaker account that is separate from the external authentication system, so that the file can still be opened if the external directory is unavailable or misconfigured. It is recommended that admin-level accounts not be externally authenticated. Note also that because privileges are granted by group membership, anyone the OS or domain administrators add to a mapped group receives that group's privilege set in the database; who can change those group memberships is therefore part of the database's security boundary.

Regardless of whether you opt for external authentication, you also have the option of displaying to each user only those database files that their account is allowed to open. This has the added benefit of hiding files from users who have no need to know they exist. If you have not enabled external authentication, the user will be prompted twice: once to see the appropriate list of files and again to open the chosen file.

Protecting access to your FileMaker Server configuration

Finally, there is an additional level of authentication available for managing the hosting settings through the Server Administration Tool. Enable this in the Administration tab (under the Configure icon on OS X). The two options are to set a password for the Server Admin Tool or to require that the FileMaker Server administrator be a member of the fmsadmin group. The fmsadmin group was created on your server when you first installed FileMaker Server and has read/write privileges for the entire FileMaker Server subdirectory; membership in it is effectively full control of every hosted file, so keep it small.

Gotchas

To approximate single sign-on on OS X, the user's credential must be stored in the keychain, and any user account change in the FileMaker database file must be correspondingly updated in the keychain. Also be sure that the group name you enter in your FileMaker accounts matches the Macintosh OS "short" name of the group exactly. If a privilege set (FileMaker's term for a particular set of authorizations, or role) allows users to change their own passwords, this breaks the effect of external authentication, not to mention single sign-on: the user will have to log into the server and change the OS account password before being able to access the database, and Mac clients will have to update the appropriate keychains.

More information on External Authentication, including screenshots, can be found in this presentation. An in-depth guide to implementing External Authentication can be found in the downloads area of the FileMaker web site.
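As an added example (not from the original page and not FileMaker's own tooling), the following Python script encodes the rules above as checks over a hand-constructed description of a file's accounts and privilege sets together with the host's group list. The record types, the `lint` function, and the account, group and privilege-set names are all assumptions for illustration; in practice you would transcribe them from the Accounts & Privileges dialog and from the OS group list (for example, `dscl . -list /Groups` on OS X).

```python
"""Lint a FileMaker external-authentication setup against the page's rules.

Added example, not FileMaker code. All records below are constructed by hand;
the names are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass
class PrivilegeSet:
    name: str
    extended_privileges: Set[str] = field(default_factory=set)  # e.g. {"fmapp"}
    allow_password_change: bool = False   # "Allow user to modify their own password"
    full_access: bool = False             # the admin-level privilege set


@dataclass
class Account:
    name: str            # for External Server accounts this is the OS/AD group name
    auth: str            # "FileMaker" or "External Server"
    privilege_set: str


def lint(accounts: Iterable[Account], privilege_sets: Iterable[PrivilegeSet],
         os_groups: Set[str]) -> List[str]:
    """Return findings; an empty list means the setup follows the rules."""
    accounts = list(accounts)
    psets = {p.name: p for p in privilege_sets}
    findings: List[str] = []

    # Rule: keep at least one account the external directory cannot lock you out of.
    if any(a.auth == "External Server" for a in accounts) and \
            not any(a.auth == "FileMaker" for a in accounts):
        findings.append("no FileMaker-authenticated fallback account")

    for a in accounts:
        ps = psets.get(a.privilege_set)
        if ps is None:
            findings.append(f"{a.name}: unknown privilege set {a.privilege_set!r}")
            continue
        if a.auth != "External Server":
            continue
        # Rule: admin-level access should not come through the external directory.
        if ps.full_access:
            findings.append(f"{a.name}: admin-level (Full Access) account is externally authenticated")
        # Rule: the account name must equal the OS group's short name, case and all.
        if a.name not in os_groups:
            near = [g for g in os_groups if g.lower() == a.name.lower()]
            hint = f" (OS has {near[0]!r})" if near else ""
            findings.append(f"{a.name}: no OS group with this short name{hint}")
        # Rule: [fmapp] must be enabled in the privilege set or SSO fails.
        if "fmapp" not in ps.extended_privileges:
            findings.append(f"{a.name}: privilege set {ps.name!r} lacks [fmapp]; single sign-on will fail")
        # Rule: self-service password change breaks external auth and SSO.
        if ps.allow_password_change:
            findings.append(f"{a.name}: privilege set {ps.name!r} allows password change; breaks external authentication")
    return findings


# Constructed sample data (assumed names, not from any real server).
PRIVILEGE_SETS = [
    PrivilegeSet("Full Access", {"fmapp"}, full_access=True),
    PrivilegeSet("Data Entry", {"fmapp"}),
    PrivilegeSet("Read Only", set(), allow_password_change=True),   # two mistakes
]
OS_GROUPS = {"fmsadmin", "fm_dataentry", "fm_readonly"}   # OS short names
BAD_ACCOUNTS = [
    Account("Admin", "FileMaker", "Full Access"),           # internal fallback: fine
    Account("fm_dataentry", "External Server", "Data Entry"),
    Account("FM_ReadOnly", "External Server", "Read Only"),  # case differs from OS group
    Account("fm_ops", "External Server", "Full Access"),     # admin via AD, group missing
]


def sample_findings() -> List[str]:
    return lint(BAD_ACCOUNTS, PRIVILEGE_SETS, OS_GROUPS)


def sample_fixed_findings() -> List[str]:
    """The same file after the findings above are corrected."""
    fixed_sets = [
        PrivilegeSet("Full Access", {"fmapp"}, full_access=True),
        PrivilegeSet("Data Entry", {"fmapp"}),
        PrivilegeSet("Read Only", {"fmapp"}),
    ]
    fixed_accounts = [
        Account("Admin", "FileMaker", "Full Access"),
        Account("fm_dataentry", "External Server", "Data Entry"),
        Account("fm_readonly", "External Server", "Read Only"),
    ]
    return lint(fixed_accounts, fixed_sets, OS_GROUPS)


if __name__ == "__main__":
    for line in sample_findings():
        print("FINDING:", line)
    print("fixed config findings:", sample_fixed_findings())
```

Run against the constructed data, the script reports the case mismatch between FM_ReadOnly and the OS short name fm_readonly, the missing [fmapp] and the self-service password option on the Read Only set, and the externally authenticated Full Access account whose group does not exist; the corrected configuration produces no findings.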