Advanced tasks > Using an external identity provider to authenticate FileMaker ID accounts

Using an external identity provider to authenticate FileMaker ID accounts

Note  The following information is for team managers.

Team managers can set up account authentication with an external identity provider (IdP), so that users can sign in with that provider account instead of FileMaker ID. For example, a user who has a Microsoft Active Directory (AD) or an Okta account can sign in to FileMaker Customer Console using the external IdP information.

First, set up external IdP authentication in FileMaker Customer Console. Next, invite users to join the team and to sign in using the external IdP information. Then, create an external IdP group.

Each team may be set up with only one external IdP at a time. However, once you’ve set up authentication in one team, you don’t have to repeat the process for another team that will use the same external IdP.

Setting up authentication with an external IdP

Before you begin, you must configure the external IdP for use with FileMaker Cloud. Also, you will need to obtain the issuer URI, client ID, and client secret from the provider, which you copy into the dialog boxes in the following steps. For details about the required settings and information, visit the Knowledge Base.

1. On the Settings page, for External ID Provider, click Set up external IdP sign-in.

2. Click Continue.

3. Enter the issuer URI and client ID, then click Search.

If you see an error message, verify that the information you entered is correct, then click Search.

4. Enter the client secret and a unique provider name, then click Finish.

5. If a provider was found, you see information about that provider. To allow authentication with that provider, click Continue.

6. Click Done.

7. Invite users to sign in to FileMaker Customer Console using the external IdP. See the steps below.

Inviting users to join the team with an external IdP

1. On the Users page, click Invite New User.

See Inviting users to a team.

2. To require users to sign in with the external IdP, select Require user to sign in using <external IdP> identity provider.

To allow a user to also sign in with their FileMaker ID, send another invitation to the same email address, and don’t select this option.

3. Invited users receive an email with a link to join the team. When they click the link, they see a sign-in page for the external IdP.

Creating an external IdP group to FileMaker Customer Console

1. Set up a group in the external IdP.

See the provider’s documentation or consult your information technology organization for how to do this.

2. On the Groups page, click Create a Group or Create New Group.

See Creating or changing a group (FileMaker Cloud).

3. Enter the name of the external IdP group, using the same spelling as for the external IdP, then click Create.

On the Users page, you see the users in the group, but you can modify them only in the external IdP.

Turning off external IdP authentication

To turn off external IdP authentication for a team, you must remove all external IdP users from the team.

Note  Turning off external IdP sign-in removes all external IdP account information and group access privileges. To allow it again later, you must re-create authentication using the steps above.

1. On the Users page, click Options menu for the user, then choose Remove from Team.

2. On the Settings page, click Turn off external IdP sign-in.

If the external IDP is no longer used by any team, the external IdP is deleted.


Users who sign in with an external IdP cannot transfer to another team.

After setup has been completed, only the unique provider name can be changed. To edit other information, delete the external IdP information and begin again.

At least one team manager must have a FileMaker ID account.

Related topics 

Deactivating or reactivating accounts