External authentication for database access

FileMaker Server authenticates users with FileMaker accounts defined within a FileMaker Pro Advanced database. In addition, FileMaker Server supports authentication with the following externally defined accounts and groups:

Windows or macOS accounts and groups locally defined on the master machine

Apple Open Directory and Windows Active Directory accounts and groups, which can be on a centrally managed authentication server

OAuth identity providers including Login with Amazon, Google Identity Platform, and Microsoft; see Using an OAuth identity provider to authenticate FileMaker clients

If you're hosting FileMaker Pro Advanced database files with FileMaker Server, you can use your existing authentication server to control access to databases without having to manage an independent list of accounts in each FileMaker Pro Advanced database file.

On the Administration > External Authentication tab, if you enable External Server Accounts under Database Sign In, client access privileges are determined both by the accounts defined in the hosted databases and by accounts defined on the master machine or on an authentication server. Using FileMaker Pro Advanced, you specify in a database whether an account is authenticated via FileMaker or via an external authentication server. Externally authenticated accounts are Active Directory accounts (Windows), Open Directory accounts (macOS), or OAuth identity provider accounts.

Depending on the specific network configuration, an external authentication server on one platform can authenticate users on the other platform. In other words, a macOS user might be authenticated by Active Directory, or a Windows user might be authenticated by Open Directory in macOS Server.

If you enable External Server Accounts and the master machine is a Windows machine, all login attempts are recorded in the Windows Security Log. For information about the Security Log, see your Windows documentation.

Important  When a database file contains one or more external server accounts, make sure you use operating system security settings to limit direct access to the file. Otherwise, it might be possible for an unauthorized user to move the file to another system that replicates your authentication server environment and gain access to the file. Group names for accounts authenticated with the external server feature are stored as text strings. If the group name is reproduced on another system, the copied file can be accessed with the privilege set assigned to the members of the group, which might expose data inappropriately.
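The following is an added example, not part of the FileMaker documentation: one way to check the operating system permissions described above on a macOS master machine, by listing database files that accounts other than the owner and group could copy or replace. The `.fmp12` extension and the folder passed on the command line are assumptions; point it at the folder where your hosted databases are stored.

```python
import os
import stat
import sys

DB_SUFFIX = ".fmp12"  # assumption: extension used by the hosted database files


def audit_database_files(root):
    """Return (path, [issues]) for every database file under root whose
    POSIX permissions allow direct access beyond the owner and group."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = os.stat(dirpath).st_mode
        for name in sorted(filenames):
            if not name.lower().endswith(DB_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect a symlink itself, not its target
            issues = []
            if stat.S_ISLNK(st.st_mode):
                issues.append("symlink: real file may live outside the protected folder")
            else:
                # Read access is enough to copy the file to another system.
                if st.st_mode & stat.S_IROTH:
                    issues.append("readable by any local account")
                if st.st_mode & stat.S_IWOTH:
                    issues.append("writable by any local account")
            # A world-writable folder without the sticky bit lets any account
            # rename or replace files in it, whatever the file's own mode is.
            if dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
                issues.append("folder is world-writable: file can be moved or replaced")
            if issues:
                findings.append((path, issues))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, issues in audit_database_files(target):
        print(path + ": " + "; ".join(issues))
```

An empty result means no file under the folder is exposed through the "other" permission bits; group membership and ACLs still need to be reviewed separately.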

Notes 

For more information about creating accounts that authenticate via an external server, see FileMaker Pro Advanced Help.

Go to the FileMaker Knowledge Base and search for articles containing the keywords external and authentication (and optionally cross-platform).