19 Replies. Latest reply on Sep 20, 2016 10:08 AM by wimdecorte

    Single sign on in FM server 14

    sudha

      Hi All,

       

      Could you please suggest how to implement single sign on functionality in FM server 14 for accessing the desktop and web version of the application hosted in the server?

       

      Thanks in advance.

        • 1. Re: Single sign on in FM server 14
          wimdecorte

          SSO for FMP only works in an all Windows environment:

          - FMP installed on Windows, with the desktop being part of a domain and the user logged into Windows with a domain account

          - FMS installed on Windows, server is a member server of the domain, FMS configured to allow external and FM accounts

          - FMP file configured with external accounts (groups).

           

          There is no SSO for the web or Mac clients.

          Mac clients can mimic the behaviour by storing the credentials in the keychain, but it is not true SSO as they will get prompted again when their pw changes.

          • 2. Re: Single sign on in FM server 14
            wimdecorte

            This one, while dated, is still relevant.  Nothing has changed in External Authentication since FM7/8:

             

            http://www.filemaker.com/downloads/pdf/techbrief_fm8_server_auth.pdf

            • 3. Re: Single sign on in FM server 14
              sudha

              Thanks Wim

              • 4. Re: Single sign on in FM server 14
                sudha

                Hi Wim,

                 

                Can you please tell me the advantages of Single Sign-On in FileMaker Pro?

                 

                Thank You.

                • 5. Re: Single sign on in FM server 14
                  wimdecorte

                  User convenience.

                   

                  The user can launch the FM solution without being prompted for credentials.

                  • 6. Re: Single sign on in FM server 14
                    sudha

                    Thanks Wim.

                    • 7. Re: Single sign on in FM server 14
                      Fred(CH)

                      And I would like to add that a kind of SSO concept is also applied in multi-file solutions:

                       

                      If you attempt to open File B after being successfully logged in File A, FileMaker Pro will try to use your actual credential to avoid prompting you another time.

                       

                      However, it only works if file B is a part of external data source in file A.

                       

                      Additionally, FileMaker Pro for OS X (desktop version only) also supports Apple Keychain, which is another occurrence of SSO concept.

                      • 8. Re: Single sign on in FM server 14
                        sudha

                        Thank You Fred. That helps !

                        • 9. Re: Single sign on in FM server 14
                          wimdecorte

                          Fred(CH) wrote:

                           

                           

                          Additionally, FileMaker Pro for OS X (desktop version only) also supports Apple Keychain, which is another occurrence of SSO concept.

                           

                          No it isn't.  It really truly is not.

                           

                          SSO does not work by storing your actual credentials like the keychain does.  SSO works by using a session token or ticket that has been issued after authentication.

                          The keychain retrieves your actual credentials and sends those to FM.

                          If you change your credentials the keychain will not work anymore until you type in your credentials and resave them to the keychain.

                           

                          Totally different concept.  The end result *looks* the same but they work in completely different ways.

                          1 of 1 people found this helpful
                          • 10. Re: Single sign on in FM server 14
                            Fred(CH)

                            wimdecorte wrote:


                            The end result *looks* the same.

                            It was what I would mean by "occurrence of the concept", but my words were obviously far from perfect.

                            "Same main purpose" maybe or "what you want", that means, to sign in a single time.

                            Thank you for your understanding.

                            • 11. Re: Single sign on in FM server 14
                              jdevans

                              What am I doing wrong? I have the file set up to external authentication, and a correct group name. And I went to the server admin console and allowed for External and Internal authentication.

                               

                              I can now open the file, but it still asks for Account name and password. How to get the "single sign on" part to work?

                              • 12. Re: Single sign on in FM server 14
                                wimdecorte

                                We need more details...

                                 

                                SSO only works in a full Windows environment:

                                - FMS on Windows, member server of an AD domain

                                - client workstations on Windows, members of the AD domain

                                - users logged into their workstation with an AD account

                                - the AD group that the users belong to is set up in the FM file

                                 

                                Remember that SSO is only a subset of EA.  EA works with AD / OD / local accounts on the FMS machine.  Is that part working for you and only the SSO not?

                                1 of 1 people found this helpful
                                • 13. Re: Single sign on in FM server 14
                                  jdevans

                                  Sorry, I'm rather a newb when it comes to some of this, but what is "EA?"

                                   

                                  As far as I know, this is an all windows environment. But I can get details from our system admin.

                                   

                                  What happens, after I've set things up as described, I open the file, it shows the user acct/pw dialog box, into which I type my credentials for the Active Directory (same credentials I use to log on to this windows machine). The file opens with the privilege set I attached to the externally authenticated group (in the file).

                                   

                                  However, when I close and reopen the file, it again asks for the same credentials. I was hoping to not be bothered by the acct/pw dialog.

                                   

                                  Do I need to leave the "Log In Using" radio button enabled in the File Options?

                                  • 14. Re: Single sign on in FM server 14
                                    wimdecorte

                                    EA = External Authentication.  That's the feature where FM can work with individual accounts that don't live in FM but in either an Active Directory, Open Directory or locally on the FMS machine's OS.

                                     

                                    SSO = Single Sign On, a variation of EA where the user is not prompted for credentials.

                                     

                                    EA does not automatically mean SSO, SSO only works in the very specific scenario that I mentioned.

                                     

                                    If your scenario qualifies for SSO but it does not happen then it could be many things.  It could be that one of the prerequisites is not actually met, or it could be that the clock between your workstation and the AD is off by too much.

                                     

                                    Give us some more details about your setup first.  Are you logged into your Windows workstation with an AD account?

                                    1 of 1 people found this helpful
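
A client-side check of the prerequisites listed in this thread (domain-joined workstation, domain logon, clock offset against the domain controller, and the AD groups to compare with the group account in the file). This is an added example, not code from any poster or from FileMaker. The 300-second limit is the default Kerberos clock tolerance in Active Directory, and treating it as the relevant limit here, like taking the DC name from `%LOGONSERVER%`, is an assumption.

```powershell
# Added example: run in the affected user's own Windows session on the workstation.
param(
    # Assumption: 300 s is the AD default Kerberos tolerance; match your domain policy.
    [int]$MaxSkewSeconds = 300
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. The workstation must be a member of the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Check 'Workstation joined to a domain' $cs.PartOfDomain $cs.Domain

# 2. The user must be logged on with a domain account, not a local one.
#    For a local logon, USERDOMAIN equals the computer name.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isDomainUser = $cs.PartOfDomain -and ($env:USERDOMAIN -ne $env:COMPUTERNAME)
Add-Check 'Logged on with a domain account' $isDomainUser $identity.Name

# 3. Clock offset between this workstation and the DC that handled the logon.
$dc = $env:LOGONSERVER -replace '^\\\\', ''
if ($isDomainUser -and $dc) {
    $sample = & w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>&1 | Out-String
    if ($sample -match '([+-]\d+\.\d+)s') {
        $inv  = [cultureinfo]::InvariantCulture
        $skew = [math]::Abs([double]::Parse($Matches[1], $inv))
        $detail = '{0:N1} s offset from {1}' -f $skew, $dc
        Add-Check 'Clock within tolerance of DC' ($skew -le $MaxSkewSeconds) $detail
    } else {
        Add-Check 'Clock within tolerance of DC' $false "no time sample from $dc"
    }
} else {
    Add-Check 'Clock within tolerance of DC' $false 'skipped: no domain logon'
}

$results | Format-Table -AutoSize

# 4. Groups in the logon token. One of these must match the externally
#    authenticated group account defined in the FileMaker file.
$identity.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $_.Value }   # SID that cannot be resolved to a name
} | Sort-Object
```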