Question asked by duncanbaker on Oct 13, 2016
I've been looking for a solution for a situation for a while and had some pointers from generous people but as yet these have not panned out as far as the investigating we have done, so I thought I'd open it up to a wider audience. Let's set the stage:


There is an Azure hosting environment which is made up of the following:
- FM Database server - let's call it FMDB
- FM WebDirect server (two server deployment of course) - let's call it FMWD
- Domain controller server - let's call it DC
This of course all sits on the same virtual network.


Let's call the company that owns the Azure environment and FM database "Solution Owner". Solution Owner wishes to authenticate using Active Directory (let's shorten this to AD ongoing). So, we turn on AD on DC and set it up with groups, turn on External Authentication in FMS Admin Console, set up groups in Security in the file, and all is good, right? Yes, FMS looks out to its local network, finds the directory server, etc.


But now, Solution Owner would like company ABC to access the database and ABC also wishes to use their On-Premise AD to authenticate. Mmm... How do we do this? Solution Owner effectively has an On-Premise AD, ABC has On-Premise AD - can Solution Owner pull in groups from ABC into its AD so when FM goes out to authenticate it sees the groups from ABC? Possibly with federating?


Assuming that gets figured out, Solution Owner now needs company XYZ to have access to the database. XYZ would like to use AD to authenticate. But XYZ uses Azure Active Directory (let's call that AAD) in their company. So, now we have Solution Owner with On-Premise AD, XYZ with AAD, and now we need to 'sync' AAD groups from XYZ into Solution Owner's AD. This may be something to do with the Azure AD Connect product.


So now, Solution Owner sees that XYZ uses AAD and thinks that's awesome, let's use that. Can FM authenticate against Azure AD, within the same Azure environment as FMDB of course? I'm not sure it can. I think it needs to have a 'traditional' (even if virtual) server on the same network running AD to authenticate against. And now that they are using AAD, can we 'sync' with ABC's On-Premise AD and XYZ's AAD?


So, the issues we're trying to address are:
- Can FM authenticate against AAD for Solution Owner access via any means (sync to trad AD, directly authenticate against AAD, third party software solution)?
- If we have other companies that access the file wishing to use AD or AAD, what options might be open to us here?


We have looked at AD Connect but this didn't seem to pan out - I believe that AAD has a limited number of 'sync' type connections that can be incorporated. I'd like to be proven wrong that this product is unable to do what we need.


We've looked into federating - I think this is a much more involved connection between two companies and again I believe we encountered barriers to achieving our goal when investigating this route. I can provide more details as needed.


We've considered the possibility of building a web app that sits in front of FM that users authenticate against and then get sent to FM (this is more when using WebDirect), but this is a major undertaking, has a whole bunch of issues that need working through and in reality is probably not an option at all.


I feel like we're up against FM's inability to recognize AAD, and we're up against the current limitations of AD/AAD in 'syncing' with other AADs or On-Premise ADs. But, I may be entirely wrong...


If anyone has done (or knows of someone that has done) multiple AD integrations, I'd be very interested in talking with you.


If anyone has any pointers/ideas on what might be possible, what's not possible etc, your input would be greatly appreciated.


If anyone has ideas on third party software that may achieve our goals, I'd be very interested in that.


And I'm open to all other ideas! Many thanks for taking the time.