FileMaker MFA with local Active Directory

Discussion created by innodat on Oct 12, 2018
Latest reply on Oct 15, 2018 by innodat

Could someone briefly outline, how such services would be integrated into an Active Directory and FileMaker Server? What communicates with what? And how?
I spent quite some time googling this, but can't seem to find specifics. What I do understand is that the MFA application communicates with the AD. But how does FileMaker know when the user is authorized by the MFA?

1. User opens database on device

2. User sees FM native login-prompt

3. User enters name and password (account from AD, FMS configured accordingly)

4. ....

5. ....
Many, many thanks in advance for shedding some light on the overall concept!

I'm interested in a regular AD on a local server, not Microsoft's Azure. There's no Azure server in Switzerland at this time and the client mandates that no data leaves the country. Period. So we can't use Azure or any of the other OAuth providers supported natively by FileMaker. However, there are some MFA providers in Switzerland. I figure, if I understand the concept of one of them (how it works with AD/FileMaker), I can transfer that knowledge to others.
The breakdown in my understanding is this chart here: How AD Connect works
It shows that the "Service Provider App" (in our case FileMaker) communicates with PingOne, which in turn verifies the user with the AD. FileMaker seems to work in reverse in relation to the AD: it goes straight to the AD to verify the user. I don't see how the user could be sent from the AD to PingOne and back to FM...
How can I make the login and verification detour through PingOne?
Would I have to run a website for the login, just like Azure/Amazon/Google is providing with OAuth?