Managing user access doesn’t have to be complicated. By integrating Single Sign-On (SSO) with Microsoft Azure and Claris FileMaker, organizations can enhance security while simplifying the user login experience. This guide walks you through the full configuration process, helping you streamline authentication, reduce password fatigue, and gain better control over application access!

Step 1: Open FileMaker Admin Console

1. Open a new browser window and navigate to your FileMaker Server Admin Console.

2. From the top nav bar, click Administration.

3. On the left, click External Authentication.

4. Select Change next to Microsoft.

5. The fields revealed are what you will populate in the following steps. For now, take note of the redirect URI at the top: https://YourDomain/oauth/redirect

   • Replace “YourDomain” with the domain of the FileMaker Server. This is also the domain of the admin console. So, for the domain cloud.example.com, the redirect URI would be https://cloud.example.com/oauth/redirect.

Step 2: Create a New Registration

1. Sign in to the Azure portal you want to use to manage SSO.

2. Click Microsoft Entra ID.

3. From the left menu, click App registrations.

4. Create a New registration.

6. Enter a descriptive Name.

7. Back in Register an application in Azure, select Accounts in this organizational directory only (Default Directory only – Single tenant) under Supported account types.

8. Choose Web under Redirect URI and copy the redirect URI from the Admin Console.

9. Click Register.

Step 3: Modify Application Manifest

1. On the left, click Manifest

2. On Line 14, change “groupMembershipClaims”: null to “groupMembershipClaims”: “SecurityGroup”.

3. Click Save.

Step 4: Modify Authentication Settings

1. On the left, click Authentication.

2. Deselect Access tokens.

3. Select ID tokens.

4. Make sure that under Supported account types, Accounts in this organizational directory only (Default Directory only – Single tenant) is selected.

5. Set Allow public client flows to No.

Step 5: Populate Admin Cloud Azure Fields

1. On the left, click Overview.

2. Copy the Application (client) ID to the field Azure Application ID in the Admin Console.

3. Copy the Directory (tenant) ID into the Azure Directory ID field in the Admin Console.

4. On the left, click Certificates & Secrets.

5. Under Client secrets, click New client secret.

6. Enter a Description and select an expiration date. Keep in mind that if you do not set Expires to Never, you will have to update this field.

7. From this new secret, copy the Value to the field Azure Key in the Admin Console.

   • This will be the only time you can copy this value. If you don't save this value now, you will have to create another secret later.

8. Click Save Authentication Settings

9. Below this section, in Database Sign In, set Microsoft to Enabled.

Step 6: Set API Permissions

1. Back in Azure, click on API permissions on the left.

2. Click Add a permission

3. Click Microsoft Graph.

4. Click Delegated permissions.

5. Search for user.read and select the User.Read permission and click Add permissions.

   • Since user.read may already be populated, you can discard if Add permission remains greyed out.

6. Click Grant admin consent for.

Step 7: Create New Group

1. Click Microsoft Azure, then click Groups.

2. Click New group.

3. Click No owners selected and choose the owners of the group.

4. Click No members selected and add the users you want to use SSO.

5. For Group type, choose Security.

6. For the group name, give a descriptive name.

   • Since a group corresponds to a permission set, it is recommended to name the group based on the permissions its members will have.

7. For Group description, enter a description.

8. For Azure roles that can be assigned to the group, select No.

9. For Membership type, select Assigned.

10. Click Create.

Step 8: Add Group to FileMaker App

1. Click on the newly created group.

2. Copy the Object ID.

3. Open the FileMaker application you want to use SSO with.

4. In the upper menu bar, click File, then Manage, then Security.

5. Click Authenticate via and choose Microsoft Azure AD.

6. In the bottom left, click New.

7. On the right, select Group.

8. For Group Name, paste the Object ID.

9. Make sure Active is true.

10. For Privilege Set, select the desired privilege set. Ensure the chosen privilege set has the fmapp privilege option.

11. For Description, write a short description.

12. Click OK.

Conclusion

If you want to assign different privilege sets to different users, you will need to repeat steps 6 and 7. Each created group corresponds to a single FileMaker privilege set.

If you need further assistance setting up SSO with Microsoft Azure for FileMaker, please contact our team at DB Services, and we would be happy to help.