Single Sign On from an external portal

[The Mad Jammer]

Hi,

 

We are using FMP version 9 and want to do the following 

 

• Post a simple web form from FMP 9 for our users to enter data.
• Allow the user to log in through our current employee portal, click a link and access the FMP form.
• Restrict the user's access to records in the FMP database to only their location.
• FMP must use the portal login credentials to authenticate them against Active Directory (the SSO part).

 

Sounds simple enough but I haven't used FMP for several years (got into the management end of things). Publishing the form for web consumption is no problem. It's the SSO part that I certainly need help with. It would also be OK for the user to come in as a guest (without having to log in again) as long as the data they see is only for their location.

 

There are about 300 locations that would have access to the form so it's vitally important that the data be segmented for each location. I would prefer to create 1 database for all 300 locations rather than creating 300 versions of the same database.

 

If you can point out any posts that speak to these issues I would appreciate it.

 

Jammer

[Lee Smith]

I  moved your topic from "FileMaker Legacy Versions 7 – 9" to "Peer To Peer Sharing” since you are asking about sharing. I put it into Peer since you made no mention of FileMaker Pro Sever.

 

The General Topic “Legacy” are meant for discussion of the Tools, Function and Features that were introduced with that version of FileMaker Application.

Edited July 18, 2014 by Lee Smith
added some info

[Wim Decorte]

SSO is not possible in this scenario.

 

Segmenting the data based on the user is not a problem.

[The Mad Jammer]

Hi Wim,

 

Thanks for the response. Not understanding why "SSO" is not possible. Can I pass a parameter (the location number) from the portal link into the FMP?

 

Thanks

Jammer

[Wim Decorte]

True SSO happens at the authentication level and in the FM space that is only possible in the following scenario:

- FMS running on Windows (Window server part of an AD domain)

- FMS configured to allow External Authentication

- FM solution set up for External Authentication

- Windows workstation, member of the domain

- user logged into the workstation with an AD account

then when the user is part of an AD group that is also set up in the FM file, the user will be properly authenticated without having to provide credentials.

 

 

Anything else is not SSO but ways of doing hidden authentication and then figuring out how to identify the user.  Not SSO and potentially dangerous.

[The Mad Jammer]

OK, so I verified we're running FMS 9 on a Windows server and that server is part of the AD domain already.

All the user workstations are part of the domain (dadeschools is the domain name BTW).

 

We have set up AD account groups for the users (i.e. WCTC_nnnn). WCTC is the nickname of the AD group and nnnn is the location number. This is the standard we use in our shop for AD groups. It's based on RACF authority that is used to update our security groups every day.

 

So what I'm seeing is that we would need to create/define all the AD groups within the FMP application so that they map to the AD groups in Active Directory. Is that correct? Also, can we import AD group names from the AD to expedite the process? if so, how?

 

Thanks

Jammer

[Wim Decorte]

Yes, the External Accounts that you set up in FM need to match exactly the name of the AD group you want to match it to.

 

As to importing: no.