External Authentication Options: EA, SSO, AD, OD, OAuth, LDAP (Advanced 002)

Captions
My name is Wim Decorte. I'm a Senior Technical Architect at Soliant Consulting, and I'm very happy to see so many of you here; very happy that this is the biggest DevCon ever, very exciting after all these years. All right, so who am I? It appears I am the human incarnation of caffeine. I don't know how that happens, but it has a very good side benefit: I realize I smell really good in the morning. I started going to DevCon in the last century, that's how old I am, and I've spoken at roughly half of these developer conferences. I work at Soliant Consulting; we have a great team, as you may have seen from the number of speakers that we have here at the conference this year, so yeah, very honored to be working with them and all the good stuff that they do.

All right, so alphabet soup: external authentication alphabet soup. We'll cover all of these things, EA, AD, OD, what they mean, what they stand for, and especially what is new on the OAuth side, so let's jump right in. The first of those acronyms was EA; it stands for external authentication. We will cover what has changed, what FileMaker 16 is bringing to us in this realm. Just to make sure that we're all on the same page: when we say authentication we mean how do you prove that you are who you are, that is, can you prove your identity before you get into the solution. In FileMaker terms we're talking about that first tab when you open Manage Security; it's all about the accounts. The Accounts tab is where you set up credentials, a username and a password, and that's how you prove that you are who you are; that's your identity. What we are not going to talk about is authorization. Once you are in the solution you have a set of rights, a set of privileges, and that's defined in the privilege set; that's the second tab over in Manage Security. We're not going to talk about that, so we're not going to talk about "can I go to this layout, can I view the data in that record". We are going to talk strictly about the authentication, the "who are you"; that's the piece that we are going to cover.

So authentication, if it's external, what it really means is that it is not FileMaker that does the authentication; it's something else, and we will talk about what these other things are. When FileMaker 7 was released back in 2004 we were given three external authentication providers: Windows Active Directory, Apple Open Directory, and the little brother that is very often overlooked, the fact that you can use local accounts and local groups on the FileMaker Server machine itself. So if the machine is not tied to an Active Directory domain or an Open Directory domain you can still use external authentication using the accounts and groups in the operating system of the machine that has FileMaker Server. So we've had these since FileMaker 7. So how do you start using them? In the session materials that I uploaded a while ago there's a white paper called "Server External Authentication" that I co-wrote with my good friend Steven Blackwell, who's in the audience as well. We wrote that back in 2004; it has been updated a few times over the years. It's still very relevant; all of the screenshots are dated, absolutely, so when we talk about and show Active Directory it doesn't look that way anymore, but all of the concepts, all of the how do I set it up and why do I set it up and what are the gotchas when I get there, those are still very relevant in that document. So I'm not going to cover setting all of that up; I'm not going to show you how to set up an Active Directory, any of that; that's all described in a lot of detail in that white paper.

In essence it comes down to this, and this has been the same since FileMaker Server 7 all the way up to this version (I'm showing FileMaker Server 14 here): if you go to Database Server, you go to the Security tab, there's a drop-down there. If you switch that drop-down so that it says "FileMaker and external server accounts", that's pretty much all you have to do in FileMaker Server in the Admin Console to enable external authentication using those three traditional providers: Active Directory (AD), Open Directory (OD), and local accounts and groups. So that's all it takes on the FileMaker Server side. Over in your FileMaker solution you'll have to create accounts that are matched to something that exists in that identity provider, AD, OD, that kind of thing. So when you set up an account in FileMaker you switch it over to External Server, and as you can see when you do that, the entry field right below it switches to a group name. So you have to provide a group name that exists in Active Directory, Open Directory, or on the operating system of the FileMaker Server machine, and then you give it a privilege set that will dictate what the user can do once they are in. So that's what you do on the FileMaker Pro side; on the FileMaker Server side all you do is toggle this switch. Now there's a little more configuration that needs to happen on the operating system side of things: in order to use external authentication with Active Directory or Open Directory, the machine itself, the operating system of the machine, has to be tied to that Active Directory or Open Directory. All of that is described in that white paper.

So why would you use it? There are many reasons, and all of them again are described in that white paper, but the big one is account management. It means that you don't have to do individual account management in your FileMaker solutions. If you have a group and you set up the group inside your FileMaker solution, that means you can keep adding and removing people to those groups completely outside of FileMaker, so you don't have to go into your FileMaker solution to give somebody access or remove somebody's access, and obviously that is of tremendous benefit if you have an existing identity management structure. If the organization already uses Active Directory or Open Directory then you can just leverage that and use it for your FileMaker solutions. The other big benefit that you have is that you get instant access to a lot of authentication features that you don't have natively in FileMaker, so you can take advantage of password complexity rules, password expiry rules, geographical location (they can limit who can log in from what location), you can limit who gets access during certain days of the week, certain times of the day. So all of that is already built into those identity management solutions and you can now just leverage it in your FileMaker solution. Things like multi-factor authentication: all of these, Active Directory, Open Directory and the other OAuth ones that we'll talk about in a minute, offer that natively, and it means that it's now available to you to use for your FileMaker solutions.

There is one setting on FileMaker Server that talks about directory service. Active Directory and Open Directory are called directory services because they keep a directory of users and groups. That is not the feature that you need to enable external authentication in FileMaker. That feature basically goes hand in hand with a feature on the FileMaker Pro side where you can configure how users find your FileMaker Server. All that feature does is show people where your FileMaker Server is; it does nothing for authentication. So if you ever go there and try to enable this or fiddle with this in the hopes of enabling authentication, I will haunt you in your sleep. All right, so these are the three traditional ones that we've had since FileMaker 7, so we've had them for a really long time. In FileMaker 16 we now have three new OAuth providers, so we have three additional
identity management providers that we can use to prove who you are and give access to your FileMaker solutions: Microsoft Azure, Amazon and Google accounts can be used in your FileMaker solutions. OAuth is the standard, and it has a very intricate dance between the user that wants to authenticate and the authentication provider. You don't need to know all of this and we will not go into a lot of detail here; it's probably not a bad idea if you get somewhat familiar with how it works and why it's there in the first place, but we won't go into a lot of detail in this session. The end result is something like this: if you configure a FileMaker Server, which we will do in this session, to take advantage of these providers, your login dialog will look something like this. You wouldn't necessarily have all three of them; I have enabled all three of them in this one. It could be one, it could be multiple, but the users can instantly either type in their FileMaker account and password in the top section, or they can click one of these three buttons, which will then take them to a web page of that provider where they can type in their credentials, and that will basically complete a round trip all the way back into FileMaker and they will get into the solution. All right, so this is what one of those web pages would look like where the user types in their credentials. In your solution you can then pick up, using those Get functions that we've had, who that user is. There's a new Get function in FileMaker 16, Get(AccountGroupName), that is very handy so that you can see what group they belong to, if the identity provider (Active Directory, Open Directory, the OAuth ones; not all of them support group-based authentication, we'll get into that in a sec) supports it. If they do, you can see what group they belong to. So if you use Active Directory and somebody belongs to a group, when they log into your solution the name of that group will be visible through that new Get function, Get(AccountGroupName).

The next and the biggest part of this session will be me stepping you through how you configure your FileMaker Server, the OAuth provider (Azure, Google, Amazon), and how you configure your FileMaker solution to take advantage of that. So that's what we will cover in the remainder of the session. You don't need to remember or memorize all the steps that we will take; there's a 50-page document in the session materials that has very detailed step-by-step, with lots of screenshots, basically a how-to on how to configure it. So you don't need to scribble a lot of notes on how I do it; everything is outlined in that. I will also show a lot of videos on how to do it; I will make the videos available to you after the session as well.

All right, so from here on it's all demo, and to set the stage a little bit: we basically have our FileMaker Server 16; it hosts that file, the DevCon 2017 file; that is the one that we will configure. If we go ahead and open that in FileMaker 16 you will see that at this point the login dialog is still the same as we always had; we don't see those extra buttons, and the accounts that exist in that file are just the standard FileMaker accounts, so there's nothing fancy going on in that file as we have it at this point. So that is what we will be using for this session and that's the file that we will configure. So there are three of them, three new providers: Microsoft Azure, Google and Amazon. We will start with Microsoft Azure for a particular reason, because it's the most intricate one to set up. I won't say difficult, because one of the things I want you to take away from this session is that setting this up is surprisingly easy. If you're not familiar with a lot of these concepts and terminologies it can be a little daunting, but it is very easy to set it up and it is very powerful once you have it set up. The Microsoft Azure one is the most complex one; that's why we will start with that, because it'll cover all the concepts that we need to cover, and then once we get to Google and Amazon it'll be that simple. The demo basically will be broken down into the same parts for all three of them: the first part will be what we need to do on the FileMaker Server side and what we need to do on the Microsoft Azure side, the provider's side, and then we will turn around and see what we need to do in your FileMaker solution to basically tie it all together.

So we'll start with Microsoft's offering and we will go over what we need to do on FileMaker Server first. All right, so that's our FileMaker Server; we have the file; we will go to the Security tab. One of the things that we need to make sure that we have as sort of a prerequisite: since the identity provider is not on your network, it's out there, it's on the internet, when the user tries to log in they will be taken to a web page that belongs to that identity provider, Google's page, Amazon's page, Microsoft Azure's page. When they say "yep, I know this user, the set of credentials that you provided is good, I recognize this user", they will need to talk back to FileMaker Server, and there's a configuration setting that we will cover that does that, that says "talk back to me at this address". That means that your FileMaker Server needs to be reachable from the internet, and it has to be secure; it also only works over HTTPS. That means that you need to enable FileMaker Server to use a custom SSL certificate; this does not work with the standard default SSL certificate, so you have to have a custom one. So that's the first of the prerequisites. The other one is that the path all the way down to your FileMaker Server has to be reachable, so you have to have the necessary ports available. Well, it's not a fancy port; it's port 443, the default HTTP port, but it has to be routable from that identity provider down to your FileMaker Server, so your firewall, your router, DNS name, all of that has to be in place, so when you tell Microsoft Azure "here's my server" it can actually find your server. All right, so that's why I'm showing you that we have a custom SSL certificate on that server. Then we basically toggle this one on; that's our toggle to enable external authentication, and at this point, even if we don't enable one of these other three, we have already enabled it so that it works with Active Directory and Open Directory and the other ones.

All right, where we are now is we are basically in Microsoft Azure, in the portal; let me see if I can pause this a sec. We are at portal.azure.com. This of course assumes that you have an account with Microsoft Azure already, a developer account. Once you have it you go to this thing here, that's the symbol for Azure Active Directory. The first thing that we will need there is we have to set up an application. The application really doesn't do much of anything, but it's a place to store configuration settings on the Azure side. So we'll just create an application; we'll call it DevCon 2017. There are only two options there; we'll leave it at Web app / API. Now this one, you can tell by the red asterisk it's a mandatory field, so we have to provide a URL. What we type there isn't really that important, not for the purpose of setting up the demo and making authentication work. For legal reasons and other reasons you may want to provide a URL where users can read up on privacy rules and consent things that you have, but for the purpose of authentication this one is not relevant; that's why I call it notimportant.com. So this is not the URL that Microsoft
Azure will use to talk back to your FileMaker Server; that'll come later. All right, so we'll just go ahead and create that, and there we have our application. On the other side there are a couple of things that we will need, and the first one is we will put in the address, the address that I talked about that Microsoft Azure will use to talk back to your FileMaker Server. You can find the format for it when you go to your FileMaker Server, so I just copied it over; I'll put it in there and I'll substitute those placeholders with the fully qualified DNS name of my FileMaker Server, and if I were to use a non-default port I would include the port as well, but this is just the DNS name of my server accessible from the outside. The question is, will it work with IP addresses? The answer is no, because you cannot have an SSL certificate issued to an IP address, so it has to be a fully qualified domain name.

The second part that we will do: every application has an application ID, so we will copy that over, we'll go back to our FileMaker Server and we'll put it there where it says "Azure client ID". So that's the application ID of your application on the Azure side. The next thing is we will generate a key; that's another element that we'll need there to configure FileMaker Server. You may have noticed when you pick a key there's an option there to have its validity for one year, two years, never expires. I just chose "never expires" for demo purposes; you want to give some thought to that. This is one of those convenience versus security things: if the key expires you'll have to come in and renew it, set it up here, and then take the new key and put it in your FileMaker Server configuration, which is the most secure thing to do. If you set it to never expire and the key gets compromised, that would obviously not be a good thing for your overall security. So I copy the key, go back to my FileMaker Server and put it in there. Right now we need one more thing: we need the Azure tenant ID as the last bit of information that I need to configure my FileMaker Server, and that one is not tied to your application; this one is actually tied to your Azure AD itself. So if I go there and I go to Properties, the Directory ID, that's the one we need to put in there and use as the Azure tenant ID, and that completes our configuration on the FileMaker Server side. So you don't need to worry or fret about remembering what I did; everything is documented in that white paper.

There was a question. Yep, so the question is (and I was trying to gloss over that conveniently; Azure is the only one like that), the question was: things are called one way on the Azure side and they're called a different way on the FileMaker Server side. It's unfortunate; you will not see that on the Google side or the Amazon side. "I don't know why" is the simple answer. Once you've seen this in action you know where to put things, but there's really no rhyme or reason why they're called what they're called, so it is what it is. Yeah, I don't know whether there's a knowledge base article or anything like that, but it's certainly in my white paper, so you have all the screenshots of what it is.

All right, so once we've done that, once we've put in those configuration settings in FileMaker Server, you will have to restart your FileMaker Server, so that may be something that you'll have to keep in mind as you go through this, purely from a timing point of view, I guess, so that you don't do this when users are actively working in your solution. All right, so I will go ahead and restart FileMaker Server. We don't need to wait for that. So that was the first part: I've shown you how to set it up on the Azure side with that application that you have on Azure, and how you can take those pieces of information and put them on the FileMaker Server side. The next piece is going to be: what do we do now over on our application side, in our FileMaker solution? Obviously we'll have to create accounts, so we'll have to set up accounts in FileMaker Server. You'll see that we already have our Microsoft button right there. If I were to click it nothing would happen, because I don't have accounts in my solution yet at this point, but the login dialog has already picked up on the fact that my FileMaker Server is configured now to enable the Amazon, sorry, Microsoft Azure one. So we create an account and we pick Microsoft Azure; we have two options here, group and user. Of those three new providers only Azure offers those two options; Amazon and Google only do it on an individual basis. So for now I'll pick User, I'll put in an account and I will OK that. So when we reopen our solution, I'll close it and go back in, I will now click that Microsoft button and see what happens.

All right, so we are now taken to the Microsoft Azure web page to log in. Since this is the very first time that I use this account to log in to my solution, or actually to log in to that application that we've created on the Azure side, we are asked for consent: do you agree that this account will be used for this application? This will only happen the very first time that you use this account. Now I've put in my account on the other side; at this point Azure has said "yep, I know who you are, your account is valid, you're good to go". What we're seeing now is browser behavior. This is Safari on Mac, and you may have seen this with other applications like GoToMeeting and some other stuff, where if it has to redirect to something like an application it will say "are you sure that you want to do this?" Not all browsers do that; Safari does that. You have no control over this, is what I'm trying to say; this is browser behavior. So I'll say "yep, I'm okay with that" and I'm in my solution. So obviously I can prove that by going to the Data Viewer and looking at those Get functions that I mentioned in the beginning. So I'll have to authenticate, but there we are: my Get(AccountName) is the account name of that Azure account that I've added to my FileMaker file; there's no group name, because I picked the individual user setting when I created the account on the FileMaker side.

All right, so as mentioned, Microsoft Azure is the only one of the three new OAuth providers that gives us group authentication, so we'll have a look at what that looks like and what we have to do for that. So in Azure AD we can click on All groups. We'll create a group; we have to give it a name; the name doesn't really matter, so we'll just call it "Azure group". Description is not mandatory, so I'll leave it be, and we have no members at this point, so I'll select one of the members that we have in our Azure AD. Now this may throw you off a little, because that account that I selected was a Gmail account. That doesn't really matter: any email address can be set up to become a Microsoft account, that's the long and short of it. So don't get thrown by the fact that it's a Gmail account, so by extension a Google account; any email address can be used to hook up or to be linked to a Microsoft account. All right, so we have our group; the group is named "Azure group" and we have one member in that group. Now there's one more thing we need to do: by default Microsoft Azure groups are not set up to allow group authentication. So in my application that I have set up on the Azure side I have to click Manifest and I'll have to change a setting there on line number seven, where it says groupMembershipClaims; I'll have to enable it, in essence, to allow for group authentication. It doesn't do it by default. So all of that again is documented in that white paper that you have available. All right, so with that set up now, when I use an account that belongs to that group and I authenticate against Azure,
it will say "yep, that's good, you belong to this group, we're good to go". All right, so we have the group, we have one member, so we can test that out. On the FileMaker side we'll also have to do something to make that same thing happen. I know the screens go by fairly quickly, but when we set up the accounts, when we were adding the accounts, we picked the individual user setting, so we'll set up a group account for the group that we've just created as the next step here. So we'll click New, and when we pick Azure AD the default is actually the group setting, so we'll leave it at that, and this is where we put in a group name. The name of our group was "Azure group", so that would be the logical thing to put in there, but that's not actually what we need. You'll see that it says group name, but in parentheses it says object ID. That is something that threw me in the beginning as I was trying to go over there. So we'll have to go back to our Azure AD and we'll have to copy the object ID of our group; that's what you need to use as the group name inside FileMaker. It's not the actual name of the group, it's the ID. And just to make sure that we have something readable, I'll put it in the description, so when I look at my list of accounts in FileMaker I can sort of see what it meant there.

All right, so we have one member that belongs to that group; we don't have that individual account set up inside the FileMaker accounts, we just have that group name. So if we log in, so that's the one user, that Gmail account, if I log into my solution using that account we should see that it works. We'll click the Microsoft button, that will take us to the Microsoft login page, and I have a fair number of accounts, but we'll use the Gmail account that we have for that one. It will ask us for our password, and once we get past that we should see that we end up in our FileMaker solution properly authenticated. All right, first time I use it, so again it asks for consent, and after that we are good to go. All right, so if we bring up the Data Viewer now and we look at those Get functions we'll see it's pretty much the same as we had before: it'll tell us the exact name of the account that we used, which is the Gmail account, but this is the thing that we now have: we now have the group name, the object ID, in the new Get function that will tell us what group we belong to. That Gmail account does not exist as an account in FileMaker; it's only the group account that exists there.

All right, one of the biggest differences, and I'm jumping ahead a little bit, but one of the biggest differences between the Microsoft Azure implementation of OAuth for FileMaker and the one that we have with Google and Amazon is that if you enable Amazon and/or Google, any Amazon account, any Google account will work. We don't have the concept of having to add users to something like Azure AD or a group. So any Google account will work, any Amazon account will work, whereas with Azure the user has to exist in your Azure AD. So you have to create the user there, meaning that there's a process to it. If you want to give a new user access to your solution you have to go through a process by adding that user to your Azure AD, and the user, depending on the email address that you use to add them, may have to go through a separate process to link that email account to a Microsoft account. So this is the process of adding a user to the Azure AD. You may have noticed there were two options: add a user, add a guest user. I'm using a guest user because I will be using another Gmail account. That Gmail account, by virtue of it being a Gmail account, doesn't belong to my domain, to my Azure AD domain. So you have two sets of users, I guess: you can add users that belong to your domain, or you can add users that do not belong to your domain, which are called invited guests. All right, so I'll just put in a Gmail account. Now what will happen basically is that as soon as I add this user an email will go out to that user to say "you've been invited to this domain", and then the user will have to say "yep, I'm good with that" and all of that. So this user has now been added to our Active Directory domain on the Azure side. In the background that user has received an email; so this is the email account for that particular user and there's the invitation.

All right, so the reason for me to show this is not so much that you will memorize it, but to be aware that if you're using Azure AD and you're inviting users to have access to your solution there's a definite process for them to go through, and that's something that you may want to document and do for yourself, so that you know exactly what your users will have to go through, so that you can document it and set some expectations. So in essence what's happening here is that that Gmail address, Microsoft didn't recognize it as a valid Microsoft account, so it'll go through all the steps to set it up as a Microsoft account: it'll send out the code, it'll do the email address verification, so all of that good stuff is happening in the background. And this would all be the user doing that, so that's not you, that's the user having to go through these steps. Obviously if you have an existing Microsoft account none of this happens and the process is a whole lot simpler. All right, so we are in the final stages of that user's account being linked and recognized as a Microsoft account. This page would typically update for them at some point so that it would list the DevCon 2017 application that they've now agreed to use, but we don't need to wait for that; the user can basically now try and log in straight to your FileMaker solution.

What we will do now that we have set up this new user account in Azure is add it to our Azure group, and that's where the real power of this comes in: on my FileMaker solution side I don't have to do anything. This is all management that I do in my Azure AD, and yes, the user will have to go through some steps, but I don't have to touch my solution at all. I do all of my admin on the AD side: I just create a new user, I add it to the group, I don't have to touch my solution because I already have that group set up as an account in my FileMaker solution. So once I am done going through these steps the user can just log in. I didn't have to touch my solution; that's where the real power is of using group-based authentication for these things. So this is the user having clicked the Microsoft button on the login dialog; they will log in on the Microsoft side, and at the end of that they will just be in our solution. I can't really stress that point enough: the real power of doing this, the real benefit of doing this, is that you don't have to do anything on the FileMaker side. Once your FileMaker Server is configured, once you've set up that group account on the FileMaker side, all the management is done completely away from FileMaker, so it can be done by anybody; if you have administrators that need to do this they can do it; they don't need to know your FileMaker solution at all.

There was a question. So the question is, if you have Office 365 users, is the Azure AD already set up, is that in place? By and large yes. It's an ever-changing landscape so I don't want to give a definitive answer, but in essence, as I understand it today, yes: if you have an organization that uses Office 365 you do have Azure AD and you have the users already in place. All right, so this is the confirmation that the user that we just
added to our Azure ad is now able to log in to our solution without us touching that solution at all question yeah so the question is you mean the filemaker login dialog right so the fam'ly can login dialog has two parts the top part has the two entry fields which are used for regular family accounts and then you have the three buttons at the bottom so the question is can you hide the top section no and it can be a little confusing where the users will think yes I'll type in my Amazon credentials or my asher credentials and and then hit a button but yeah no it does work that way yep yep so the question is there's some on some of the traditional pharmacological logs there's this option to say can you say safe credentials to the keychain you have none of that right so there's no saving of that one more question then we'll move on we'll save the questions to do it to the end yep sure so the question is what is the nature of the application you you have to set up an applique I call an application because they call it an application it's the same on Google and same on Amazon so the question is what is the nature of the application it's it's nothing but a shell it's it's a placeholder where you can make configuration settings that you can say these are the accounts that belong to it things like that manifest that you say yes I will enable group or group authentication that kind of thing there's really nothing to the application on the provider side it's kind of meaningless it doesn't do anything it's just a place where you go to to to make configuration settings all right all right Amazon so that's it for the Azure side I hope I didn't confuse you too much but it's basically the same structure always right so you can figure if I make a server you go to the provider side you configure an application that doesn't really do anything it's but it's a place for configuration settings then you turn around and do some stuff in add accounts to your FileMaker solution right so 
Amazon. So we'll go to the same place: we basically go to that Database Server, Security tab, and we click the button for Amazon. What we see here is very similar to the page that we had for Azure, except that there's one less piece of information that we need. So we will have to find a place where we put in the redirect, the allowed return URL; that's the address that Amazon will use to talk back to us. And then we need the client ID and a client secret. All right, so we'll see where we can find those. We need to go to developer.amazon.com. Again, just like with Azure, you need to have an Amazon developer account, that's a given. I will log in to mine; I have mine set up to use multi-factor authentication, so it'll ask me to confirm that I am who I am.

Once we get past that, the Amazon developer console, if you will, has a service called Login with Amazon. That's what we will need. So we've logged into the developer console, Apps & Services, and right there is Login with Amazon; that's the one that we need. It'll tell us you don't have anything; that's fine, we'll set it up. It's called a security profile, so we'll create a security profile. The name is the equivalent of the application name, if you will, that we used on the Microsoft side; we'll just use DevCon 2017. Description is mandatory, doesn't really mean all that much as long as we put in something. The third piece there, the consent privacy URL: again, that's not the address that we will use, or that we will need to use, to have Amazon talk back to FileMaker Server. That would be a place where you state your privacy and consent agreement, all of that, so not so important for the authentication purpose; we'll just move past that.

So this is cool: we know that we need a client ID and we need a client secret, and it's right there. We can click on it, we'll copy those over, and those are the two main pieces of configuration that we would need from the FileMaker Server side, so I will just plop them in there. Then the only additional piece that we will need is we'll have to find that place where we put in that address that Amazon will use to talk back to our FileMaker Server. So we'll copy that one over so that we have the format and we can just replace what we need. But we know that as soon as we click Save here, we'll have to find a time to close our files and restart FileMaker Server.

Now, Web Settings in that profile, that's where we can set the Allowed Return URLs. That's the address that Amazon will use to say, yep, we know this user, you can let them into your solution. Again, what we put in is the fully qualified domain name, the DNS name, the one that is covered by the SSL certificate on our FileMaker Server. And that's it for the FileMaker Server side and the Amazon side; that's all we need to do for that one.

So the next step is we'll have to do something in our FileMaker solution itself: we'll have to create an account there that can be used. As you can see, we now have an Amazon button; it picked up on the fact that my FileMaker Server is configured to allow Amazon accounts. As I mentioned, the big difference here with the Microsoft Azure thing is that now that we have set up our FileMaker Server to allow Amazon accounts, any Amazon account will do. There's no concept of groups, or adding users to a specific domain, or anything like that. And you also see "group or user": there's only users. So there's no concept of groups with Amazon, and with Google, as we will cover in a sec. So for every user that we will need to give access through an Amazon account, we have to add them as an individual user under the accounts; there are no groups in this area. So we'll pick Amazon, we'll put in the email address of that user, and after that they're good to go. And it could be any Amazon account, as long as we add it.

All right, so we'll close our file, we will reopen it, click the Amazon button and see where it takes us, because I didn't make a re-login script. Yeah, no, it's a valid question; I could have saved myself some time by just doing the re-login thing. So it took me to the Amazon page for the login, same as the Azure page: you put in your credentials, same kind of concept. They all do that the first time you log in: it will ask for your consent, to say, yeah, are you sure that you want to use your account to log into this application. Browser behavior: all browsers are slightly different. When I now go to my Data Viewer, you will see that the account is there. You will also see that the new Get function, Get(AccountGroupName), is empty: there's no concept of groups with Amazon, there's no concept of groups with Google, so those will always be empty. If it's my mom, tell her I'll call her right back.

All right, so that's it for Amazon. This process is a whole lot simpler than the Azure one; obviously the Azure one was a little longer because we talked about the concepts, but that's it. You set up your FileMaker Server by creating an app on Amazon in that console, and after that you're good to go: you add all the individual Amazon accounts that you want to give access to your solution, you add them all individually to your file.

Google. Same thing: we'll go to the Database Server, Security tab, we'll click on the button to enable Google, and we'll see what we need. It's very similar to what we need for the Amazon side: we'll have to find a place for the return address, and there's a client ID and a client secret. So it's almost identical to what happens on the Amazon side. Just like Amazon, Google has a developer website where you can create an application, so I'll log
in to that one. Just like my Amazon account, my Google account is set up for multi-factor authentication, so that I have a little extra layer of protection, and as I mentioned in the beginning, that is where all of the power is with using these kinds of external identity providers: you get all the benefits of using these external authentication mechanisms, multi-factor, all of these things. So we'll put in the code that is sent to my cell phone, and after that we will be in the Google developer console. It's console.developers.google.com, and in there, under Credentials, you can create what is called an OAuth client ID. That's what we need. We pick that; web application is the one that we need. The name is the same as the application name; we'll use DevCon 2017 for that one. And right here already it tells us this is where you can set the redirect URI, so that's that return URL that they will use to talk back to our FileMaker Server. We'll copy the format over, put it in there, we'll substitute our DNS name, and away we go. As soon as we save that, it shows us the client ID and the client secret, so those are the two pieces of information that we have to bring back to our FileMaker Server and put in the Admin Console. So that's nice and easy, just like it was on the Amazon side, and that's sort of what I meant with "this is surprisingly easy". It can be a little daunting because of all the acronyms and the way that things are named, but in essence there's not a whole lot to it once you know where to go and configure these things.

So we've saved the settings, so we'll have to restart FileMaker Server; we don't need to wait for that. We'll turn around and see what we need to do in our FileMaker application, which is basically just create an account. And there's going to be a little bit of a twist here, because like many of you, I have the same email address that I use for different accounts. I have an email address that is a Microsoft account, I have the same email address that is an Amazon account, I have the same email address that is a Google account. So I pick Google as my authentication mechanism and, well, that's not all, I'll put it in later, but this is basically just one of my Google accounts. Set it up just like with Amazon: there's no concept of groups. I know that I'm repeating myself, but there's no concept of groups. That means that every Google user that you want to give access to your solution, you have to set them up individually. So of those three new ones, only Microsoft Azure has that concept of a group; for all the other ones you have to set up individual accounts.

All right. Isn't that interesting? Didn't expect that, right? So what happened here, if you were paying attention: the normal thing that would happen is that I get the login dialog, I click the button for the provider, I go to that provider's web page where I'm asked to put in my credentials. That didn't happen. It went straight into the browser, the browser saying, are you sure you want to redirect to FileMaker, and I said, yeah, of course, and then this happens. But I had just set up that account, so what happened? My browser wasn't even open; Safari is my default browser on that machine. If I go to Gmail, which is owned by Google, and I log in, you see that it didn't ask me for any credentials either. So what happened here is I had cached credentials. I was logged into my browser with another Google account, and even though my browser was closed, those credentials were cached. By me clicking that Google button, it makes a round-trip to Google, and Google said, I already know who you are, so I'll get you straight into FileMaker. But that particular account, the one with the cached credentials, didn't exist as a Google account in FileMaker, so FileMaker said, no, I don't know who you are. This should not happen, right? So that is something to be aware of, because the round-trip goes out to the identity provider's web page: if you have logged into another service of theirs before and you have stored your credentials there, cached in the browser, they will be reused when you use this. That's something to be aware of. The classic scenario is that you use your Google account, you logged into Google, you close your browser; that doesn't mean that your credentials are not there anymore. If you walk away from your desktop, somebody may go in, just open that file, click that Google button on the login dialog, and they will use your credentials to get into the FileMaker file. So there's a whole realm of security considerations that we need to make with these services that are important, and some of these I cover in that white paper as well; I have them listed as gotchas, some things to consider.

So at this point I've shown you, in about the span of... we have 8 minutes left, in the span of about 30 minutes I've showed you how to configure FileMaker Server for all three of these new providers, and I hope that I conveyed the message that it's not that hard once you know where to look, and the white paper will help you find that. But once you know where to look, it's not that daunting to set up.

So what about FileMaker Go and FileMaker WebDirect? This is FileMaker WebDirect running on that same server; we have the same file hosted there. If I click that file, you see the same thing: we have the same login options there, all three of them are configured on FileMaker Server. If I click Amazon, I'm asked by Amazon to log in, and there you go. Same as in FileMaker Pro, WebDirect uses the same thing, and you'll see that I'm logged in with that Amazon account right there. So, no problem; WebDirect uses the same mechanism, works right
off the bat. I want to pause here for a quick sec, because what happened here is that you see that it says "sign in to open DUI". DUI is one of my other files that I have hosted on that server. I had three files hosted on that server: the one that we've used for the demo and then two other ones. If I open, or try to open, this file... we didn't touch that file in the demo. I didn't add any of those Google accounts or Microsoft accounts or Amazon accounts; I didn't do that in that file. But when I try to open that file, you get the same three options. Obviously, if I click those, nothing will happen, because yes, you may be taken to the Google page to authenticate, and you will be authenticated by Google, but when the request comes to FileMaker, FileMaker will say, I don't have an account in that file with that set of credentials, so the authentication will fail there. So keep in mind that when you configure a FileMaker Server to use any of these three services, the login dialog will change for all the files that are hosted on that server, not just the files where you created those accounts. Something to keep in mind.

So I'll drag my iPad on the screen here. This is FileMaker Go 16. If I click on that file that we've just been using all along, you'll see it's the same mechanism; it works just as well. We get the same three options, depending on what we have configured on the FileMaker Server side, and it will work just as well. I clicked on Amazon, we'll be taken to the Amazon page, and in mobile Safari we'll be asked to log in, and we're good to go. So I'll skip past that one, because you'll have to take my word that it works, and I promise you it does work.

The REST API, the Data API that is new in FileMaker 16: it does support the OAuth providers as well, meaning that you can use the REST API, the new Data API, with any of those accounts, from Amazon, from Google, from Azure. Todd Geist has a very comprehensive write-up on it on his web page, and you'll have that in the handouts after the session, so I won't go into too much detail, but he's got it all figured out, all written up. So it works there.

There's one more member of FileMaker 16, or the FileMaker platform, and that's FileMaker Cloud, and there's a clue here: blue, null, blue. FileMaker Cloud, as it is right now, is still based on FileMaker Server 15, so it does not support any of the OAuth providers yet. There was a new version of FileMaker Cloud released last week or the week before, I think last week, and if you read the release notes, it says that there will be a new version in October that will be based on FileMaker Server 16. So at that point in October we will have support for the OAuth providers as well on FileMaker Cloud.

All right, almost done, two minutes. A quick recap. In blue we have all six of the external authentication providers; in green we have some of the things to consider. So we have AD, Active Directory; OD, Open Directory; local accounts and groups on the FileMaker Server machine; and then the three new ones, Azure, Amazon, Google. Of those, on the first line, Active Directory and Open Directory require settings on the operating system of the machine; the machine has to belong... that's what I mean with "requires machine membership": the machine, the operating system, has to belong to the domain that you want to use. That is not true for any of the other ones. Azure, Amazon and Google only... well, not true: Amazon and Google only work with individual accounts. Azure can work with individual accounts. AD, OD, local and Azure have the concept of a group, where you don't have to create individual accounts in your FileMaker file, you just have to create a group, and then the group membership is something that you manage completely outside of FileMaker, which in my opinion is where the true power is of using external authentication.

Now, Azure, Amazon and Google, as I mentioned before, require internet connectivity: the provider is outside your network and it has to be able to communicate with your FileMaker Server, so your FileMaker Server has to be reachable from the internet, which is something to consider.

SSO is one of the alphabet-soup things that we had mentioned: single sign-on. Of these six, only Active Directory can provide native single sign-on. The other ones don't do it; you can mimic it in a lot of ways, but only true on-premise Active Directory can give you true SSO. If you want to know more about that, look me up after the session and we can talk about that.

LDAP is the last of the alphabet-soup ingredients. LDAP stands for Lightweight Directory Access Protocol. I mentioned in the beginning, Active Directory, Open Directory, they are all called directory services. This is a protocol: LDAP is a protocol to talk to directory services, just like HTTP is a protocol to talk to a web server. There's a thing called OpenLDAP, which is a directory service; not to confuse you, don't care, right? It does nothing for authentication on the FileMaker side. I mentioned that on one of the early slides; there is mention of LDAP a little bit in the FileMaker Admin Console, don't even go there, it does nothing for authentication.

All right, so we only have one minute left. So what I suggest is that if you have any questions, come up after. I may have to take you outside of the room to make room for the next presenter, but I'm happy to answer any and all questions that you may have. So thanks for being here. [Applause]
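The OAuth round-trip the talk describes (FileMaker Server sends the user to the provider, the provider sends the result back to the allowed return URL, and the file then looks for a matching individual account or, for Azure only, a matching group), as an added Python example. This is not FileMaker Server's or Claris's code, and the names in it are assumptions: fms.example.com stands in for the fully qualified DNS name you register as the return URL, the client ID is a placeholder, and the account list and the identity the provider returns are constructed rather than real. It shows why the return URL has to match exactly, why the `state` value matters, and how the cached-session gotcha from the talk surfaces as a provider identity that has no account in the file.

```python
"""Added example, not code from the talk or from FileMaker Server: a minimal
model of the OAuth 2.0 authorization-code round-trip between a relying party
(the role FileMaker Server plays) and an identity provider (Google here)."""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: a hypothetical FileMaker Server FQDN (the one covered by its
# SSL certificate) and a placeholder client ID. The return URL must be
# byte-for-byte identical to the allowed return URL registered at the provider.
RETURN_URL = "https://fms.example.com/oauth/redirect"
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "placeholder-client-id.apps.googleusercontent.com"


class CallbackError(Exception):
    """Raised when the provider's callback must not be trusted."""


def new_state() -> str:
    """Per-login random value the relying party binds to the browser session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str, force_account_choice: bool = False) -> str:
    """URL the user's browser is sent to when they click the provider button.

    With force_account_choice, Google's documented prompt=select_account makes
    the provider show its account chooser instead of silently reusing whatever
    Google session is cached in the browser (the gotcha described in the talk).
    Whether FileMaker Server sends such a parameter is not stated on this page.
    """
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": RETURN_URL,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
    }
    if force_account_choice:
        params["prompt"] = "select_account"
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from the provider and return the auth code.

    Rejects callbacks that did not land on the registered return URL, that
    carry a provider error, or whose state does not match the one we issued.
    """
    got, want = urlparse(callback_url), urlparse(RETURN_URL)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise CallbackError("callback did not arrive on the registered return URL")
    query = parse_qs(got.query)
    if "error" in query:
        raise CallbackError(f"provider returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise CallbackError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [""])[0]
    if not code:
        raise CallbackError("no authorization code in callback")
    return code


def callback_rejected(callback_url: str, expected_state: str) -> bool:
    """True if parse_callback refuses the callback; used to exercise the checks."""
    try:
        parse_callback(callback_url, expected_state)
    except CallbackError:
        return True
    return False


def resolve_account(provider: str, identity: dict, accounts: list) -> Optional[dict]:
    """Mirror the file-side lookup the talk describes.

    identity: what the provider asserted after the round-trip (constructed
    here), e.g. {"email": ..., "groups": [...]}. accounts: the file's external
    accounts, each {"provider", "kind" ("user" or "group"), "name"}. Amazon and
    Google match individual users only; only Azure can match a group. A
    provider identity with no matching account is exactly the failure seen
    when a cached browser session logs in as the "wrong" Google account.
    """
    for acct in accounts:
        if acct["provider"] != provider:
            continue
        if acct["kind"] == "user" and acct["name"].lower() == identity["email"].lower():
            return acct
        if acct["kind"] == "group" and provider == "azure" and acct["name"] in identity.get("groups", []):
            return acct
    return None


# Constructed sample data for a stand-alone run.
SAMPLE_ACCOUNTS = [
    {"provider": "amazon", "kind": "user", "name": "alice@example.com"},
    {"provider": "google", "kind": "user", "name": "alice@example.com"},
    {"provider": "azure", "kind": "group", "name": "FileMaker Users"},
]

if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(state, force_account_choice=True))
    print("code:", parse_callback(f"{RETURN_URL}?code=constructed-code&state={state}", state))
    # A cached browser session returned a Google identity that is not in the file.
    print(resolve_account("google", {"email": "other@example.com"}, SAMPLE_ACCOUNTS))
```

The host and path comparison in `parse_callback` is the relying-party side of the "allowed return URL" setting: a provider will only redirect to a registered URL, and the relying party should only accept results on that URL. The `resolve_account` lookup is the part the talk leaves to FileMaker: a valid provider login is still refused when the asserted identity has no account (or, for Azure, no group) in the file.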
Info
Channel: Claris
Views: 7,589
Keywords: FileMaker, Custom App Academy, Learn Custom Apps, Create mobile apps, iOS Platform, apps for your business, FileMaker DevCon, App for Business, Learn create apps, OAuth FileMaker, LDAP and FileMaker, Authentication with FileMaker, External Authentication, SSO Authentication, FileMaker Advanced, FileMaker Professional Developer
Id: 99BuLS3mCSY
Length: 60min 25sec (3625 seconds)
Published: Tue Sep 05 2017