Single Sign On is the user authentication method where a user enters their credentials only once in a given session. This usually happens either when the user joins the network or when the first application that requires authentication is reached. Single Sign On is not a native feature of FileMaker WebDirect, and supporting it requires additional code.
SSO has been achieved with the addition of two PHP support files combined with FileMaker scripting.
Here is how we did it and how it works ...
- Users hit a locked down WebDirect landing page.
- The landing page loads a web viewer pointed at helper file #1, fm_sso.php, passing a UUID as a URL parameter. This file must reside in a folder that requires credential challenging.
- fm_sso.php then retrieves the Active Directory user credentials (user name only) and saves them to a PHP temp file named after the passed parameter. FileMaker WebDirect cannot read the contents of a web viewer directly, so the data is handed across via this PHP temp-file storage.
- A FileMaker script next calls the second helper file, fm_ssoRead.php, via Insert From URL, passing the same UUID; the helper reads the previously created temp file and returns the credentials. This file must be in a folder that does not require authentication, since it is accessed from FileMaker Server rather than by the user's browser. Once the credentials are retrieved, the temp file is deleted.
- The returned credentials (username and group) are checked against local FM tables as needed, and an appropriate local FileMaker account is assigned to the user. From there the user proceeds as normal.
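As an added illustration (not the helper files from the original post), here is how the two roles above can be written in PHP with the checks a practitioner would want: the client-supplied UUID is validated before it becomes a filename, the handoff is single-use and expires, and the reader endpoint only answers FileMaker Server. The `REMOTE_USER` header, the temp directory, and the `10.0.0.5` address are assumptions.

```php
<?php
// Added example, not the original helper files: the two roles described above, with the
// client-supplied UUID validated so it can never name a file outside the temp directory.
// Assumed: the web server's auth module puts the AD login in $_SERVER['REMOTE_USER'] (IIS
// uses AUTH_USER), SSO_TEMP_DIR exists outside the web root, and $allowedReader is the
// FileMaker Server address that calls fm_ssoRead.php.
const SSO_TEMP_DIR = '/var/tmp/fm_sso';
const SSO_MAX_AGE  = 600; // seconds; stale handoffs are discarded (the "10 mins" idea)

// Accept only a canonical UUID so the filename is exactly 36 known-safe characters.
function sso_valid_uuid(string $uuid): bool {
    return (bool) preg_match('/\A[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/i', $uuid);
}

function sso_path(string $uuid): string {
    return SSO_TEMP_DIR . '/' . strtolower($uuid) . '.txt';
}

// fm_sso.php role (credential-protected folder): record who the web server authenticated.
function sso_write(string $uuid, array $server): bool {
    if (!sso_valid_uuid($uuid) || empty($server['REMOTE_USER'])) {
        return false; // unauthenticated or malformed request: store nothing
    }
    $part = sso_path($uuid) . '.part';
    if (file_put_contents($part, $server['REMOTE_USER'], LOCK_EX) === false) {
        return false;
    }
    return rename($part, sso_path($uuid)); // atomic, so the reader never sees a partial file
}

// fm_ssoRead.php role (unauthenticated folder): release the name once, to FileMaker Server only.
function sso_read(string $uuid, string $remoteAddr, string $allowedReader): ?string {
    if ($remoteAddr !== $allowedReader || !sso_valid_uuid($uuid)) {
        return null;
    }
    $path = sso_path($uuid);
    if (!is_file($path)) {
        return null;
    }
    $user = (time() - filemtime($path) <= SSO_MAX_AGE) ? file_get_contents($path) : null;
    unlink($path); // single use: expired or not, the handoff is gone after one read
    return $user === false ? null : $user;
}

// Each installed copy calls one role; e.g. in fm_ssoRead.php:
//   $user = sso_read($_GET['id'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '', '10.0.0.5'); // assumed FMS IP
//   http_response_code($user === null ? 403 : 200); echo $user ?? '';
```

Because the reader deletes the file whether or not it has expired, a leftover handoff can only be redeemed once and only within the expiry window, which also removes most of the need for the periodic temp-folder cleanup mentioned later.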
Implementing Into a Solution:
- Native FM accounts have to be created for all user access levels.
- The two PHP helper files must be installed in the correct folders.
- The application must be scanned for every place that refers to the user's account name, and each replaced with the variable holding the username returned by the second PHP helper file.
Future Thoughts ...
The PHP helper files could store the passed credential info in a single file (flat database) rather than in separate files, so no cleanup scripts or routines would be needed. Alternatively, automatic cleanup of files older than 10 minutes could be implemented.
It is up to you to ensure your accessible landing page is fully locked down.
Currently, periodic cleanup is needed for the temp folder that holds the UUID-named files.