Introduction

What is OttoFMS?

Getting Started

OttoFMS

OttoFMS Console

Dashboard Deployments Builds File Browser API Keys Webhooks MCP Servers

FileMaker Server

Google Groups OAuth Offsite Backup Providers Configuration

OttoFMS Version History Troubleshooting OttoFMS Known Issues Handling very large files on Windows servers Licensed Application End User License Agreement Technical Information Telemetry Support

OttoFMS Console Settings

Google Groups OAuth

OttoFMS can be configured to work with FileMaker OIDC to extend the Google OAuth flow by adding Google Groups to the user information. This allows you to allow access to a FileMaker file to specific groups of users rather than individual users when using the Google Authentication flow.

Every Google Group gets an email address in the form groupname@yourdomain.com. Once OttoFMS is properly configured you can use that group email as the "Group" in FileMaker's security setup.

FileMaker Security Setup

How is this different than FileMaker's built in Google OAuth?

FileMaker has built in Google OAuth support, but the built in support works with individual users and not with groups. OttoFMS extends the Google provider to pass along group information, reducing the amount of ongoing user management you need to do.

Setup

Setting up Google Groups OAuth will require configuration in the Google Cloud Console, the OttoFMS web console, the FileMaker Admin Console, and in the FileMaker files you wish to use this feature in.

Google Cloud Console

OttoFMS needs access to your Google system through a Service Account OAuth client in order to fetch the groups for a given user. This client can be restricted to only allow getting group and group membership information. This is read-only access to groups and group members. Nothing else in your google account can be accessed or updated.

OttoFMS will also require the email address for an admin user on the Google Account to get the information. If you are an Admin in your google account, your email address will work. If you aren't then you will need to ask your Google Account administrator to give you an email address that is an Admin.

Service Account Setup

Follow the FileMaker Server OAuth instructions

Start by following the FileMaker Server OAuth instructions for Google.

Go to the Google Developer Console

Google Console Home

Choose the project that you used to set up your FileMaker Server Oauth Client

Google Console Select Project

'fms-oidc' is the name of the project in this walk-through. Your name will be whatever you set it to be.

Navigate to Service Accounts

Google Server Accounts Page

Click Create Service Account

Fill in the form, then click 'CREATE AND CONTINUE'

Create Service Account Form in Google Cloud Console

Click Done!

Click on the Service Account you just created in the list of Service Accounts

Click on Advanced Settings

Click "Create Google Workspace Marketplace Compatible Client"

Create Google Workspace Marketplace Compatible Client Button in Google Cloud Console

Copy the Client ID

Click "View Google Workspace Admin Console"

View Google Workspace Admin Console Button in Google Cloud Console

Navigate to Domain Wide Delegation

Domain Wide Delegation Page

Add New

Paste the Client ID you copied earlier into the "Client ID" field.

Add the following into "Oauth scope comma delimited":

https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group

Click Authorize

Navigate back to the Service Accounts Page

Service Accounts Page

Make sure the correct project is selected in the top left.

Click on your new Service Account.

Choose "Keys" then "ADD KEY" -> "Create new key"

Choose "JSON" and then "CREATE"

Save JSON Key Button in Google Cloud Console

This JSON file will be downloaded to your computer and will be required in the OttoFMS setup next.

OttoFMS Setup

To upload the Google OAuth settings to OttoFMS, you'll need to go to the OttoFMS config settings and upload the JSON file you downloaded earlier.

Navigate to OttoFMS Config Settings

Upload Google OAuth JSON File and Admin Email

This will save the google OAuth settings (with the Private Key encrypted) to the OttoFMS database.

FileMaker Admin Console Setup

To use the Google Groups OAuth in FileMaker, we need to set up a custom IdP in the FileMaker Admin Console.

Navigate to the External Authentication Settings

FileMaker Admin Console > Administration > External Authentication Settings

Fill in the Custom IdP Configuration

FileMaker Admin Console Custom IdP Configuration

Enable Database Sign in and External Server Accounts for your Custom IdP

FileMaker Admin Console Enable Database Sign in and External Server Accounts

Verify the provider

FileMaker Admin Console Verify Provider

FileMaker File Setup

Finally, to get users into your files, you'll need to set up accounts for the groups you want to provide access to in the FileMaker files.

FileMaker File Setup

Settings

Previous Page

Offsite Backup Providers Configuration

Next Page

On this page

How is this different than FileMaker's built in Google OAuth?Setup Google Cloud Console Service Account Setup Follow the FileMaker Server OAuth instructions Go to the Google Developer Console Choose the project that you used to set up your FileMaker Server Oauth Client Navigate to Service Accounts Click Create Service Account Fill in the form, then click 'CREATE AND CONTINUE'Click Done!Click on the Service Account you just created in the list of Service Accounts Click on Advanced Settings Click "Create Google Workspace Marketplace Compatible Client"Copy the Client ID Click "View Google Workspace Admin Console"Navigate to Domain Wide Delegation Add New Click Authorize Navigate back to the Service Accounts Page Choose "Keys" then "ADD KEY" -> "Create new key"Choose "JSON" and then "CREATE"OttoFMS Setup FileMaker Admin Console Setup Navigate to the External Authentication Settings Fill in the Custom IdP Configuration Enable Database Sign in and External Server Accounts for your Custom IdP Verify the provider FileMaker File Setup