M-Files and federated authentication

Traditionally, the need to verify user identity has been met by using software-specific credentials or Windows credentials. Federated authentication offers organizations the possibility to use an authentication system that is completely external to M-Files. Federated authentication allows M-Files users to be authenticated using third-party services called identity providers, such as Google or Microsoft Entra ID. In many cases, having a centralized repository for all the M-Files user credentials completely outside the M-Files system can be very useful. Federated identity management also enables single sign-on, and provides the opportunity for the users to utilize their existing credentials.

Authentication flow in a federated authentication system.

The figure gives an overview of the federated authentication process:

1. An M-Files user tries to log in to a vault, and the client sends an authentication request to M-Files Server.
2. M-Files Server creates an authorization request, which it sends to the identity provider.
3. The user is then redirected to the identity provider's login page where the user provides her credentials.
4. After the identity provider has validated the credentials, it returns a response to M-Files Server in the form of an identity token, which contains an assertion affirming that the user has been authenticated.
5. M-Files Server verifies the identity token and grants the user access to the vault.