Authentication options

FMR provides five alternative authentication methods, covering both web UI users and machine-to-machine access:

  • Internal superuser account: FMR's built-in authentication service provides a single 'root' superuser account that is created during installation.
  • OpenID Connect (OIDC): use where identity is managed by an OAuth 2.0 identity provider (IdP).
  • Directory services: use where identity is managed by Microsoft Active Directory (AD) or a generic LDAP directory service.
  • Custom security services: custom authentication services such as CAS or SPNEGO supported by Tomcat authentication valves.
  • X509 client certificates: allows interactive users or machines to authenticate by presenting a client certificate.

Internal superuser account

FMR includes an internal authentication service that provides a single 'root' superuser account configured during installation.

This account is typically used for initial setup and recovery. It can be disabled if administrator access is managed through another authentication service.

OpenID Connect (OIDC)

FMR supports OpenID Connect (OIDC) identity providers (IdPs), including:

  • Microsoft Entra ID (formerly Azure Active Directory)
  • Keycloak
  • Auth0

Other OIDC providers can also be used, provided they can emit groups claims. These claims are important because FMR uses them for role-based authorisation (RBAC).
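A quick way to confirm that an IdP really emits a usable groups claim before relying on it for RBAC, as an added example (not FMR code). It assumes the claim is named `groups` and holds a JSON array of strings; the function names and sample tokens are constructed for illustration. It also recognises the Microsoft Entra ID group overage markers (`_claim_names`, `hasgroups`), where the token carries no inline groups at all.

```python
import base64
import json


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_groups_claim(token, claim="groups"):
    """Classify the groups claim of a JWT for troubleshooting.

    Returns (status, groups); status is ok, empty, overage, missing or malformed.
    The signature is NOT verified: use for inspection only, never to authorise.
    The claim name "groups" is an assumption; pass the name your IdP is set to emit.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed", []
    try:
        payload = b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "malformed", []
    if not isinstance(payload, dict):
        return "malformed", []
    value = payload.get(claim)
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return ("ok", value) if value else ("empty", [])
    # Entra ID overage: inline groups are replaced by a pointer to a lookup source.
    names = payload.get("_claim_names")
    if (isinstance(names, dict) and claim in names) or payload.get("hasgroups"):
        return "overage", []
    return ("missing", []) if value is None else ("malformed", [])


def make_token(payload):
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-sig"


if __name__ == "__main__":
    sample = make_token({"sub": "user-1", "groups": ["fmr-admins"]})  # constructed
    print(check_groups_claim(sample))
```

A status of `missing`, `empty` or `overage` means the token carries no inline group names for role mapping, so the IdP's claim configuration needs attention before users sign in.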

OIDC supports two main use cases:

For REST API authentication examples, see REST API authentication.

Directory services

FMR can be configured to use a directory service for authentication, either:

  • Microsoft Active Directory; or
  • LDAP services such as OpenLDAP

This option is appropriate when user identities are already managed in an enterprise directory and you want FMR to authenticate against that directory.

Custom security

FMR may be configured for other authentication services such as CAS or SPNEGO using Apache Tomcat authentication valves.

An authentication valve is a component inserted into the Tomcat request processing pipeline to handle security credentials before a request reaches the FMR web application. While standard authentication (like BASIC or FORM) is typically managed in Tomcat via a Realm in web.xml, valves provide a lower-level, container-specific way to intercept and process authentication.

X509 client certificates

X509 certificate authentication allows interactive users and machines to authenticate automatically without entering credentials or supplying access tokens.

FMR's certificate manager lets administrators associate each certificate with specific roles and access rights.