M-Files and federated authentication

Traditionally, the need to verify user identity has been met by using software-specific credentials or Windows credentials. Organizations that require centralized identity management to control user access to systems such as M-Files often use federated authentication instead. This means that an external identity provider, such as Microsoft Entra ID, Okta, or Google, stores and manages user credentials completely outside of M-Files.

Federated authentication offers several benefits:
  • Seamless user experience with single sign-on (SSO)
  • Improved security with multi-factor authentication (MFA)
  • Easier user onboarding and offboarding

Figure: Authentication flow in a federated authentication system.

The figure gives an overview of the federated authentication process:
  1. An M-Files user tries to log in to a vault, and the client sends an authentication request to M-Files Server.
  2. M-Files Server creates an authorization request, which it sends to the identity provider.
  3. The user is then redirected to the identity provider's login page where the user provides her credentials.
  4. After the identity provider has validated the credentials, it returns a response to M-Files Server in the form of an identity token, which contains an assertion affirming that the user has been authenticated.
  5. M-Files Server verifies the identity token and grants the user access to the vault.

You can use the configurations editor in M-Files Admin to enable federated authentication in your vault. For more information, see Using the configurations editor.

For more information about using federated authentication with M-Files, see Using Federated Authentication with M-Files.

User provisioning with Microsoft Entra ID

The most common external identity provider is Microsoft Entra ID. User accounts authenticated through Microsoft Entra ID are usually provisioned to the subscription in M-Files or imported to the vault in M-Files Admin. However, you can also create and manage these accounts manually in M-Files if Microsoft Entra ID synchronization is enabled for the vault. In all cases, user information is synchronized between M-Files Admin and M-Files. For more information on user provisioning, refer to Managing user groups with user provisioning.