Introduction
FME Flow (formerly FME Server) supports Azure Active Directory user accounts as of FME 2021.2. To create an FME Flow Web Connection in FME Form that authenticates with an Azure AD account, the FME Flow Administrator must first create a Web Service and share it with FME Form users. FME Flow Web Connections can be used to publish workspaces and to authenticate the FME Flow transformers. The Azure Active Directory Web Service Template is generic and must be changed in the following ways before an Azure AD connection can be used in an FME Flow Web Connection from FME Form.
Before following these steps, make sure to Configure FME Flow for Azure Active Directory.
Step-by-Step Instructions
Part 1: Create a Registered App
- From the Azure Active Directory portal, select Manage > App registrations > + New Registration, and complete the following fields:
- Name: Provide a name for the registration, such as FME Form
- Supported Account Types: Specify whether to allow FME Flow to interact with a single Azure AD tenant or multiple Azure AD tenants. We recommend setting up a single-tenant App Registration so that only users from your AAD tenant can sign in.
- Redirect URI:
- Type: Public native/client (mobile & desktop)
- URI: https://localhost (FME Form needs to keep the redirect local)
- Click Register.
- An overview page of the application registration opens. Navigate to Overview > Essentials, and record the Application (client) ID and Directory (tenant) ID.
- Navigate to API permissions, and confirm there is a Microsoft Graph User.Read Delegated permission for the app.
- Grant admin consent for the Active Directory name.
Part 2: Create a Web Service
- In FME Workbench, go to FME Options → Web Connections → Manage Services (On Mac: Preferences → Web Connections → Manage Services)
- Click on the '+' button, then Create From → Microsoft Azure Active Directory (Template)
- Give the web service a name, and update the template details:
- Under Client Information, specify the Client ID
- Leave the Client Secret empty and check the optional box on the right.
- Set the Redirect Uri to https://localhost
- If you configured a single-tenant app in Azure, under Authorization Parameters replace [TENANT_ID] with your tenant ID and update the scope to match the permissions granted in Part 1. If you registered a multi-tenant app in Azure, the tenant ID is replaced with the value ‘common’. See Microsoft’s documentation on endpoints for more information. Each scope permission should be separated by a space, and the list should include the offline_access scope so that a refresh token is issued.
Example: https://login.microsoftonline.com/<Tenant_id>/oauth2/v2.0/authorize?response_type=code&scope=offline_access https://graph.microsoft.com/User.Read
- Under Retrieve Token Parameters, replace [TENANT_ID] with your tenant ID and remove the scope query string parameter.
Example: https://login.microsoftonline.com/<Tenant_id>/oauth2/v2.0/token
- Under Refresh Token Parameters, use the same URL as the Retrieve Token Parameters
- Select Apply and test the Web Service using a non-admin user's Azure AD credentials. When the test is successful, you can proceed to Part 3.
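As an added example (not Safe Software's code), the following Python helper builds the three template URLs described in Part 2 and checks a Web Service definition against the requirements of Parts 1 and 2 (public client with no secret, https://localhost redirect, offline_access in the authorize scope, no scope on the token and refresh URLs). The dictionary keys and the sample tenant ID are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

AUTHORITY = "https://login.microsoftonline.com"
# Delegated permission granted to the app registration in Part 1
GRAPH_USER_READ = "https://graph.microsoft.com/User.Read"


def build_web_service_urls(tenant_id, scopes=(GRAPH_USER_READ,), multi_tenant=False):
    """Return the Authorization, Retrieve Token and Refresh Token URLs.

    Single-tenant apps use the Directory (tenant) ID in the path; multi-tenant
    apps use 'common'. The authorize URL carries response_type=code and a
    space-separated scope list that includes offline_access; the token and
    refresh URLs are identical and carry no scope parameter.
    """
    tenant = "common" if multi_tenant else tenant_id
    base = f"{AUTHORITY}/{tenant}/oauth2/v2.0"
    scope = " ".join(["offline_access", *scopes])
    # quote_via=quote encodes the separating space as %20 rather than '+'
    query = urlencode({"response_type": "code", "scope": scope}, quote_via=quote)
    token = f"{base}/token"
    return {"authorize": f"{base}/authorize?{query}", "token": token, "refresh": token}


def check_web_service(service):
    """Return a list of problems found in a Web Service definition (empty if OK).

    'service' is an assumed dict with keys client_secret, redirect_uri,
    authorize, token and refresh.
    """
    problems = []
    if service.get("client_secret"):
        problems.append("client_secret must be empty for a public client")
    if service.get("redirect_uri") != "https://localhost":
        problems.append("redirect_uri must be https://localhost")
    for key in ("authorize", "token", "refresh"):
        if "[TENANT_ID]" in service.get(key, ""):
            problems.append(f"{key}: replace the [TENANT_ID] placeholder")
    auth_qs = parse_qs(urlsplit(service.get("authorize", "")).query)
    if "offline_access" not in auth_qs.get("scope", [""])[0].split():
        problems.append("authorize: scope must include offline_access")
    if auth_qs.get("response_type") != ["code"]:
        problems.append("authorize: response_type must be code")
    for key in ("token", "refresh"):
        if "scope" in parse_qs(urlsplit(service.get(key, "")).query):
            problems.append(f"{key}: remove the scope query parameter")
    if service.get("token") != service.get("refresh"):
        problems.append("refresh URL must be the same as the token URL")
    return problems
```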
Part 3: Create a Web Connection
- In FME Workbench, go to FME Options → Web Connections (On Mac: Preferences → Web Connections)
- Click on the '+' button and create the connection:
- Set the Web Service to FME Flow and give the connection a name
- Specify your FME Flow URL in the form https://<HOSTNAME>:<PORT>
- Set the Authentication method to Azure AD
- Under Azure AD Connection, choose to Add Web Connection. (Create a new Azure Web Connection from the Web Services to use in the FME Flow Web Connection)
- Use the web service created in Part 2 and give the connection a name
- Authenticate → Select your Azure AD account (Make sure the account has been imported into FME Flow first)
- Authenticate the FME Flow Azure Web Connection
- Test the connection by publishing a workspace to FME Flow, or use it in one of the FME Flow Transformers
Part 4: Share the Web Service
For other FME Form users to be able to create an Azure AD Web Connection to FME Flow, the Administrator must share the Web Service by exporting it, and users can then import it to their application.
Export the Web Service
- In FME Workbench, go to FME Options → Web Connections → Manage Web Services (On Mac: Preferences → Web Connections → Manage Services)
- Select the service created in Part 2, scroll to the bottom and click 'Export...', then choose a location to save the file. It is recommended to enable password protection, which encrypts the exported file.
Import the Web Service
- In FME Workbench, go to FME Options → Web Connections → Manage Web Services
- Click on the '+' sign → Import From File
- Select the file provided by your administrator and specify the password
- You can now follow Part 3 to create a web connection.