Create an FME Flow Azure Entra ID (Active Directory) Web Connection in FME Form

Richard Mosley

Introduction

FME Flow (formerly FME Server) supports Azure Entra ID (formerly Active Directory) user accounts as of FME 2021.2. To create an FME Flow web connection in FME Form that uses Azure Entra ID, the FME Flow Administrator must first create a web service to share among FME Form users. FME Flow web connections can be used to publish workspaces and transformers in FME Flow. The Microsoft Azure Active Directory web service template is generic and must be updated before an Azure Entra ID connection can be used in an FME Flow Web Connection from FME Form.

Before following these steps, make sure to Configure FME Flow for Azure Active Directory.


Step-by-Step Instructions

Part 1: Create a Registered App

  1. From the Azure Entra ID portal, select Manage > App registrations > + New Registration, and complete the following fields:
    • Name: Provide a name for the registration, such as FME Form
    • Supported Account Types: Specify whether to allow FME Flow to interact with a single Entra ID tenant or multiple Entra ID tenants. We recommend setting up a single-tenant App Registration so only users from your tenant can sign in.
    • Redirect URI:
      1. Type: Public native/client (mobile & desktop)
      2. URI: https://localhost (FME Form needs to keep the redirect local)
  2. Click Register.
  3. An overview page of the application registration opens. Navigate to Overview > Essentials, and record the Application (client) ID and Directory (tenant) ID.
  4. Navigate to API permissions, and confirm there is a Microsoft Graph User.Read Delegated permission for the app. 
    • Grant admin consent to User.Read for the Entra ID tenant name.

 

Part 2: Create a Web Service

  1. In FME Workbench, go to FME Options → Web Connections → Manage Services (On Mac: Preferences → Web Connections → Manage Services)
  2. Click on the '+' button, then Create From → Microsoft Azure Active Directory (Template)
  3. Give the web service a name and configure it: 
    • Client ID: the client ID from your app registration 
    • Client Secret: leave empty and check the optional box on the right.
    • Redirect Uri: https://localhost 
    • Authorization Parameters URL:
      • If you configured a single-tenant app in Azure, replace [TENANT_ID] with your tenant ID and update the scope to match the permissions you configured in Part 1. If you registered a multi-tenant app in Azure, use 'common' instead of the tenant ID.
      • Replace [OAUTH_SCOPE] with https://graph.microsoft.com/User.Read
      • Optional: additional scopes can be added if required by your organization, but are generally not needed. Separate each with a space. See Microsoft's documentation on scopes and permissions.

        Example: 
        https://login.microsoftonline.com/<Tenant_id>/oauth2/v2.0/authorize?response_type=code&scope=offline_access https://graph.microsoft.com/User.Read
        
    • Retrieve Token Parameters URL: replace [TENANT_ID] with your tenant ID and remove the scope query string parameter
      Example: 
      https://login.microsoftonline.com/<Tenant_id>/oauth2/v2.0/token
    • Refresh Token Parameters URL: use the same URL as the Retrieve Token Parameters URL
  4. Click Apply. Test the web service using a non-admin user's Azure Entra ID credentials. When the test is successful, you can proceed to part three.
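A pre-export check of the Part 2 settings, added here as an example (it is not part of the original article or of FME's tooling). It flags template placeholders left in place, a tenant segment that does not match the app registration, a scope parameter left on the token URLs, and a redirect URI other than https://localhost. The function name and the sample tenant GUID are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

LOGIN_HOST = "login.microsoftonline.com"
GRAPH_SCOPE = "https://graph.microsoft.com/User.Read"

def check_web_service(tenant, authorize_url, token_url, refresh_url, redirect_uri):
    """Return a list of problems in the Part 2 settings (empty list = OK).

    tenant is the Directory (tenant) ID for a single-tenant app,
    or "common" for a multi-tenant app.
    """
    problems = []
    urls = {"authorize": authorize_url, "token": token_url, "refresh": refresh_url}
    for label, url in urls.items():
        if "[TENANT_ID]" in url or "[OAUTH_SCOPE]" in url:
            problems.append(f"{label}: template placeholder not replaced")
            continue
        parts = urlsplit(url)
        endpoint = "authorize" if label == "authorize" else "token"
        if parts.scheme != "https" or parts.hostname != LOGIN_HOST:
            problems.append(f"{label}: expected https://{LOGIN_HOST}")
        if parts.path != f"/{tenant}/oauth2/v2.0/{endpoint}":
            problems.append(f"{label}: expected path /{tenant}/oauth2/v2.0/{endpoint}")
        query = parse_qs(parts.query)
        if label == "authorize":
            if query.get("response_type") != ["code"]:
                problems.append("authorize: response_type must be code")
            # Scopes are space separated inside one scope parameter.
            scopes = " ".join(query.get("scope", [])).split()
            if GRAPH_SCOPE not in scopes:
                problems.append(f"authorize: scope lacks {GRAPH_SCOPE}")
        elif "scope" in query:
            problems.append(f"{label}: remove the scope query parameter")
    if refresh_url != token_url:
        problems.append("refresh: must match the Retrieve Token URL")
    if redirect_uri != "https://localhost":
        problems.append("redirect: must be https://localhost")
    return problems

# Constructed sample values; the tenant GUID is a placeholder.
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = f"https://{LOGIN_HOST}/{TENANT}/oauth2/v2.0"
GOOD = dict(
    tenant=TENANT,
    authorize_url=f"{BASE}/authorize?response_type=code"
                  f"&scope=offline_access {GRAPH_SCOPE}",
    token_url=f"{BASE}/token", refresh_url=f"{BASE}/token",
    redirect_uri="https://localhost",
)

if __name__ == "__main__":
    for problem in check_web_service(**GOOD) or ["no problems found"]:
        print(problem)
```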

 

Part 3: Create a Web Connection

  1. In FME Workbench, go to FME Options → Web Connections (On Mac: Preferences → Web Connections)
  2. Click on the '+' button and create the connection:
    1. Set the Web Service to FME Flow and give the connection a name
    2. Specify your FME Flow URL in the form https://<HOSTNAME>:<PORT>
    3. Set the Authentication method to Azure Active Directory
    4. Under the Azure Active Directory Connection, choose to Add Web Connection.  (Create a new Azure Web Connection from the Web Services to use in the FME Flow Web Connection)
    5. Use the web service created in Part 2 and give the connection a name
    6. Authenticate → Select your Azure Entra ID/Active Directory account (Make sure the account has been imported into FME Flow first)
    7. Authenticate the FME Flow Azure Active Directory Web Connection
  3. Test the connection by publishing a workspace to FME Flow, or use it in one of the FME Flow Transformers

 

Part 4: Share the Web Service

For other FME Form users to be able to create an Azure Active Directory Web Connection to FME Flow, the Administrator must share the Web Service by exporting it, and users can then import it to their application.

 

Export the Web Service

  1. In FME Workbench, go to FME Options → Web Connections → Manage Web Services (On Mac: Preferences → Web Connections → Manage Services)
  2. Select the service created in Part 2, scroll to the bottom, and click 'Export...'. Choose a location to save the file. Enabling password protection is recommended; it encrypts the exported file.

Import the Web Service

  1. In FME Workbench, go to FME Options → Web Connections → Manage Web Services
  2. Click on the '+' sign → Import From File
  3. Select the file provided by your administrator and specify the password
  4. You can now follow Part 3 to create a web connection.
