Create an FME Server Azure Active Directory Web Connection in FME Desktop

Richard Mosley

FME Version

  • FME 2021.2

Introduction

FME Server 2021.2 and newer supports Azure Active Directory user accounts. To create an FME Server Web Connection in FME Desktop that uses an Azure AD account, the FME Server Administrator must first create a Web Service to share among FME Desktop users. FME Server Web Connections can be used to publish workspaces and in FME Server transformers. The Azure Active Directory Web Service Template is generic and must be changed in the following ways to allow an Azure AD connection to be used in an FME Server Web Connection from FME Desktop.

Before following these steps, make sure to Configure FME Server for Azure Active Directory.


Step-by-Step Instructions

Part 1: Create a Registered App

  1. From the Azure Active Directory portal, select Manage > App registrations > + New Registration, and complete the following fields:
    1. Name: Provide a name for the registration, such as FMEDesktop
    2. Supported Account Types: Specify whether to allow FME Server to interact with a single Azure AD tenant or multiple Azure AD tenants. We recommend setting up a single-tenant App Registration so that only users from your AAD tenant can sign in.
    3. Redirect URI:
      1. type: Public native/client (mobile & desktop)
      2. URI: https://localhost (FME Desktop needs to keep the redirect local)
  2. Click Register.
  3. An overview page of the application registration opens. Navigate to Overview > Essentials, and record the Application (client) ID and Directory (tenant) ID.
  4. Navigate to API permissions, and confirm there is a Microsoft Graph User.Read Delegated permission for the app. 
    1. Grant admin consent for the Active Directory name.


Part 2: Create a Web Service

  1. In FME Desktop go to FME Options → Web Connections → Manage Services
  2. Click on the + sign → Create From → Microsoft Azure Active Directory Template
  3. Give the web service a name, and update the template details: 
    1. Under Client Information specify the Client ID
    2. Leave the Client Secret empty and check the optional box on the right.
    3. Set the Redirect Uri to https://localhost 
    4. If you configured a single-tenant app in Azure, under Authorization Parameters replace [TENANT_ID] with your tenant ID and update the scope to match the permissions you granted in Part 1. If you registered a multi-tenant app in Azure, replace the tenant with the value 'common'. See Microsoft's documentation on endpoints for more information. Separate each scope permission with a space, and include the offline_access scope so that a refresh token is issued.

      Example: 
      https://login.microsoftonline.com/<Tenant_id>/oauth2/v2.0/authorize?response_type=code&scope=offline_access https://graph.microsoft.com/User.Read
      
    5. Under Retrieve Token Parameters replace [TENANT_ID] with your tenant ID and remove the scope query string parameter.
      Example: 
      https://login.microsoftonline.com/<Tenant_id>/oauth2/v2.0/token
    6. Under Refresh Token Parameters use the same URL as the Retrieve Token Parameters
  4. Select Apply and test the Web Service using a non-admin user's Azure AD credentials. When the test is successful you can proceed to Part 3.
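The rules in Part 2 are easy to get wrong by hand (placeholder left in, offline_access dropped, scope left on the token URL). The following is an added example, not Safe Software's code, that builds the two v2.0 endpoint URLs for a single- or multi-tenant app and checks an edited web service definition against those rules before you export it; TENANT_ID is a constructed placeholder, not a real tenant.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed placeholder values for the example (not a real tenant ID).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost"  # FME Desktop keeps the redirect local


def build_endpoints(tenant_id=None):
    """Return (authorize_url, token_url) for the Azure AD v2.0 endpoints.
    A single-tenant app passes its tenant ID; a multi-tenant app uses 'common'."""
    tenant = tenant_id if tenant_id else "common"
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
    # Scopes are space separated; offline_access is required for refresh tokens.
    scopes = "offline_access https://graph.microsoft.com/User.Read"
    return f"{base}/authorize?response_type=code&scope={scopes}", f"{base}/token"


def check_web_service(authorize_url, token_url, refresh_url, redirect_uri):
    """Return a list of problems; an empty list means the definition matches Part 2."""
    problems = []
    for name, url in (("authorize", authorize_url), ("token", token_url), ("refresh", refresh_url)):
        if "[TENANT_ID]" in url:
            problems.append(f"{name}: [TENANT_ID] placeholder was not replaced")
    auth = urlsplit(authorize_url)
    query = parse_qs(auth.query)
    if query.get("response_type") != ["code"]:
        problems.append("authorize: response_type must be 'code'")
    scopes = query.get("scope", [""])[0].split()
    if "offline_access" not in scopes:
        problems.append("authorize: scope is missing offline_access (no refresh token will be issued)")
    if not auth.path.endswith("/oauth2/v2.0/authorize"):
        problems.append("authorize: path is not the v2.0 authorize endpoint")
    tok = urlsplit(token_url)
    if "scope" in parse_qs(tok.query):
        problems.append("token: remove the scope query parameter")
    if not tok.path.endswith("/oauth2/v2.0/token"):
        problems.append("token: path is not the v2.0 token endpoint")
    if refresh_url != token_url:
        problems.append("refresh: must use the same URL as the token endpoint")
    if redirect_uri != REDIRECT_URI:
        problems.append("redirect: FME Desktop expects https://localhost")
    return problems


if __name__ == "__main__":
    authorize, token = build_endpoints(TENANT_ID)
    print(check_web_service(authorize, token, token, REDIRECT_URI))  # []
```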


Part 3: Create a Web Connection

  1. In FME Desktop go to FME Options → Web Connections
  2. Click on the + button and create the connection:
    1. Set the Web Service to FME Server and give the connection a name
    2. Specify your FME Server URL in the form https://<HOSTNAME>:<PORT> 
    3. Set the Authentication method to Azure AD
    4. Under Azure AD Connection choose Add Web Connection (this creates a new Azure Web Connection from the Web Service for use in the FME Server Web Connection)
    5. Use the web service created in Part 2 and give the connection a name
    6. Authenticate → select your Azure AD account (make sure the account has been imported into FME Server first)
    7. Authenticate the FME Server Azure Web Connection
  3. Test the connection by publishing a workspace to FME Server, or use it in one of the FME Server Transformers


Part 4: Share the Web Service

For other FME Desktop users to be able to create an Azure AD Web Connection to FME Server, the Administrator must share the Web Service by exporting it; users can then import it into their own FME Desktop installation.


Export the Web Service

  1. On FME Desktop go to FME Options → Web Connections → Manage Web Services
  2. Select the service created in Part 2, scroll to the bottom and click Export... Choose a location to save the file. It is recommended to enable password protection, which encrypts the exported file so the service definition is not stored in the clear.

Import the Web Service

  1. On Desktop go to FME Options → Web Connections → Manage Web Services
  2. Click on the + sign → Import From File
  3. Select the file provided by your administrator and specify the password
  4. You can now follow Part 3 to create a web connection.
