How to Create an ArcGIS Enterprise Portal Web Connection (OAuth 2.0)

As of FME 2024.0, support for Esri ArcGIS Online (AGOL), ArcGIS Enterprise Portal, and ArcGIS Server Feature Service formats has transitioned to a unified approach using the new Esri ArcGIS Feature Service (Format). This format replaces the legacy reader/writer formats for each of the three services.

Starting in FME 2026.1, the legacy formats will be hidden in the Quick Add menu. Instead, equivalent functionality is now provided by the downloadable Esri ArcGIS Connector package, available on FME Hub. The package also includes new web services and key transformers such as the ArcGISOnlineConnector, ArcGISAttachmentConnector, and ArcGISBranchVersionManager. The package can be installed directly through the Quick Add menu in FME Workbench. Once installed, the new Esri Feature Service format will appear in the Gallery as a unified method for interacting with all three types of Esri ArcGIS Feature Services.

For details on this transition, including guidance on updating existing workspaces, please refer to the article: Working with Esri ArcGIS Feature Services in FME.

Introduction

ArcGIS Enterprise Portal supports various authentication methods (see here)

• Web tier Authentications -- Includes Basic, Digest, NTLM (Integrated Windows Authentication), and Kerberos (IWA and LDAP)
• SAML Authentication -- Enterprise Portal supports SAML 2.0 ( Single Sign-on SSO)

SAML Authentication users must create a Web Service (from the template) and then create a Web Connection based on the Web Service. This method also works with Portal authentication (but NOT with Web Authentication).

This method only applies to ArcGIS Enterprise with SAML Authentication or a Built-in identity store.
If you are trying to create an ArcGIS Online Web Connection, please use this article instead: How to Create an ArcGIS Online Web Connection (OAuth 2.0)

Step-by-Step Instructions

Part 1: FME Form

1. Create an Application on Enterprise Portal

Let's start creating an application for FME Web Connection. Open your portal in any web browser and sign in as an Administrator.

Go to your Content view and click on New item.



Choose ‘Application' and select Other application, then select Next.

Finally, fill in a Title and Tags if needed. Click Save to create the application.



This will open the application that was just created. If you need to access it in the future, you can also find it on your contents page.

In the application, go to Settings (top right corner).

On the Settings page, scroll down to Redirect URLs and enter http://localhost

If you have enabled FME Flow Connection Storage in FME Form, then enter http://<yourFMEFlowURL>/fmeoauth instead.

For the Application URL, enter your portal URL. This field is not used by FME, but may be required, depending on your version of Enterprise Portal. Click Save.

Keep this page open, as you will need to copy and paste the credentials into FME.

2. Create a Web Service in FME Form (from Template)

For instructions on how to use the Esri ArcGIS Connection Package for FME 2024.0+ please see the article Working with Esri ArcGIS Feature Services in FME and download the new package from FME Hub

In FME Workbench, open the drop-down Tools/Utilities menu and select FME Options. Navigate to Web Connections, then click Manage Services.

Click on the "+" drop-down menu in the bottom left corner (1) and then Create From (2) > Esri ArcGIS Enterprise OAuth (Template) (safe.esri-agol) (3). 

Add the web service information from the ArcGIS Enterprise Portal Application Settings page:

1. Web Service Name: Give the Web Service a name. It’s good practice to include the service, “Enterprise Portal”, in the name as well as the app name in ArcGIS Enterprise.
2. Client ID: <copy from ArcGIS Enterprise Portal Settings page>
3. Client Secret: <copy from ArcGIS Enterprise Portal Application Settings page>
4. Redirect Strategy: This setting is only available for FME 2025.2 and later. Choose Loopback Interface Redirect. To learn more about redirect strategies, please read external browser authentication. For versions of FME before 2025.2, the internal FME browser is used.
5. Redirect URI: The Redirect URI must match the one entered in the ArcGIS Online application (created in the first step). Enter http://localhost, or, if you are using FME Flow Connection Storage, enter http://<yourFMEFlowURL>/fmeoauth.
6. Authorization and Token URLs:  replace [PORTAL_HOST] with your Portal hostname. For example, under Authorization Parameters URL, the URL is currently:

https://[PORTAL_HOST]/sharing/rest/oauth2/authorize?response_type=code

If my Portal hostname is https://portal.safeville.com/portal, I would change it to:

https://portal.safeville.com/portal/sharing/rest/oauth2/authorize?response_type=code

The URLs to be replaced are:

• Authorization Parameters
• Retrieve Token Parameters
• Refresh Token Parameters

Click Apply to save your settings. Click Close.

3. Create a Web Connection

After closing the Manage Web Services page, you should be back at the Web Connection page. You can also reopen it from Tools/Utilities > FME Options > Web Connection.

Click on the + sign to add a new connection.

Select the Web Service created in Step 2 and give your web connection a name. Click OK.

You will be redirected to your browser to enter your ArcGIS Enterprise Portal Credentials and authorize the web connection. Enter your credentials and click Sign In. 

After successfully signing in, return to FME and confirm the authorization was successful. Click OK. 

Your ArcGIS Enterprise Portal Web Connection is ready to use!

If you received an error and you aren't sure how to resolve it, please see ArcGIS Online Web Connection Troubleshooting, as the troubleshooting is similar for ArcGIS Enterprise Portal.

4. Test the Connection

Add an Esri ArcGIS Feature Service Reader to the canvas and set the following fields:

• Format: Esri ArcGIS Feature Service
• Parameters:
  • Source Type: Enterprise
  • Site URL: https://<YourPortalURL>/portal
  • Authentication Type: Web Connection
  • Web Connection: <your portal connection>
  • Item Source: User or Group
  • Folder or Group: User Folder or Group selection available to you based on the Item Source
  • Feature Service: <any feature service available to you>
    • Click the ellipsis to select from your available feature service

If you are using the legacy Esri ArcGIS Portal Feature Service instead of Esri ArcGIS Feature Service, refer to the prior steps to create a new web service and connection, substituting the Esri ArcGIS Portal (Template) web service for the Esri ArcGIS Enterprise OAuth (Template) (safe.esri-agol) web service. Follow the configuration below to test.

Add an Esri ArcGIS Portal Feature Service Reader to the canvas and set the following fields:

• Format: Esri ArcGIS Portal Feature Service
• Dataset: https://<YourPortalURL>/portal
• Parameters:
  • Authentication Type: Web Service
  • ArcGIS Portal Connection: <your portal connection>
  • Feature Service: <any feature service available to you>
    • Click the ellipsis to select from your available feature service

Click OK twice to create the reader.

Click Run to test that the reader works! Keep the workspace open; we will use it in Part 2.

Part 2: FME Flow

We will go through a few extra steps to get this working in FME Flow.

If you created the connection in Part 1 and have FME Flow Connection Storage enabled in FME Form, then the connection will already be available on FME Flow, and you can skip this part. 
 
1. Add a Redirect URL to the Portal Application

From the Content page in your ArcGIS Enterprise Portal, find the application created in Part 1. On the Settings page, scroll down to the Application panel.

Scroll down to Redirect URLs and click Add. Add the Redirect URL for your FME Flow server in the format <my_fme_flow_url>/fmeoauth. For example:

Scroll to the bottom of the page and click Save to apply the changes.

2. Upload the Web Service to FME Flow

Back in FME Workbench, navigate to Tools/Utilities > FME Options… > Web Connections > Manage Services… and then select the Web Service you created in Part 1. 

Scroll to the bottom of the parameters and click Upload.



Enter the Client ID and Client Secret from the ArcGIS Enterprise Portal Application. Next, add your FME Flow URL in the Redirect URI field in the format http://<my_fme_flow_url>/fmeoauth

Click OK. This will upload the web service to FME Flow.



3. Publish the Workspace to FME Flow

Click File, and select Publish to FME Flow. Select your FME Flow web connection and click Next.

Create a new repository called Portal. Under Workspace Name, enter PortalTest.fmw and click Next.

In the next window, upload the connection to FME Flow by selecting it and clicking Next.

Click Publish.

4. Authorize the Web Connection

In FME Flow, go to Connections & Parameters, Web Connections, and then click your web connection name.

Click Authorize and enter your ArcGIS Enterprise Portal credentials when prompted. After successfully authorizing the connection, there should be a green check mark.

You may need to return to this page and reauthorize the connection periodically, especially if no jobs using it have been run within two weeks, which is the default refresh token expiry for Enterprise Portal. However, your organization may change this value, requiring more or less frequent authorization. As long as a job has run before the refresh token expires, then FME will be able to obtain a new one and reauthorization shouldn't be necessary.

5. Run the Workspace on FME Flow
Go to your FME Flow and select Run Workspace. Find the workspace that was just uploaded. Then, select Run to run the workspace. The workspace should run successfully.