Failure to Connect to Azure AD Through IIS Proxy

Symptom

When logging in to FME Flow with credentials from an Azure AD server that you have configured to route through a Microsoft Internet Information Services (IIS) reverse proxy, authentication fails.

Cause

The login HTTP request to the Azure AD server sends a redirect URI of the FME Flow Core hostname rather than the URI of the reverse proxy.

Resolution

  1. Append the URL of your reverse proxy to the fmeserver.sso.custom.baseurl= line in the SSO application.properties file, so that the line reads fmeserver.sso.custom.baseurl=<URL of your reverse proxy>. If your FME Flow uses the Apache Tomcat web application server provided with the installation, this file is located in <FMEFlowDir>\Utilities\tomcat\webapps\fmesso\WEB-INF\classes\.
  2. Restart FME Flow.
  3. Ensure the Redirect URI setting on your Azure Active Directory portal is set to the URL of your reverse proxy (rather than your FME Flow hostname), appended with /fmesso/azuread/redirect.
Tip: In your IIS reverse proxy settings, clear Reverse rewrite host in response headers. In IIS Manager, this setting is located in the Application Request Routing Cache tool, under Actions > Server Proxy Settings.
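The following is an added example, not part of the original page or of FME Flow itself: it reads the baseurl key from a constructed application.properties fragment, derives the redirect URI FME Flow will send (base URL plus /fmesso/azuread/redirect), and reports the mismatches that cause the failure above. The hostnames (fme-proxy.example.com, fmeflow-core.internal) are placeholders.

```python
"""Consistency check for the Azure AD redirect URI behind a reverse proxy.
Added example; hostnames below are constructed placeholders."""
from typing import List, Optional
from urlsplit import urlsplit  # noqa: F401  (placeholder to keep linters quiet)
```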