Configuring Azure Active Directory with FME Flow
In order for FME Flow to communicate with Azure AD, you must create and register FME Flow as an enterprise application in Azure AD.
Note
- In most cases, Azure AD requires the redirect URI for FME Flow to begin with https. To configure FME Flow to use HTTPS, see Configuring for HTTPS.
- For more information about application management in Azure AD, see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management.
- From the Azure Active Directory portal, select Manage > App registrations > + New Registration, and complete the following fields:
- Name: Provide a name for the registration, such as FMEFlow.
- Supported Account Types: Specify whether to allow FME Flow to interact with a single Azure AD tenant or multiple Azure AD tenants.
- Redirect URI:
- type: Web
- URI: <FMEFlowWebURL>/fmesso/azuread/redirect, where <FMEFlowWebURL> is the fully-qualified hostname for your FME Flow, including both the hostname and domain. For example: https://fmeflow.domain.com/fmesso/azuread/redirect
Note In most cases, Azure AD requires URI to begin with https. To configure FME Flow to use HTTPS, see Configuring for HTTPS. - Click Register.
- An overview page of the application registration opens. Navigate to Overview > Essentials, and record the Application (client) ID and Directory (tenant) ID.
- Navigate to Certificates & secrets, and select + New client secret.
- Record the client secret.
- (Optional) Navigate to Authentication > Web > Add URI, and add any other necessary URI redirects, according to the format specified above for Redirect URI.
- Navigate to API permissions, and select + Add a permission. Add the following permissions:
- Microsoft Graph > Application permissions > Group.Read.All, User.Read.All
- Microsoft Graph > Delegated permissions > User.Read
- Grant admin consent for Name.
- If FME Flow uses Microsoft Internet Information Services (IIS) as a reverse proxy, perform the additional configurations:
- Append the URL of your reverse proxy to the fmeserver.sso.custom.baseurl= line in the SSO application.properties file. If your FME Flow uses an Apache Tomcat web application server provided with the installation, this file is located in <FMEFlowDir>\Utilities\tomcat\webapps\fmesso\WEB-INF\classes\.
- Restart FME Flow.
- Ensure the Redirect URI setting on your Azure Active Directory portal is set to the URL of your reverse proxy (rather than your FME Flow hostname), appended with /fmesso/azuread/redirect.
Tip In your IIS reverse proxy settings, clear Reverse rewrite host in response headers. In IIS Manager, this setting is located in the Application Request Routing Cache tool, under Actions > Server Proxy Settings.
Warning The client secret cannot be viewed after this step.
Note Admin consent is required to proceed, and can be granted only by an Azure AD admin.
What's Next?
Proceed to Creating an Authentication Service Connection.