Active Directory
Perfion does not provide support on provisioning or configuring Active Directory.
In this guide you will find information about:
How to set up Active Directory (AD) integration in Perfion
How to set up simple Active Directory (AD) integration in Perfion
How synchronization works with AD and how users are enabled in Perfion
How to log in with AD
AD FS setup
Microsoft Entra ID (Azure AD) setup
Prerequisite
Windows AD
Minimum AD FS 4.0
Read more in our documentation about Active Directory settings.
Microsoft Entra ID (Azure AD)
App with access to create groups and read all groups and users. (When using simple integration, there is no need for access to create groups.)
Read more in our documentation about Active Directory settings.
Setting up Active Directory
The administrator chooses which type of Active Directory they want Perfion to authorize against. It is possible to choose either Windows AD or Azure AD (Microsoft 365 users).
When the administrator has chosen which AD to use, they set up the AD and afterwards enable AD in Perfion.
To activate AD in Perfion, go to Settings and select the Login options tab.
By default, Active Directory is disabled.
Windows AD
Select the Windows AD bullet.
Field | Description |
Domain | |
Federation URL | URL to the federation service |
Client ID | Client ID defined in AD FS |
Admin User | User with access to create new groups in AD |
Admin Password | Password for user |
Group prefix | Prefix for the groups that Perfion creates in the AD |
Simple integration | Check for simple integration where Perfion only creates one group in the AD. |
Microsoft Entra ID (Azure AD)
Select the Azure AD bullet.
Field | Description |
Client ID | Get it from your app registration in the Azure Portal. It is shown in Overview as Application (client) ID |
Client Secret | You need to create a new client secret in your app |
Tenant ID | Get it from your app registration in the Azure Portal. It is shown in Overview as Directory (tenant) ID |
Group prefix | Prefix for the groups that Perfion creates in the AD |
Simple integration | Check for simple integration where Perfion only creates one group in the AD. |
Advanced AD integration
Groups and languages
Languages
Perfion will automatically create your Current Active Languages in AD.
For instance, DA will be created as two groups in your AD called perfion_language_dan_reader and perfion_language_dan_editor. Here perfion is the prefix identifying a group from Perfion, language shows that it is a Perfion Language, dan is the language code, and reader/editor indicates whether the user has reader or editor access to the language.
The perfion_language_nonLocalizable group is used if a user should have access to edit non-localizable,
NOTE: Before a user can log in to Perfion, the user needs to be a member of at least one language group.
Groups
Perfion will automatically create your Perfion Groups in AD.
For instance, the Marketing group would be created in your AD as perfion_group_marketing. Here perfion is the prefix identifying a group from Perfion, group shows that it is a Perfion Group, and marketing is the group id.
Roles
If a user is synchronized from AD, it is NOT possible to assign roles to the user directly. This needs to be done by adding the user to groups with the needed roles in AD.
User membership
When a user logs in to Perfion for the first time, Perfion creates a “virtual” user that is synchronized with the AD each time the user logs in.
If a user is a member of groups A and B at the first login and an administrator then removes the membership of group A, the user will only be a member of group B in Perfion at the next login.
If a user is deleted from the AD or doesn’t have any language groups, the user will be disabled the next time a user accesses Users and Groups. It is also possible to set up a scheduled job for synchronizing inactive users in Perfion.
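The group naming convention and the login-time synchronization described above can be audited from an export of a user's AD group names. The following is an added example, not Perfion's code: the name patterns are inferred from the page's examples, the function names and sample memberships are constructed, and it covers the advanced integration only.

```python
import re
from dataclasses import dataclass, field

# Name shapes inferred from the page's examples (assumption, not Perfion's code):
#   <prefix>_language_<code>_<reader|editor>, <prefix>_language_nonLocalizable,
#   <prefix>_group_<group id>
LANG_RE = re.compile(r"language_(?P<code>.+)_(?P<level>reader|editor)$")

@dataclass
class PerfionAccess:
    languages: dict = field(default_factory=dict)     # code -> {"reader", "editor"}
    groups: set = field(default_factory=set)          # Perfion group ids
    non_localizable: bool = False
    unrecognized: list = field(default_factory=list)  # prefixed but off-pattern

    @property
    def can_log_in(self) -> bool:
        # Page: at least one language group is required. Assumption: the
        # nonLocalizable group does not count as one.
        return bool(self.languages)

def classify(ad_groups, prefix="perfion"):
    """Map a user's AD group names to the Perfion access they imply."""
    access = PerfionAccess()
    stem = prefix.lower() + "_"
    for name in ad_groups:
        lowered = name.lower()  # assumption: names are compared case-insensitively
        if not lowered.startswith(stem):
            continue  # not a Perfion-managed group
        rest = lowered[len(stem):]
        match = LANG_RE.match(rest)
        if match:
            access.languages.setdefault(match["code"], set()).add(match["level"])
        elif rest == "language_nonlocalizable":
            access.non_localizable = True
        elif rest.startswith("group_") and len(rest) > len("group_"):
            access.groups.add(rest[len("group_"):])
        else:
            access.unrecognized.append(name)  # worth reviewing by hand
    return access

def groups_lost(previous_login, current_login, prefix="perfion"):
    """Perfion groups a user drops when membership is re-read at the next login."""
    return classify(previous_login, prefix).groups - classify(current_login, prefix).groups

# Constructed sample memberships for one user at two consecutive logins.
FIRST_LOGIN = ["Domain Users", "perfion_language_dan_reader", "perfion_language_dan_editor",
               "perfion_group_marketing", "perfion_group_sales", "perfion_admins"]
SECOND_LOGIN = [g for g in FIRST_LOGIN if g != "perfion_group_marketing"]
```

Entries in `unrecognized` carry the Perfion prefix but match none of the documented patterns, which makes them the first thing to check when reviewing who manages groups under that prefix.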
Migrate existing Perfion user to become AD user
It is possible to migrate Perfion users to become AD users. The only thing a Perfion user needs before migrating is an email. It is possible to migrate a single user from Users & Groups, or to migrate all users with an email from the place in settings where you set up AD integration.
Simple AD integration
When simple integration is enabled, Perfion will only create one group in the AD, named the selected prefix + ad (default: perfion_ad).
All groups, languages and memberships are then controlled in Perfion, like a normal user without AD.
The benefit of using this integration is that the domain administrator does not have to know anything about Perfion and only needs to add the users to one group.
Login
Windows Client
The user may be shown the login the first time they access Perfion. After the first time, the user will automatically be logged in to Perfion.
If the user is not created in AD, a warning message about it will be shown.
If AD is not enabled by an administrator, the user won’t see the “Login with AD” button.
Web Client
The user may be shown the login the first time they access Perfion. After the first time, the user will automatically be logged in to Perfion.