Active Directory settings

Perfion does not provide support on how to set up Active Directory on Windows Server or in Azure.

Here is an example of how we have set it up, but your environment may need other settings.

Microsoft Entra ID (Azure AD)

Register application

To register an application in Microsoft Entra ID, go to https://portal.azure.com, open Entra ID, select App registrations and add a new registration.

Select a name for your application, preferably one that contains Perfion so it is clear where the application is used.

Select the supported account types, typically single tenant.

Add a redirect URI for SPA if you use the Perfion Web Client (this can also be added later).

Your application is now created, and some additional settings are needed to make it work with Perfion.

Generate client secret

Go to Certificates & secrets to create a client secret. When the secret has been created, remember to copy its value right away; it is only shown once.

Configure platforms

Go to Authentication to add a platform for the Windows Client: press Add a platform, select Mobile and desktop applications and select the redirect URI ‘https://login.microsoftonline.com/common/oauth2/nativeclient’.

Configure permissions

Go to API permissions to add the permissions Perfion requires. Press Add a permission and select Microsoft Graph.

Under Delegated permissions add the following:

  • Email

  • Group.Read.All

  • GroupMember.Read.All

  • Profile

  • User.Read

Under Application permissions add the following:

  • Group.Create

  • Group.Read.All

  • User.Read.All

Grant admin consent

After adding all permissions, you need an administrator to grant admin consent.

Windows AD

If you already have an AD FS server, skip the first steps and go to Add Application registration.

Install AD FS

Go to the server where you want to install AD FS. AD FS 4.0 or later is required.
Best practice is not to install AD FS on your domain controller.

Then open the Add Roles and Features Wizard, press Next, select Role-based or feature-based installation and press Next.

Now select the server you want to install AD FS on; you will probably only see the server you are on.

Then select Active Directory Federation Services.

Then finish the installation.

Configure AD FS

After installing AD FS you need to configure it: press the flag with the warning icon and select Configure the federation service on this server.

Select the user to connect to Domain Services.

Select the SSL certificate for AD FS, the federation service name and the display name (the display name is shown when users authenticate against AD).

Specify a domain user account or a group Managed Service Account.

Specify the database for the AD FS configuration.

Then finish the configuration.

Add Application registration

Go to AD FS Management to add the application registration.

Change Primary Authentication Methods to Forms Authentication.

Go to Application Groups and Add Application Group.

Name your AD FS application, preferably with a name that contains Perfion so it is clear where the application is used.

Select Native application accessing a web API.

The Client Identifier is created automatically, but you can choose your own (it is used in Perfion Settings).

Add http://localhost:80 to Redirect URI. If you use the Web Client, you also need to add the Web Client URI to Redirect URI.

Under the configuration of the Web API, add the Client Identifier from the previous step to Identifier.

Then finish the creation of the application.

If the client returns “Sequence contains no matching element”, you may need to change Permitted scopes to allatclaims.

Add an Issuance Transform Rule to send the claims Perfion needs.

Use the Send LDAP Attributes as Claims template.

Use the Active Directory attribute store and create the following mappings (LDAP Attribute → Outgoing Claim Type):

  • Display-Name → Name

  • E-Mail-Addresses → UPN

  • Token-Groups – Unqualified Names → Role
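As an added example (not Perfion's own script), the same application group, native client, Web API, permitted scopes and issuance rule can be created with the AD FS PowerShell module instead of the management console. The group name, redirect URIs and the access control policy are assumptions; adapt them to your environment.

```powershell
# Added example, not part of the Perfion documentation. Run on the AD FS server as an administrator.
Import-Module ADFS

$groupName = "Perfion"                      # assumed application group name
$clientId  = [guid]::NewGuid().ToString()   # Client Identifier; this value goes into Perfion Settings
$apiId     = $clientId                      # Web API Identifier = Client Identifier, as in the steps above
$redirects = @("http://localhost:80")       # add the Web Client URI here if you use the Web Client

# Equivalent of the "Send LDAP Attributes as Claims" template with the mappings above:
# Display-Name -> Name, E-Mail-Addresses -> UPN, Token-Groups (Unqualified Names) -> Role.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Perfion claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";displayName,mail,tokenGroups;{0}", param = c.Value);
'@

# Application group = "Native application accessing a web API"
New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName

# Native client with the redirect URI(s)
Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Native application" -Identifier $clientId -RedirectUri $redirects

# Web API whose Identifier is the Client Identifier; "Permit everyone" is the default policy the
# console applies, so tighten it to a group-based policy if only some users should reach Perfion.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Web API" -Identifier $apiId `
    -AccessControlPolicyName "Permit everyone" -IssuanceTransformRules $rules

# Permitted scopes: openid is needed for sign-in; allatclaims is the fix for
# "Sequence contains no matching element" mentioned above.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $apiId `
    -ScopeNames @("openid", "allatclaims")

Write-Host "Client Identifier for Perfion Settings: $clientId"
```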

Now you are ready to use AD FS in Perfion.