Configure a WS-Federation provider for portals
You can add a WS-Federation–compliant security token service provider—for example, Azure Active Directory (Azure AD) or a single Active Directory Federation Services (AD FS) server—as an identity provider.
Note
Changes to the authentication settings might take a few minutes to be reflected on the portal. Restart the portal by using portal actions if you want the changes to be reflected immediately.
To configure a WS-Federation provider
Select Add provider for your portal.
For Login provider, select Other.
For Protocol, select WS-Federation.
Enter a provider name.

Select Next.
Create the application and configure the settings with your identity provider.

Enter the following site settings for portal configuration.

Note
Ensure that you review—and if required, change—the default values.
Name Description Metadata address The WS-Federation identity provider metadata file location.
Example (Azure AD):https://login.microsoftonline.com/7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb/federationmetadata/2007-06/federationmetadata.xmlAuthentication type The Entity Id value that specifies a globally unique name for the WS-Federation identity provider.
Example (Azure AD):https://login.microsoftonline.com/7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb/Service provider realm The portal URL that specifies the service provider realm for the WS-Federation identity provider.
Example:https://contoso-portal.powerappsportals.com/Assertion consumer service URL The portal URL that corresponds to the service provider's endpoint (URL).
Example:https://contoso-portal.powerappsportals.com/signin-wsfederation_1
Note: If you're using the default portal URL, you can copy and paste the Reply URL as shown in the Create and configure WS-Federation provider settings step. If you're using a custom domain name, enter the URL manually. Be sure that the value you enter here is exactly the same as the Redirect URI value for the application in the identity provider configuration (such as Azure portal).Select Next.
(Optional) Configure additional settings.

Name Description Sign-out reply The URL to return to (sign-out reply) after sign-out is complete. Valid audiences Comma-separated list of audience URLs. Validate audiences If this setting is enabled, the audience will be validated during token validation. WHR The home realm of the identity provider to use for authentication. Sets the WS-Federation sign-in request whr parameter. If this setting is empty, the whr parameter isn't included in the request.
More information: wsFederationContact mapping with email Specify whether contacts are mapped to a corresponding email. When this setting is On, a unique contact record is associated with a matching email address, assigning the external identity provider to the contact after a successful user sign-in. Select Confirm.
To edit a WS-Federation provider
See Edit a provider.
See also
Configure a WS-Federation provider for portals with Azure AD
Configure a WS-Federation provider for portals with AD FS