Merge pull request #105587 from v-hagamp/signalfx

v-albemi · web-flow · commit 14b8055f1c1c · 2020-03-09T16:26:31.000-07:00
Product Backlog Item 930641: SignalFx Update
diff --git a/articles/active-directory/saas-apps/signalfx-tutorial.md b/articles/active-directory/saas-apps/signalfx-tutorial.md
@@ -12,87 +12,86 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
-ms.devlang: na
 ms.topic: tutorial
-ms.date: 12/10/2019
+ms.date: 02/24/2020
 ms.author: jeedes
 
 ms.collection: M365-identity-device-management
 ---
 
 # Tutorial: Azure Active Directory single sign-on (SSO) integration with SignalFx
 
-In this tutorial, you'll learn how to integrate SignalFx with Azure Active Directory (Azure AD). When you integrate SignalFx with Azure AD, you can:
+In this tutorial, you will learn how to integrate SignalFx with Azure Active Directory (Azure AD). When you integrate SignalFx with Azure AD, you can:
 
-* Control in Azure AD who has access to SignalFx.
-* Enable your users to be automatically signed-in to SignalFx with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+* Control from Azure AD who has access to SignalFx;
+* Enable your users to be automatically signed-in to SignalFx with their Azure AD accounts; and
+* Manage your accounts in one location (the Azure portal).
 
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
+To learn more about SaaS application integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/what-is-single-sign-on).
 
 ## Prerequisites
 
-To get started, you need the following items:
+Before you begin, you will need:
 
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* SignalFx single sign-on (SSO) enabled subscription.
+* An Azure AD subscription
+	* If you do not have a subscription, you can obtain a [free account here](https://azure.microsoft.com/free/).
+* SignalFx single sign-on (SSO) enabled subscription
 
 ## Scenario description
 
-In this tutorial, you configure and test Azure AD SSO in a test environment.
+In this tutorial, you will configure and test Azure AD SSO in a test environment.
 
 * SignalFx supports **IDP** initiated SSO
 * SignalFx supports **Just In Time** user provisioning
+* Once you configure SignalFx you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
 
-## Adding SignalFx from the gallery
+## Step 1: Add the SignalFx application in Azure
 
-To configure the integration of SignalFx into Azure AD, you need to add SignalFx from the gallery to your list of managed SaaS apps.
+Use these instructions to add the SignalFx application to your list of managed SaaS apps.
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
-1. On the left navigation pane, select the **Azure Active Directory** service.
-1. Navigate to **Enterprise Applications** and then select **All Applications**.
-1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **SignalFx** in the search box.
-1. Select **SignalFx** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. Log into the [Azure portal](https://portal.azure.com).
+1. On the left-side navigation window, select **Azure Active Directory**.
+1. Select **Enterprise applications**, and then select **All applications**.
+1. Select **New application**.
+1. In the **Add from the gallery** section, in the search box, enter and select **SignalFx**.
+ 	* You may need to wait a few minutes for the application to be added to your tenant.
+1. Leave the Azure portal open, and then open a new web tab.	
 
-## Configure and test Azure AD single sign-on for SignalFx
+## Step 2: Begin SignalFx SSO configuration
 
-Configure and test Azure AD SSO with SignalFx using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SignalFx.
+Use these instructions to begin the configuration process for the SignalFx SSO.
 
-To configure and test Azure AD SSO with SignalFx, complete the following building blocks:
+1. In the newly opened tab, access and log into the SignalFx UI. 
+1. In the top menu, click **Integrations**. 
+1. In the search field, enter and select **Azure Active Directory**.
+1. Click **Create New Integration**.
+1. In **Name**, enter an easily recognizable name that your users will understand.
+1. Mark **Show on login page**.
+	* This feature will display a customized button in the login page that your users can click on. 
+	* The information you entered in **Name** will appear on the button. As a result, enter a **Name** that your users will recognize. 
+	* This option will only function if you use a custom subdomain for the SignalFx application, such as **yourcompanyname.signalfx.com**. To obtain a custom subdomain, contact SignalFx support. 
+1. Copy the **Integration ID**. You will need this information in a later step. 
+1. Leave the SignalFx UI open. 
 
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-    * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-    * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure SignalFx SSO](#configure-signalfx-sso)** - to configure the single sign-on settings on application side.
-    * **[Create SignalFx test user](#create-signalfx-test-user)** - to have a counterpart of B.Simon in SignalFx that is linked to the Azure AD representation of user.
-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+## Step 3: Configure Azure AD SSO
 
-## Configure Azure AD SSO
+Use these instructions to enable Azure AD SSO in the Azure portal.
 
-Follow these steps to enable Azure AD SSO in the Azure portal.
-
-1. In the [Azure portal](https://portal.azure.com/), on the **SignalFx** application integration page, find the **Manage** section and select **single sign-on**.
+1. Return to the [Azure portal](https://portal.azure.com/), and on the **SignalFx** application integration page, locate the **Manage** section, and then select **Single sign-on**.
 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pen (edit) icon for **Basic SAML Configuration** to edit the settings.
 
    ![Edit Basic SAML Configuration](common/edit-urls.png)
 
-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
-
-    a. In the **Identifier** text box, type a URL: `https://api.signalfx.com/v1/saml/metadata`
-
-    b. In the **Reply URL** text box, type a URL using the following pattern:
-    `https://api.signalfx.com/v1/saml/acs/<integration ID>`
+1. On the **Set up single sign-on with SAML** page, complete the following fields: 
 
-	> [!NOTE]
-	> The preceding value is not real value. You update the value with the actual Reply URL, which is explained later in the tutorial.
+    a. In **Identifier**, enter the following URL `https://api.<realm>.signalfx.com/v1/saml/metadata` and replace `<realm>` with your SignalFx realm. 
 
-1. SignalFx application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+    b. In **Reply URL**, enter the following URL `https://api.<realm>.signalfx.com/v1/saml/acs/<integration ID>` and replace `<realm>` with your SignalFx realm, as well as `<integration ID>` with the **Integration ID** you copied earlier from the SignalFx UI.
 
-	![image](common/default-attributes.png)
-
-1. In addition to above, SignalFx application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+1. SignalFx application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. 
+	
+1. Review and verify that the following claims map to the source attributes that are populated in the Active Directory. 
 
 	| Name |  Source Attribute|
 	| ------------------- | -------------------- |
@@ -101,93 +100,82 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
 	| PersonImmutableID       | user.userprincipalname    |
 	| User.LastName       | user.surname    |
 
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+    > [!NOTE]
+    > This process requires that your Active Directory is configured with at least one verified custom domain, as well as has access to the email accounts in this domain. If you are unsure or need assistance with this configuration, please contact SignalFx support.  
 
-	![The Certificate download link](common/certificatebase64.png)
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)**, and then select **Download**. Download the certificate, and save it on your computer. Then, copy the **App Federation Metadata Url** value; you will need this information in a later step in the SignalFx UI. 
 
-1. On the **Set up SignalFx** section, copy the appropriate URL(s) based on your requirement.
+	![The Certificate download link](common/certificatebase64.png)
 
-	![Copy configuration URLs](common/copy-configuration-urls.png)
+1. On the **Set up SignalFx** section, copy the **Azure AD Identifier** value. You will need this information in a later step in the SignalFx UI. 
 
-### Create an Azure AD test user
+## Step 4: Create an Azure AD test user
 
-In this section, you'll create a test user in the Azure portal called B.Simon.
+Use these instructions to create a test user in the Azure portal called **B.Simon**.
 
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
-   1. In the **Name** field, enter `B.Simon`.  
-   1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
-   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+1. In the Azure portal, in the left-side navigation window, select **Azure Active Directory**, then select **Users**, and then select **All users**.
+1. At the top of the page, select **New user**.
+1. In the **User** properties:
+   1. In **User name**, enter `username@companydomain.extension`, such as `b.simon@contoso.com`.
+   1. In **Name**, enter `B.Simon`.
+   1. Mark **Show password**, and then copy the displayed value in **Password**. You will need this information in later step in order to test this integration. 
    1. Click **Create**.
 
-### Assign the Azure AD test user
+## Step 5: Assign the Azure AD test user
 
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SignalFx.
+Use these instructions to enable the test user to use Azure single sign-on for SignalFx.
 
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the Azure portal, select **Enterprise applications**, and then select **All applications**.
 1. In the applications list, select **SignalFx**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. In the app's overview page, find the **Manage** section, and then select **Users and groups**.
 
    ![The "Users and groups" link](common/users-groups-blade.png)
 
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. Select **Add user**, and then in the **Add Assignment** dialog box, select **Users and groups**.
 
 	![The Add User link](common/add-assign-user.png)
 
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
-
-## Configure SignalFx SSO
-
-1. Sign in to your SignalFx company site as administrator.
-
-1. In SignalFx, on the top click **Integrations** to open the Integrations page.
+1. In the **Users and groups** dialog box, from the **Users** list, select **B.Simon**, and then at the bottom of the page, click **Select**.
+1. If you are expecting any role value in the SAML assertion, then in the **Select Role** dialog box, select the appropriate role for the user from the list, and then click **Select** at the bottom of the page.
+1. In the **Add Assignment** dialog box, click the **Assign**.
 
-	![SignalFx Integration](./media/signalfx-tutorial/tutorial_signalfx_intg.png)
+## Step 6: Complete the SignalFx SSO configuration 
 
-1. Click on **Azure Active Directory** tile under **Login Services** section.
+1. Open the previous tab, and return to the SignalFx UI to view the current Azure Active Directory integration page. 
+1. Next to **Certificate (Base64)**, click **Upload File**, and then locate the **Base64 encoded certificate** file that you previously downloaded from Azure portal.
+1. Next to **Azure AD Identifier**, paste the **Azure AD Identifier** value that you copied earlier from the Azure portal. 
+1. Next to **Federation Metadata URL**, paste the **App Federation Metadata Url** value that you copied earlier from the Azure portal. 
+1. Click **Save**.
 
-	![SignalFx saml](./media/signalfx-tutorial/tutorial_signalfx_saml.png)
+## Step 7: Test SSO
 
-1. Click on **NEW INTEGRATION** and under the **INSTALL** tab perform the following steps:
+Review the following information regarding how to test SSO, as well as expectations for logging into SignalFx for the first time. 
 
-	![SignalFx samlintgpage](./media/signalfx-tutorial/tutorial_signalfx_azure.png)
+### Test logins
 
-	a. In the **Name** textbox type, a new integration name, like **OurOrgName SAML SSO**.
+* To test the login, you should use a private / incognito window, or you can log out of the Azure portal. If not, cookies for the user who configured the application will interfere and prevent a successful login with the test user.
 
-	b. Copy the **Integration ID** value and append to the **Reply URL** in the place of `<integration ID>` in the **Reply URL** textbox of **Basic SAML Configuration** section in Azure portal.
+* When a new test user logs in for the first time, Azure will force a password change. When this occurs, the SSO login process will not be completed; the test user will be directed to the Azure portal. To troubleshoot, the test user should change their password, and navigate to the SignalFx login page or to the Access Panel and try again.
+	* When you click the SignalFx tile in the Access Panel, you should be automatically logged into the SignalFx. 
+		* For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
 
-	c. Click on **Upload File** to upload the **Base64 encoded certificate** downloaded from Azure portal in the **Certificate** textbox.
+* SignalFx application can be accessed from the Access Panel or via a custom login page assigned to the organization. The test user should test the integration starting from either of these location.
+	* The test user can use the credentials created earlier in this process for **b.simon@contoso.com**.
 
-	d. In the **Issuer URL** textbox, paste the value of **Azure AD Identifier**, which you have copied from the Azure portal.
+### First-time logins
 
-	e. In the **Metadata URL** textbox, paste the **Login URL** which you have copied from the Azure portal.
+* When a user logs into SignalFx from the SAML SSO for the first time, the user will receive a SignalFx email with a link. The user must click the link for authentication purposes. This email validation will only take place for first-time users. 
 
-	f. Click **Save**.
-
-### Create SignalFx test user
-
-The objective of this section is to create a user called Britta Simon in SignalFx. SignalFx supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access SignalFx if it doesn't exist yet.
-
-When a user signs in to SignalFx from the SAML SSO for the first time, [SignalFx support team](mailto:kmazzola@signalfx.com) sends them an email containing a link that they must click through to authenticate. This will only happen the first time the user signs in; subsequent login attempts will not require email validation.
-
-> [!Note]
-> If you need to create a user manually, contact [SignalFx support team](mailto:kmazzola@signalfx.com)
-
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the SignalFx tile in the Access Panel, you should be automatically signed in to the SignalFx for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* SignalFx supports **Just In Time** user creation, which means that if a user does not exist in SignalFx, then the user's account will be created upon first login attempt.
 
 ## Additional resources
 
 - [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/what-is-single-sign-on)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
+- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+
 - [Try SignalFx with Azure AD](https://aad.portal.azure.com/)
