Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-rbac-custom-roles-management-group-scope-ga-update

Author: rolyon

articles/active-directory/fundamentals/whats-new.md

@@ -1,5 +1,5 @@
 ---
-title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with FCM HUB'
+title: 'Tutorial: Azure Active Directory SSO integration with FCM HUB'
 description: Learn how to configure single sign-on between Azure Active Directory and FCM HUB.
 services: active-directory
 author: jeevansd
@@ -9,13 +9,13 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 11/21/2022
+ms.date: 04/19/2023
 ms.author: jeedes
 ---
 
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with FCM HUB
+# Tutorial: Azure Active Directory SSO integration with FCM HUB
 
-In this tutorial, you'll learn how to integrate FCM HUB with Azure Active Directory (Azure AD). When you integrate FCM HUB with Azure AD, you can:
+In this tutorial, you learn how to integrate FCM HUB with Azure Active Directory (Azure AD). When you integrate FCM HUB with Azure AD, you can:
 
 * Control in Azure AD who has access to FCM HUB.
 * Enable your users to be automatically signed-in to FCM HUB with their Azure AD accounts.
@@ -91,7 +91,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
    - **Source Attribute**: PortalID, value provided by FCM
 
 1. In the **SAML Signing Certificate** section, use the edit option to select or enter the following settings, and then select **Save**:
-   - **Signing Option**: Sign SAML response
+   - **Signing Option**: Sign SAML response and Assertion
    - **Signing Algorithm**: SHA-256
 
 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

articles/active-directory/saas-apps/fcm-hub-tutorial.md

@@ -9,14 +9,14 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: how-to
-ms.date: 04/06/2023
+ms.date: 04/19/2023
 ms.author: jeedes
 
 ---
 
 # Azure Active Directory SSO integration with HashiCorp Cloud Platform (HCP)
 
-In this article, you learn how to integrate HashiCorp Cloud Platform (HCP) with Azure Active Directory (Azure AD). HashiCorp Cloud platform hosting managed services of the developer tools created by HashiCorp, such Terraform, Vault, Boundary, and Consul. When you integrate HashiCorp Cloud Platform (HCP) with Azure AD, you can:
+In this article, you learn how to integrate HashiCorp Cloud Platform (HCP) with Azure Active Directory (Azure AD). HashiCorp Cloud Platform hosting managed services of the developer tools created by HashiCorp, such Terraform, Vault, Boundary, and Consul. When you integrate HashiCorp Cloud Platform (HCP) with Azure AD, you can:
 
 * Control in Azure AD who has access to HashiCorp Cloud Platform (HCP).
 * Enable your users to be automatically signed-in to HashiCorp Cloud Platform (HCP) with their Azure AD accounts.
@@ -31,7 +31,7 @@ To integrate Azure Active Directory with HashiCorp Cloud Platform (HCP), you nee
 * An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 * One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
 * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* HashiCorp Cloud Platform (HCP) single sign-on (SSO) enabled subscription.
+* HashiCorp Cloud Platform (HCP) single sign-on (SSO) enabled organization.
 
 ## Add application and assign a test user
 
@@ -69,7 +69,7 @@ Complete the following steps to enable Azure AD single sign-on in the Azure port
     `https://portal.cloud.hashicorp.com/sign-in?conn-id=HCP-SSO-<HCP_ORG_ID>-samlp`
 
     > [!NOTE]
-    > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [HashiCorp Cloud Platform (HCP) Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+    > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. These values are also pregenerated for you on the "Setup SAML SSO" page within your Organization settings in HashiCorp Cloud Platform (HCP). For more information SAML documentation is provided on [HashiCorp's Developer site](https://developer.hashicorp.com/hcp/docs/hcp/security/sso/sso-aad). Contact [HashiCorp Cloud Platform (HCP) Client support team](mailto:[email protected]) for any questions about this process. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
 
 1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
 
@@ -81,26 +81,17 @@ Complete the following steps to enable Azure AD single sign-on in the Azure port
 
 ## Configure HashiCorp Cloud Platform (HCP) SSO
 
-To configure single sign-on on **HashiCorp Cloud Platform (HCP)** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [HashiCorp Cloud Platform (HCP) support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
-
-### Create HashiCorp Cloud Platform (HCP) test user
-
-In this section, you create a user called Britta Simon at HashiCorp Cloud Platform (HCP). Work with [HashiCorp Cloud Platform (HCP) support team](mailto:[email protected]) to add the users in the HashiCorp Cloud Platform (HCP) platform. Users must be created and activated before you use single sign-on.
+To configure single sign-on on the **HashiCorp Cloud Platform (HCP)** side, you need to add a verification record TXT to your domain host, add the downloaded **Certificate (Base64)** and **Login URL** copied from Azure portal to your HashiCorp Cloud Platform (HCP) Organization "Setup SAML SSO" page. Please refer to the SAML documentation that is provided on [HashiCorp's Developer site](https://developer.hashicorp.com/hcp/docs/hcp/security/sso/sso-aad). Contact [HashiCorp Cloud Platform (HCP) Client support team](mailto:[email protected]) for any questions about this process.
 
 ## Test SSO 
 
-In this section, you test your Azure AD single sign-on configuration with following options. 
-
-* Click on **Test this application** in Azure portal. This will redirect to HashiCorp Cloud Platform (HCP) Sign-on URL where you can initiate the login flow. 
-
-* Go to HashiCorp Cloud Platform (HCP) Sign-on URL directly and initiate the login flow from there.
-
-* You can use Microsoft My Apps. When you select the HashiCorp Cloud Platform (HCP) tile in the My Apps, this will redirect to HashiCorp Cloud Platform (HCP) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+In the previous [Create and assign Azure AD test user](#create-and-assign-azure-ad-test-user) section, you created a user called B.Simon and assigned it to the HashiCorp Cloud Platform (HCP) app within the Azure Portal. This can now be used for testing the SSO connection. You may also use any account that is already associated with the HashiCorp Cloud Platform (HCP) app in the Azure Portal. 
 
 ## Additional resources
 
 * [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
 * [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).
+* [HashiCorp Cloud Platform (HCP) | Azure Active Directory SAML SSO Configuration](https://developer.hashicorp.com/hcp/docs/hcp/security/sso/sso-aad).
 
 ## Next steps
 

articles/active-directory/saas-apps/hashicorp-cloud-platform-hcp-tutorial.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: how-to
-ms.date: 04/06/2023
+ms.date: 04/20/2023
 ms.author: jeedes
 
 ---
@@ -69,25 +69,34 @@ Complete the following steps to enable Azure AD single sign-on in the Azure port
 
 	c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in Basic SAML Configuration section.
 
-	d. If you wish to configure the application in **SP** initiated mode, then perform the following step:
+	d. Enter the customer code/key provided by 360factors in **Relay State** textbox. Make sure the code is entered in lowercase. This is required for **IDP** initiated mode.
+	
+	> [!Note]
+	> You will get the **Service Provider metadata file** from the [Predict360 SSO support team](mailto:[email protected]). If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.
+
+	e. If you wish to configure the application in **SP** initiated mode, then perform the following step:
 
-    In the **Sign on URL** textbox, type the URL:
-    `https://paadt.360factors.com/predict360/login.do`.
+    In the **Sign on URL** textbox, type your customer specific URL using the following pattern:  
+    `https://<customer-key>.360factors.com/predict360/login.do`
 
 	> [!Note]
-	> You will get the **Service Provider metadata file** from the [Predict360 SSO support team](mailto:[email protected]). If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.
+	> This URL is shared by 360factors team. `<customer-key>` is replaced with your customer key, which is also provide by 360factors team.
 
 1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
 
     ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
 
+1. Find **Certificate (Raw)** in the **SAML Signing Certificate** section, and select **Download** to download the certificate and save it on your computer.
+
+	![Screenshot shows the Certificate Raw download link.](common/certificateraw.png " Raw Certificate")
+
 1. On the **Set up Predict360 SSO** section, copy the appropriate URL(s) based on your requirement.
 
 	![Screenshot shows to copy configuration appropriate URL.](common/copy-configuration-urls.png "Metadata")
 
-## Configure Predict360 SSO SSO
+## Configure Predict360 SSO
 
-To configure single sign-on on **Predict360 SSO** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Predict360 SSO support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **Predict360 SSO** side, you need to send the downloaded **Federation Metadata XML**, **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Predict360 SSO support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
 
 ### Create Predict360 SSO test user
 

articles/active-directory/saas-apps/predict360-sso-tutorial.md

@@ -85,6 +85,13 @@
               href: /security/benchmark/azure/baselines/api-management-security-baseline?toc=/azure/api-management/&bc=/azure/api-management/breadcrumb/toc.json
             - name: Authentication and authorization options
               href: authentication-authorization-overview.md
+            - name: API security
+              items:
+              - name: Defender for APIs (preview)
+                href: protect-with-defender-for-apis.md              
+              - name: Mitigate OWASP API threats
+                href: mitigate-owasp-api-threats.md
+                displayName: OWASP top 10, vulnerability, vulnerabilities
       - name: API authorizations
         href: authorizations-overview.md
         displayName: OAuth
@@ -298,10 +305,7 @@
               href: api-management-howto-manage-protocols-ciphers.md
             - name: Defend against DDoS attacks
               href: protect-with-ddos-protection.md
-            - name: Mitigate OWASP API threats
-              href: mitigate-owasp-api-threats.md
-              displayName: OWASP top 10, vulnerability, vulnerabilities
-          - name: Configure API authorizations for OAuth 2.0 backends
+          - name: Manage API authorizations
             items:
             - name: Configure common authorization providers
               href: authorizations-configure-common-providers.md

articles/api-management/TOC.yml

@@ -76,6 +76,7 @@ The following table compares features available in the managed gateway versus th
 | [TLS settings](api-management-howto-manage-protocols-ciphers.md) |  ✔️ | ✔️ | ✔️ |
 | **HTTP/2** (Client-to-gateway) |  ❌ | ❌ | ✔️ |
 | **HTTP/2** (Gateway-to-backend) |  ❌ | ❌ | ✔️ |
+| API threat detection with [Defender for APIs](protect-with-defender-for-apis.md) | ✔️ |  ❌ | ❌ | 
 
 <sup>1</sup> Depends on how the gateway is deployed, but is the responsibility of the customer.<br/>
 <sup>2</sup> Connectivity to the self-hosted gateway v2 [configuration endpoint](self-hosted-gateway-overview.md#fqdn-dependencies) requires DNS resolution of the default endpoint hostname; custom domain name is currently not supported.<br/>