MicrosoftDocs
diff --git a/‎articles/active-directory/saas-apps/lms-and-education-management-system-leaf-tutorial.md
Lines changed: 31 additions & 5 deletions b/‎articles/active-directory/saas-apps/lms-and-education-management-system-leaf-tutorial.md
Lines changed: 31 additions & 5 deletions
diff --git a/‎articles/active-directory/saas-apps/media/lms-and-education-management-system-leaf-tutorial/create-test-user.png
231 KB b/‎articles/active-directory/saas-apps/media/lms-and-education-management-system-leaf-tutorial/create-test-user.png
231 KB
diff --git a/‎articles/active-directory/saas-apps/media/lms-and-education-management-system-leaf-tutorial/name-identifier.png
11 KB b/‎articles/active-directory/saas-apps/media/lms-and-education-management-system-leaf-tutorial/name-identifier.png
11 KB
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 06/27/2022
+ms.date: 08/16/2022
 ms.author: jeedes
 
 ---
@@ -36,7 +36,6 @@ For more information, see [Azure built-in roles](../roles/permissions-reference.
 In this tutorial, you configure and test Azure AD SSO in a test environment.
 
 * LMS and Education Management System Leaf supports **SP** initiated SSO.
-* LMS and Education Management System Leaf supports **Just In Time** user provisioning.
 
 ## Add LMS and Education Management System Leaf from the gallery
 
@@ -81,11 +80,15 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
     `https://<SUBDOMAIN>.leaf-hrm.jp/loginusers/acs`   
 
     c. In the **Sign on URL** text box, type a URL using the following pattern:
-    `https://<SUBDOMAIN>.leaf-hrm.jp/`
+    `https://<SUBDOMAIN>.leaf-hrm.jp/loginusers/sso/1`
 
     > [!Note]
     > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [LMS and Education Management System Leaf support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
 
+1. Your LMS and Education Management System Leaf application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but LMS and Education Management System Leaf expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.
+
+	![image](common/default-attributes.png)
+
 1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
 
     ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
@@ -124,7 +127,30 @@ To configure single sign-on on **LMS and Education Management System Leaf** side
 
 ### Create LMS and Education Management System Leaf test user
 
-In this section, a user called B.Simon is created in LMS and Education Management System Leaf. LMS and Education Management System Leaf supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in LMS and Education Management System Leaf, a new one is created after authentication.
+1. Log in as the Leaf system administrator user. From the **User tab** of **Master Maintenance**, create a user with a login ID of `leaftest`.
+2. From the User tab of Master Maintenance, click the **SSO Information Bulk Registration** button.
+3. Click the **Registration CSV** button to download the registration CSV.
+4. Open the downloaded CSV, enter (Leaf) login ID, nameID format, authentication server, and save.
+
+    ![Screenshot for Registration CSV.](./media/lms-and-education-management-system-leaf-tutorial/create-test-user.png)
+
+    ![Screenshot for Name ID.](./media/lms-and-education-management-system-leaf-tutorial/name-identifier.png)
+
+    a. Please enter `leaftest` in the **(Leaf) Login ID** column.
+
+    b. In the Authentication Server column, enter the value corresponding to the Authentication Server in the above figure.
+
+    c. In the NameID format column, enter the value corresponding to **NameID format**.
+
+    d.Enter **leaftest@company。.extension** in the [NameID] column.
+
+5. Click the **Select File** button and select the CSV you edited earlier.
+6. Click the **Upload** button.
+
+> [!NOTE]
+> As a way to associate with Leaf, the login ID (user) on which Leaf is linked with the NameID (user) 
+and NameID format (format) on which IdP (authentication server) is specified.
+
 
 ## Test SSO 
 
@@ -138,4 +164,4 @@ In this section, you test your Azure AD single sign-on configuration with follow
 
 ## Next steps
 
-Once you configure LMS and Education Management System Leaf you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure LMS and Education Management System Leaf you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).