Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory-b2c/TOC.yml

@@ -265,6 +265,9 @@
       href: identity-provider-salesforce.md
     - name: Salesforce (SAML)
       href: identity-provider-salesforce-saml.md
+    - name: SwissID
+      href:  identity-provider-swissid.md
+      displayName: Swiss ID      
     - name: Twitter
       href: identity-provider-twitter.md
     - name: WeChat

articles/active-directory-b2c/add-identity-provider.md

@@ -47,6 +47,7 @@ You typically use only one identity provider in your applications, but you have
 * [QQ](identity-provider-qq.md)
 * [Salesforce](identity-provider-salesforce.md)
 * [Salesforce (SAML protocol)](identity-provider-salesforce-saml.md)
+* [SwissID]( identity-provider-swissid.md)
 * [Twitter](identity-provider-twitter.md)
 * [WeChat](identity-provider-wechat.md)
 * [Weibo](identity-provider-weibo.md)

articles/active-directory-b2c/identity-provider-swissid.md

@@ -0,0 +1,211 @@
+---
+title: Set up sign-up and sign-in with a SwissID account
+titleSuffix: Azure AD B2C
+description: Provide sign-up and sign-in to customers with SwissID accounts in your applications using Azure Active Directory B2C.
+services: active-directory-b2c
+author: kengaderdus
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 12/07/2021
+ms.author: kengaderdus
+ms.subservice: B2C
+zone_pivot_groups: b2c-policy-type
+---
+
+# Set up sign-up and sign-in with a SwissID account using Azure Active Directory B2C
+
+[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
+
+In this article, you learn how to provide sign-up and sign-in to customers with [SwissID](https://www.swissid.ch/) accounts in your applications using Azure Active Directory B2C (Azure AD B2C). You add the SwissID to your user flows or custom policy using OpenID Connect protocol. For more information, see [SwissID Integration Guidelines – OpenID Connect](https://www.swissid.ch/dam/jcr:471f63c6-606e-4c04-be02-afc99f4d2612).
+
+## Prerequisites
+
+[!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
+
+## Create a SwissID application
+
+To enable sign-in for users with a SwissID account in Azure AD B2C, you need to create an application. To create SwissID application, follow these steps:
+
+1. Contact [SwissID Business Partner support](https://www.swissid.ch/en/b2b-kontakt.html).
+1. After the sign up with SwissID, provide information about your Azure AD B2C tenant:
+
+
+    |Key  |Note  |
+    |---------|---------|
+    |Redirect URI     | Provide the `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp` URI. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain. |
+    |Token endpoint authentication method|  `client_secret_post`|
+
+
+1. After the app is registered, the following information will be provided by the SwissID. Use this information to configure your user flow, or custom policy.
+
+
+    |Key  |Note  |
+    |---------|---------|
+    | Environment| The SwissID OpenId well-known configuration endpoint. For example, <https://login.sandbox.pre.swissid.ch/idp/oauth2/.well-known/openid-configuration>. |
+    | Client ID | The SwissID client ID. For example, 11111111-2222-3333-4444-555555555555. |
+    | Password| The SwissID client secret.| 
+
+
+::: zone pivot="b2c-user-flow"
+
+## Configure SwissID as an identity provider
+
+1. Make sure you're using the directory that contains Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your Azure AD B2C tenant.
+1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+1. Select **Identity providers**, and then select **New OpenID Connect provider**.
+1. Enter a **Name**. For example, enter *SwissID*.
+1. For **Metadata url**, enter the URL SwissID OpenId well-known configuration endpoint. For example:
+
+    ```http
+    https://login.sandbox.pre.swissid.ch/idp/oauth2/.well-known/openid-configuration
+    ```
+
+1. For **Client ID**, enter the SwissID Client ID.
+1. For **Client secret**, enter the SwissID client secret.
+1. For the **Scope**, enter the `openid profile email`.
+1. Leave the default values for **Response type**, and **Response mode**.
+1. (Optional) For the **Domain hint**, enter `swissid.com`. For more information, see [Set up direct sign-in using Azure Active Directory B2C](direct-signin.md#redirect-sign-in-to-a-social-provider).
+1. Under **Identity provider claims mapping**, select the following claims:
+
+    - **User ID**: *sub*
+    - **Given name**: *given_name*
+    - **Surname**: *family_name*
+    - **Email**: *email*
+
+1. Select **Save**.
+
+## Add SwissID identity provider to a user flow 
+
+At this point, the SwissID identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the SwissID identity provider to a user flow:
+
+1. In your Azure AD B2C tenant, select **User flows**.
+1. Click the user flow that you want to add the SwissID identity provider.
+1. Under the **Social identity providers**, select **SwissID**.
+1. Select **Save**.
+1. To test your policy, select **Run user flow**.
+1. For **Application**, select the web application named *testapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
+1. Select the **Run user flow** button.
+1. From the sign-up or sign-in page, select **SwissID** to sign in with SwissID account.
+
+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+
+::: zone-end
+
+::: zone pivot="b2c-custom-policy"
+
+## Create a policy key
+
+You need to store the client secret that you received from SwissID in your Azure AD B2C tenant.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your tenant.
+3. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+4. On the Overview page, select **Identity Experience Framework**.
+5. Select **Policy Keys** and then select **Add**.
+6. For **Options**, choose `Manual`.
+7. Enter a **Name** for the policy key. For example, `SwissIDSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
+8. In **Secret**, enter your SwissID client secret.
+9. For **Key usage**, select `Signature`.
+10. Click **Create**.
+
+## Configure SwissID as an identity provider
+
+To enable users to sign in using a SwissID account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
+
+You can define a SwissID account as a claims provider by adding it to the **ClaimsProviders** element in the extension file of your policy.
+
+1. Open the *TrustFrameworkExtensions.xml*.
+2. Find the **ClaimsProviders** element. If it does not exist, add it under the root element.
+3. Add a new **ClaimsProvider** as follows:
+
+    ```xml
+    <ClaimsProvider>
+      <Domain>SwissID.com</Domain>
+      <DisplayName>SwissID</DisplayName>
+      <TechnicalProfiles>
+        <TechnicalProfile Id="SwissID-OpenIdConnect">
+          <DisplayName>SwissID</DisplayName>
+          <Protocol Name="OpenIdConnect" />
+          <Metadata>
+            <Item Key="METADATA">https://login.sandbox.pre.swissid.ch/idp/oauth2/.well-known/openid-configuration</Item>
+            <Item Key="client_id">Your Swiss client ID</Item>
+            <Item Key="response_types">code</Item>
+            <Item Key="scope">openid profile email</Item>
+            <Item Key="response_mode">form_post</Item>
+            <Item Key="HttpBinding">POST</Item>
+            <Item Key="UsePolicyInRedirectUri">false</Item>
+          </Metadata>
+          <CryptographicKeys>
+            <Key Id="client_secret" StorageReferenceId="B2C_1A_SwissIDSecret" />
+          </CryptographicKeys>
+          <OutputClaims>
+            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
+            <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
+            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
+            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
+            <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
+            <OutputClaim ClaimTypeReferenceId="email" />
+          </OutputClaims>
+          <OutputClaimsTransformations>
+            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
+            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
+            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
+            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
+            <OutputClaimsTransformation ReferenceId="CreateDisplayName" />
+          </OutputClaimsTransformations>
+          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
+        </TechnicalProfile>
+      </TechnicalProfiles>
+    </ClaimsProvider>
+    ```
+
+4. Set **client_id** to the SwissID client ID.
+5. Save the file.
+
+[!INCLUDE [active-directory-b2c-add-identity-provider-to-user-journey](../../includes/active-directory-b2c-add-identity-provider-to-user-journey.md)]
+
+
+```xml
+<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
+  <ClaimsProviderSelections>
+    ...
+    <ClaimsProviderSelection TargetClaimsExchangeId="SwissIDExchange" />
+  </ClaimsProviderSelections>
+  ...
+</OrchestrationStep>
+
+<OrchestrationStep Order="2" Type="ClaimsExchange">
+  ...
+  <ClaimsExchanges>
+    <ClaimsExchange Id="SwissIDExchange" TechnicalProfileReferenceId="SwissID-OpenIdConnect" />
+  </ClaimsExchanges>
+</OrchestrationStep>
+```
+
+[!INCLUDE [active-directory-b2c-configure-relying-party-policy](../../includes/active-directory-b2c-configure-relying-party-policy-user-journey.md)]
+
+## Test your custom policy
+
+1. Select your relying party policy, for example `B2C_1A_signup_signin`.
+1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
+1. Select the **Run now** button.
+1. From the sign-up or sign-in page, select **SwissID** to sign in with SwissID account.
+
+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+
+
+::: zone-end
+
+## Move to production
+
+SwissID IdP provides Pre-production and Production environments. The configuration described in this article uses the pre-production environment. To use the production environment, follow these steps:
+
+1. Contact SwissId support for a production environment.
+1. Update your user flow or custom policy with the URI of the well-known configuration endpoint. 
+
+## Next steps
+
+Learn how to [pass SwissID token to your application](idp-pass-through-user-flow.md).

articles/active-directory-b2c/partner-haventec.md

@@ -2,7 +2,6 @@
 title: Tutorial to configure Azure Active Directory B2C with Haventec
 titleSuffix: Azure AD B2C
 description: Learn how to integrate Azure AD B2C authentication with Haventec for multifactor passwordless authentication
-services: active-directory-b2c
 author: gargi-sinha
 manager: martinco
 ms.service: active-directory
@@ -52,13 +51,13 @@ To get started, you'll need:
 - An Azure AD subscription. If you don\'t have one, get a [free
   account](https://azure.microsoft.com/free/).
 
-- An [Azure AD B2C tenant](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-create-tenant) that is linked to your Azure subscription.
+- An [Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.
 
 - A Haventec Authenticate [demo environment](https://www.haventec.com/products/get-started).
 
 ### Part - 1 Create an application registration in Haventec
 
-If you haven't already done so, [register](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-register-applications) a web application, and [enable ID token implicit grant](https://docs.microsoft.com/azure/active-directory-b2c/tutorial-register-applications#enable-id-token-implicit-grant).
+If you haven't already done so, [register](tutorial-register-applications.md) a web application, and [enable ID token implicit grant](tutorial-register-applications.md#enable-id-token-implicit-grant).
 
 ### Part - 2 Add a new Identity provider in Azure AD B2C
 
@@ -95,7 +94,7 @@ To configure an identity provider, follow these steps:
 
 3. Select **OK**.
 
-4. Select **Map this identity provider’s claims**.
+4. Select **Map this identity provider's claims**.
 
 5. Fill out the form to map the Identity provider:
 
@@ -159,6 +158,6 @@ For additional information, review the following articles:
 
 - [Haventec](https://docs.haventec.com/) documentation
 
-- [Custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview)
+- [Custom policies in Azure AD B2C](custom-policy-overview.md)
 
-- [Get started with custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications)
+- [Get started with custom policies in Azure AD B2C](custom-policy-get-started.md?tabs=applications)

articles/active-directory/app-provisioning/known-issues.md

@@ -4,7 +4,6 @@ description: Learn about known issues when you work with automated application p
 author: kenwith
 ms.author: kenwith
 manager: karenh444
-services: active-directory
 ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
@@ -117,7 +116,7 @@ The following attributes and objects aren't supported:
    - Groups.
    - Complex anchors (for example, ObjectTypeName+UserName).
    - Binary attributes.
-   - On-premises applications are sometimes not federated with Azure AD and require local passwords. The on-premises provisioning preview does not support password synchronization. Provisioning initial one-time passwords is supported. Please ensure that you are using the [Redact](https://docs.microsoft.com/azure/active-directory/app-provisioning/functions-for-customizing-application-data#redact) function to redact the passwords from the logs. In the SQL and LDAP connectors, the passwords are not exported on the initial call to the application, but rather a second call with set password.   
+   - On-premises applications are sometimes not federated with Azure AD and require local passwords. The on-premises provisioning preview does not support password synchronization. Provisioning initial one-time passwords is supported. Please ensure that you are using the [Redact](/azure/active-directory/app-provisioning/functions-for-customizing-application-data#redact) function to redact the passwords from the logs. In the SQL and LDAP connectors, the passwords are not exported on the initial call to the application, but rather a second call with set password.   
 
 #### SSL certificates
    The Azure AD ECMA Connector Host currently requires either an SSL certificate to be trusted by Azure or the provisioning agent to be used. The certificate subject must match the host name the Azure AD ECMA Connector Host is installed on.

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

@@ -1,7 +1,6 @@
 ---
 title: Azure AD on-premises app provisioning to SCIM-enabled apps
 description: This article describes how to use the Azure AD provisioning service to provision users into an on-premises app that's SCIM enabled.
-services: active-directory
 author: billmath
 manager: karenh444
 ms.service: active-directory
@@ -39,7 +38,7 @@ To provision users to SCIM-enabled apps:
  1. Wait 20 minutes prior to completing the next step, to provide time for the agent assignment to complete.
  1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim. 
      ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
- 1. Select **Test Connection**, and save the credentials. Use the steps [here](https://docs.microsoft.com/azure/active-directory/app-provisioning/on-premises-ecma-troubleshoot#troubleshoot-test-connection-issues) if you run into connectivity issues. 
+ 1. Select **Test Connection**, and save the credentials. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. 
  1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
  1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
  1. Test provisioning a few users [on demand](provision-on-demand.md).

articles/active-directory/app-provisioning/user-provisioning.md

@@ -1,7 +1,6 @@
 ---
 title: What is automated SaaS app user provisioning in Azure Active Directory
 description: An introduction to how you can use Azure Active Directory to automatically provision, de-provision, and continuously update user accounts across multiple third-party SaaS applications.
-services: active-directory
 author: kenwith
 manager: karenh444
 ms.service: active-directory
@@ -21,7 +20,7 @@ In Azure Active Directory (Azure AD), the term *app provisioning* refers to auto
 
 Azure AD application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into SaaS applications like [Dropbox](../../active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../../active-directory/saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../../active-directory/saas-apps/servicenow-provisioning-tutorial.md), and more.
 
-Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://aka.ms/scimoverview), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](https://docs.microsoft.com/azure/active-directory/app-provisioning/on-premises-scim-provisioning) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](https://docs.microsoft.com/azure/active-directory/app-provisioning/on-premises-ldap-connector-configure) user store or a [SQL](https://docs.microsoft.com/azure/active-directory/app-provisioning/tutorial-ecma-sql-connector) database, Azure AD can support those as well. 
+Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://aka.ms/scimoverview), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](/azure/active-directory/app-provisioning/on-premises-scim-provisioning) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](/azure/active-directory/app-provisioning/on-premises-ldap-connector-configure) user store or a [SQL](/azure/active-directory/app-provisioning/tutorial-ecma-sql-connector) database, Azure AD can support those as well. 
 
 App provisioning lets you: