Merge pull request #106887 from yoelhor/patch-11

Update connect-with-saml-service-providers.md

Author: ktoliver

articles/active-directory-b2c/TOC.yml

@@ -329,6 +329,8 @@
             href: restful-technical-profile.md
           - name: SAML
             href: saml-technical-profile.md
+          - name: SAML token issuer
+            href: saml-issuer-technical-profile.md
           - name: Self-asserted
             href: self-asserted-technical-profile.md
           - name: SSO session

articles/active-directory-b2c/connect-with-saml-service-providers.md

@@ -109,7 +109,7 @@ Next, upload the SAML assertion and response signing certificate to Azure AD B2C
 
 ### 2.1 Create the SAML token issuer
 
-Now, add the capability for your tenant to issue SAML tokens.
+Now, add the capability for your tenant to issue SAML tokens, using [SAML token issuer](saml-issuer-technical-profile.md) and [SAML session provider](custom-policy-reference-sso.md#samlssosessionprovider) technical profiles.
 
 Open `SocialAndLocalAccounts\`**`TrustFrameworkExtensions.xml`** in the custom policy starter pack.
 
@@ -293,7 +293,7 @@ The metadata is information used in the SAML protocol to expose the configuratio
 
 If there are properties specified in *both* the SAML metadata URL and in the application registration's manifest, they are **merged**. The properties specified in the metadata URL are processed first and take precedence.
 
-For this tutorial which uses the SAML test application, use the following value for `samlMetadataUrl`:
+For this tutorial, which uses the SAML test application, use the following value for `samlMetadataUrl`:
 
 ```JSON
 "samlMetadataUrl":"https://samltestapp2.azurewebsites.net/Metadata",
@@ -320,7 +320,7 @@ For this tutorial, in which you use the SAML test application, set the `url` pro
 
 This optional property represents the `Logout` URL (`SingleLogoutService` URL in the relying party metadata), and the `BindingType` for this is assumed to be `Http-Redirect`.
 
-For this tutorial which uses the SAML test application, leave `logoutUrl` set to `https://samltestapp2.azurewebsites.net/logout`:
+For this tutorial, which uses the SAML test application, leave `logoutUrl` set to `https://samltestapp2.azurewebsites.net/logout`:
 
 ```JSON
 "logoutUrl": "https://samltestapp2.azurewebsites.net/logout",

articles/active-directory-b2c/custom-policy-reference-sso.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/02/2020
+ms.date: 03/09/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -20,7 +20,7 @@ ms.subservice: B2C
 
 Single sign-on (SSO) session management in Azure Active Directory B2C (Azure AD B2C) enables an administrator to control interaction with a user after the user has already authenticated. For example, the administrator can control whether the selection of identity providers is displayed, or whether local account details need to be entered again. This article describes how to configure the SSO settings for Azure AD B2C.
 
-SSO session management has two parts. The first deals with the user's interactions directly with Azure AD B2C and the other deals with the user's interactions with external parties such as Facebook. Azure AD B2C does not override or bypass SSO sessions that might be held by external parties. Rather the route through Azure AD B2C to get to the external party is “remembered”, avoiding the need to reprompt the user to select their social or enterprise identity provider. The ultimate SSO decision remains with the external party.
+SSO session management has two parts. The first deals with the user's interactions directly with Azure AD B2C and the other deals with the user's interactions with external parties such as Facebook. Azure AD B2C does not override or bypass SSO sessions that might be held by external parties. Rather the route through Azure AD B2C to get to the external party is "remembered", avoiding the need to reprompt the user to select their social or enterprise identity provider. The ultimate SSO decision remains with the external party.
 
 SSO session management uses the same semantics as any other technical profile in custom policies. When an orchestration step is executed, the technical profile associated with the step is queried for a `UseTechnicalProfileForSessionManagement` reference. If one exists, the referenced SSO session provider is then checked to see if the user is a session participant. If so, the SSO session provider is used to repopulate the session. Similarly, when the execution of an orchestration step is complete, the provider is used to store information in the session if an SSO session provider has been specified.
 
@@ -134,7 +134,7 @@ This provider is used for managing the Azure AD B2C SAML sessions between a rely
 
 When using the provider for storing the B2C SAML session, the `RegisterServiceProviders` must set to `true`. SAML session logout requires the `SessionIndex` and `NameID` to complete.
 
-The following `SM-Saml-idp` technical profile is used by [SAML issuer technical profile](connect-with-saml-service-providers.md)
+The following `SM-Saml-idp` technical profile is used by [SAML issuer technical profile](saml-issuer-technical-profile.md)
 
 ```XML
 <TechnicalProfile Id="SM-Saml-sp">

articles/active-directory-b2c/saml-issuer-technical-profile.md

@@ -0,0 +1,80 @@
+---
+title: Define a technical profile for a SAML issuer in a custom policy
+titleSuffix: Azure AD B2C
+description: Define a technical profile for a Security Assertion Markup Language token (SAML) issuer in a custom policy in Azure Active Directory B2C.
+services: active-directory-b2c
+author: msmimart
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: reference
+ms.date: 03/09/2020
+ms.author: mimart
+ms.subservice: B2C
+---
+
+# Define a technical profile for a SAML token issuer in an Azure Active Directory B2C custom policy
+
+[!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
+
+Azure Active Directory B2C (Azure AD B2C) emits several types of security tokens as it processes each authentication flow. A technical profile for a SAML token issuer emits a SAML token that is returned back to the relying party application (service provider). Usually this technical profile is the last orchestration step in the user journey.
+
+## Protocol
+
+The **Name** attribute of the **Protocol** element needs to be set to `None`. Set the **OutputTokenFormat** element to `SAML2`.
+
+The following example shows a technical profile for `Saml2AssertionIssuer`:
+
+```XML
+<TechnicalProfile Id="Saml2AssertionIssuer">
+  <DisplayName>Token Issuer</DisplayName>
+  <Protocol Name="None"/>
+  <OutputTokenFormat>SAML2</OutputTokenFormat>
+  <Metadata>
+    <Item Key="IssuerUri">https://tenant-name.b2clogin.com/tenant-name.onmicrosoft.com/B2C_1A_signup_signin_SAML</Item>
+  </Metadata>
+  <CryptographicKeys>
+    <Key Id="MetadataSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
+    <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
+  </CryptographicKeys>
+  <InputClaims/>
+  <OutputClaims/>
+  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-sp"/>
+</TechnicalProfile>
+```
+
+## Input, output, and persist claims
+
+The **InputClaims**, **OutputClaims**, and **PersistClaims** elements are empty or absent. The **InutputClaimsTransformations** and **OutputClaimsTransformations** elements are also absent.
+
+## Metadata
+
+| Attribute | Required | Description |
+| --------- | -------- | ----------- |
+| IssuerUri | No | The issuer name that appears in the SAML response. The value should be the same name as configured in the relying party application. |
+
+## Cryptographic keys
+
+The CryptographicKeys element contains the following attributes:
+
+| Attribute | Required | Description |
+| --------- | -------- | ----------- |
+| MetadataSigning | Yes | The X509 certificate (RSA key set) to use to sign SAML metadata. Azure AD B2C uses this key to sign the metadata. |
+| SamlMessageSigning| Yes| Specify the X509 certificate (RSA key set) to use to sign SAML messages. Azure AD B2C uses this key to signing the response `<samlp:Response>` send to the relying party.|
+
+## Session management
+
+To configure the Azure AD B2C SAML sessions between a relying party application, the attribute of the `UseTechnicalProfileForSessionManagement` element, reference to [SamlSSOSessionProvider](custom-policy-reference-sso.md#samlssosessionprovider) SSO session.
+
+
+
+
+
+
+
+
+
+
+
+