Merge pull request #220932 from v-edmckillop/patch-41

Court72 · web-flow · commit cd77b63c7977 · 2023-01-03T15:05:29.000-07:00
Update partner-onfido.md
diff --git a/articles/active-directory-b2c/partner-onfido.md b/articles/active-directory-b2c/partner-onfido.md
@@ -4,167 +4,158 @@ titleSuffix: Azure AD B2C
 description: Learn how to integrate Azure AD B2C authentication with Onfido for document ID and facial biometrics verification 
 services: active-directory-b2c
 author: gargi-sinha
-manager: CelesteDG
+manager: martinco
 ms.reviewer: kengaderdus
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 08/03/2020
+ms.date: 12/8/2022
 ms.author: gasinh
 ms.subservice: B2C
 ---
 
 # Tutorial for configuring Onfido with Azure Active Directory B2C
 
-In this sample tutorial, we provide guidance on how to integrate Azure AD B2C with [Onfido](https://onfido.com/). Onfido is a document ID and facial biometrics verification app. It allows companies to meet *Know Your Customer* and identity requirements in real time. Onfido uses sophisticated AI-based identity verification, which first verifies a photo ID, then matches it against their facial biometrics. This solution ties a digital identity to their real-world person and provides a safe onboarding experience while reducing fraud.
+In this tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) with [Onfido](https://onfido.com/), a document ID and facial biometrics verification app. Use it to meet *Know Your Customer* and identity requirements. Onfido uses artificial intelligence (AI) technology that verifies identity by matching a photo ID with facial biometrics. The solution connects a digital identity to a person, provides a reliable onboarding experience, and helps reduce fraud.
 
-In this sample, we connect Onfido's service in the sign-up or login flow to do identity verification. Informed decisions about which product and service the user can access is made based on Onfido's results.
+In this tutorial, you'll enable the Onfido service to verify identity in the sign-up, or sign-in, flow. Onfido results inform decisions about which products or services the user accesses.
 
 ## Prerequisites
 
 To get started, you'll need:
 
-- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-
-- [An Azure AD B2C tenant](./tutorial-create-tenant.md) that is linked to your Azure subscription.
-
-- An Onfido [trial account](https://onfido.com/signup/).
+- An Azure AD subscription
+  - If you don't have on, you can get an [Azure free account](https://azure.microsoft.com/free/)
+- [An Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription
+- An Onfido trial account
+  - Go to onfido.com [Contact us](https://onfido.com/signup/) and fill out the form
 
 ## Scenario description
 
 The Onfido integration includes the following components:
 
-- Azure AD B2C tenant – The authorization server, responsible for verifying the user's credentials based on custom policies defined in the tenant. It's also known as the identity provider. It hosts the Onfido client app, which collects the user documents and transmits it to the Onfido API service.
+- **Azure AD B2C tenant** – The authorization server that verifies user credentials based on custom policies defined in the tenant. It's also known as the identity provider (IdP). It hosts the Onfido client app, which collects the user documents and transmits them to the Onfido API service.
+- **Onfido client** – A configurable, JavaScript client document-collection utility deployed in webpages. It checks details such as document size and quality.
+- **Intermediate REST API** – Provides endpoints for the Azure AD B2C tenant to communicate with the Onfido API service. It handles data processing and adheres to security requirements of both.
+- **Onfido API service** – The back-end service, which saves and verifies user documents.
 
-- Onfido client – A configurable JavaScript client document collection utility deployed within other webpages. Collects the documents and does preliminary checks like document size and quality.
+The following architecture diagram shows the implementation.
 
-- Intermediate REST API – Provides endpoints for the Azure AD B2C tenant to communicate with the Onfido API service, handling data processing and adhering to the security requirements of both.
+   ![Onfido architecture diagram.](media/partner-onfido/onfido-architecture-diagram.png)
 
-- Onfido API service – The backend service provided by Onfido, which saves and verifies the documents provided by the user.
 
-The following architecture diagram shows the implementation.
+1. User signs up to create a new account and enters attributes. Azure AD B2C collects the attributes. Onfido client app hosted in Azure AD B2C checks for the user information.
+2. Azure AD B2C calls the middle layer API and passes the attributes.
+3. Middle layer API collects attributes and converts them to an Onfido API format.
+4. Onfido processes attributes to validate user identification and sends result to the middle layer API.
+5. Middle layer API processes the results and sends relevant information to Azure AD B2C, in JavaScript Object Notation (JSON) format.
+6. Azure AD B2C receives the information. If the response fails, an error message appears. If the response succeeds, the user is authenticated and written into the directory.
 
-![screenshot for onfido-architecture-diagram](media/partner-onfido/onfido-architecture-diagram.png)
+## Create an Onfido account
 
-|Step | Description |
-|:-----| :-----------|
-| 1. | User arrives at a login page. User signs-up to create a new account and enters information into the page. Azure AD B2C collects the user attributes. Onfido client app hosted in Azure AD B2C does preliminary checks for the user information.
-| 2. | Azure AD B2C calls the middle layer API and passes on the user attributes.
-| 3. | Middle layer API collects user attributes and transforms it into a format that Onfido API could consume. Then, sends it to Onfido.
-| 4. | Onfido consumes the information and processes it to validate user identification. Then, it returns the result to the middle layer API.
-| 5. | Middle layer API processes the information and sends back relevant information in the correct JSON format to Azure AD B2C.
-| 6. | Azure AD B2C receives information back from middle layer API. If it shows a Failure response, an error message is displayed to user. If it shows a Success response, the user is authenticated and written into the directory.
+1. Create an Onfido account: go to onfido.com [Contact us](https://onfido.com/signup/) and fill out the form.
+2. Create an API key: go to [Get started (API v3.5)](https://documentation.onfido.com/). 
 
-## Onboard with Onfido
+>[!NOTE]
+> You'll need the key later.
 
-1. To create an Onfido account, contact [Onfido](https://onfido.com/signup/).
+### Onfido documentation
 
-2. Once an account is created, create an [API key](https://documentation.onfido.com/). Live keys are billable, however, you can use the [sandbox keys for testing](https://documentation.onfido.com/?javascript#sandbox-and-live-differences) the solution. The sandbox keys produce the same result structure as live keys, however, the results are always predetermined. Documents aren't processed or saved.
+Live keys are billable, however, you can use the sandbox keys for testing. Go to onfido.com for, [Sandbox and live differences](https://documentation.onfido.com/?javascript#sandbox-and-live-differences). The sandbox keys produce the same result structure as live keys, however, results are predetermined. Documents aren't processed or saved.
 
->[!NOTE]
-> You will need the key later.
+For more Onfido documentation, see:
 
-For more information about Onfido, see [Onfido API documentation](https://documentation.onfido.com) and [Onfido Developer Hub](https://developers.onfido.com).  
+* [Onfido API documentation](https://documentation.onfido.com)
+* [Onfido Developer Hub](https://developers.onfido.com)
 
 ## Configure Azure AD B2C with Onfido
 
-### Part 1 - Deploy the API
+### Deploy the API
 
-- Deploy the provided [API code](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/OnFido-Combined/API/Onfido.Api) to an Azure service. The code can be published from Visual Studio, following these [instructions](/visualstudio/deployment/quickstart-deploy-to-azure).
-- Set-up CORS, add **Allowed Origin** as https://{your_tenant_name}.b2clogin.com
+1. Deploy the API code to an Azure service. Go to [samples/OnFido-Combined/API/Onfido.Api/](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/OnFido-Combined/API/Onfido.Api). You can publish the code from Visual Studio.
+2. Set up cross-origin resource sharing (CORS).
+3. Add **Allowed Origin** as `https://{your_tenant_name}.b2clogin.com`.
 
 >[!NOTE]
->You'll need the URL of the deployed service to configure Azure AD with the required settings.
+>You'll need the deployed service URL to configure Azure AD.
 
 #### Adding sensitive configuration settings
 
-Application settings can be configured in the [App service in Azure](../app-service/configure-common.md#configure-app-settings). The App service allows for settings to be securely configured without checking them into a repository. The REST API needs the following settings:
+[Configure app settings](../app-service/configure-common.md#configure-app-settings) in the Azure App service without checking them into a repository. 
 
-| Application setting name | Source | Notes |
-|:-------------------------|:-------|:-------|
-|OnfidoSettings:AuthToken| Onfido Account |
+REST API settings:
 
-### Part 2 - Deploy the UI
+* **Application setting name**: OnfidoSettings:AuthToken
+* **Source**: Onfido Account
 
-#### Configure your storage location
+### Deploy the UI
 
-1. Set up a [blob storage container in your storage account](../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container)
-
-2. Store the UI files from the [UI folder](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/OnFido-Combined/UI) to your blob container.
-
-3. Allow CORS access to storage container you created by following these instructions:
-
-   a. Go to **Settings** >**Allowed Origin**, enter `https://{your_tenant_name}.b2clogin.com`. Replace your-tenant-name with the name of your Azure AD B2C tenant. For example, https://fabrikam.b2clogin.com. Use all lowercase letters when entering your tenant name.
-
-   b. For **Allowed Methods**, select `GET` and `PUT`.
+#### Configure your storage location
 
-   c. Select **Save**.
+1. In the Azure portal, [create a container](../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container).
+2. Store the UI files in [/samples/OnFido-Combined/UI](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/OnFido-Combined/UI), in your blob container.
+3. Allow CORS access to the storage container you created: Go to **Settings** >**Allowed Origin**.
+4. Enter `https://{your_tenant_name}.b2clogin.com`. 
+5. Replace your tenant name with your Azure AD B2C tenant name, using lower-case letters. For example, `https://fabrikam.b2clogin.com`. 
+6. For **Allowed Methods**, select `GET` and `PUT`.
+7. Select **Save**.
 
 #### Update UI files
 
-1. In the UI files, go to the folder [**ocean_blue**](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/OnFido-Combined/UI/ocean_blue)
-
+1. In the UI files, go to [samples/OnFido-Combined/UI/ocean_blue](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/OnFido-Combined/UI/ocean_blue).
 2. Open each html file.
-
-3. Find and replace `{your-ui-blob-container-url}` with the URL of where your UI **ocean_blue**, **dist**, and **assets** folders are located
-
-4. Find and replace `{your-intermediate-api-url}` with the URL of the intermediate API app service.
+3. Find `{your-ui-blob-container-url}`, and replace it with your UI **ocean_blue**, **dist**, and **assets** folder URLs.
+4. Find `{your-intermediate-api-url}`, and replace it with the intermediate API app service URL.
 
 #### Upload your files
 
-1. Store the UI files from the UI folder to your blob container.
-
-2. Use [Azure Storage Explorer](../virtual-machines/disks-use-storage-explorer-managed-disks.md) to manage your files and access permissions.
+1. Store the UI folder files in your blob container.
+2. [Use Azure Storage Explorer to manage Azure managed disks](../virtual-machines/disks-use-storage-explorer-managed-disks.md) and access permissions.
 
-### Part 3 - Configure Azure AD B2C
+### Configure Azure AD B2C
 
 #### Replace the configuration values
 
-In the provided [custom policies](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/OnFido-Combined/Policies), find the following placeholders and replace with the corresponding values from your instance.
+In [/samples/OnFido-Combined/Policies](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/OnFido-Combined/Policies), find the following placeholders and replace them with the corresponding values from your instance.
 
-| Placeholder | Replace with value | Example  |
-|:---------------|:----------------|:-------------------|
-| {your_tenant_name}  | Your tenant short name |  "yourtenant" from yourtenant.onmicrosoft.com |
-| {your_tenantID} | TenantID of your Azure AD B2C tenant | 01234567-89ab-cdef-0123-456789abcdef           |
-| {your_tenant_IdentityExperienceFramework_appid}        | App ID of the IdentityExperienceFramework app configured in your Azure AD B2C tenant      | 01234567-89ab-cdef-0123-456789abcdef         |
-| {your_tenant_ ProxyIdentityExperienceFramework _appid} | App ID of the ProxyIdentityExperienceFramework app configured in your Azure AD B2C tenant | 01234567-89ab-cdef-0123-456789abcdef         |
-| {your_tenant_extensions_appid}                         | App ID of your tenant's storage application                                      | 01234567-89ab-cdef-0123-456789abcdef         |
-| {your_tenant_extensions_app_objectid}                  | Object ID of your tenant's storage application                                   | 01234567-89ab-cdef-0123-456789abcdef         |
-| {your_app_insights_instrumentation_key} | Instrumentation key of your app insights instance*| 01234567-89ab-cdef-0123-456789abcdef|
-|{your_ui_file_base_url}| URL of the location where your UI **ocean_blue**, **dist**, and **assets** folders are located | https://yourstorage.blob.core.windows.net/UI/|
-| {your_app_service_URL}                                 | URL of the app service you've set up                                             | `https://yourapp.azurewebsites.net`          |
+|Placeholder|Replace with value|Example|
+|---|---|---|
+|{your_tenant_name}|Your tenant short name|"your tenant" from yourtenant.onmicrosoft.com|
+|{your_tenantID}|Your Azure AD B2C TenantID| 01234567-89ab-cdef-0123-456789abcdef|
+|{your_tenant_IdentityExperienceFramework_appid}|IdentityExperienceFramework app App ID configured in your Azure AD B2C tenant|01234567-89ab-cdef-0123-456789abcdef|
+|{your_tenant_ ProxyIdentityExperienceFramework_appid}|ProxyIdentityExperienceFramework app App ID configured in your Azure AD B2C tenant| 01234567-89ab-cdef-0123-456789abcdef|
+|{your_tenant_extensions_appid}|Your tenant storage application App ID| 01234567-89ab-cdef-0123-456789abcdef|
+|{your_tenant_extensions_app_objectid}|Your tenant storage application Object ID| 01234567-89ab-cdef-0123-456789abcdef|
+|{your_app_insights_instrumentation_key}|Your app insights instance* instrumentation key|01234567-89ab-cdef-0123-456789abcdef|
+|{your_ui_file_base_url}|Location URL of your UI folders **ocean_blue**, **dist**, and **assets**| `https://yourstorage.blob.core.windows.net/UI/`|
+|{your_app_service_URL}|The app service URL you set up|`https://yourapp.azurewebsites.net`|
 
-*App insights can be in a different tenant. This step is optional. Remove the corresponding TechnicalProfiles and OrchestrationSteps if not needed.
+*App insights can be in a different tenant. This step is optional. Remove the corresponding TechnicalProfiles and OrchestrationSteps, if they're not needed.
 
-### Part 4 - Configure the Azure AD B2C policy
+### Configure Azure AD B2C policy
 
-Refer to this [document](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) for instructions on how to set up your Azure AD B2C tenant and configure policies.
+See, [Custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) for instructions to set up your Azure AD B2C tenant and configure policies. Custom policies are a set of XML files you upload to your Azure AD B2C tenant to define technical profiles and user journeys.
 
 >[!NOTE]
-> As a best practice, we recommend that customers add consent notification in the attribute collection page. Notify users that information will be send to third-party services for Identity verification.
+>We recommend you add consent notification on the attribute collection page. Notify users that information goes to third-party services for identity verification.
 
 ## Test the user flow
 
-1. Open the Azure AD B2C tenant and under Policies select **Identity Experience Framework**.
-
-2. Select your previously created **SignUpSignIn**.
-
-3. Select **Run user flow** and select the settings:
-
-   a. **Application**: select the registered app (sample is JWT)
+1. Open the Azure AD B2C tenant.
+2. Under **Policies** select **Identity Experience Framework**.
+3. Select your previously created **SignUpSignIn**.
+4. Select **Run user flow**.
+5. For **Application**, select the registered app (example is JWT).
+6. For **Reply URL**, select the **redirect URL**.
+7. Select **Run user flow**.
+8. Complete the sign-up flow.
+9. Create an account.
+10. When the user attribute is created, Onfido is called during the flow. 
 
-   b. **Reply URL**: select the **redirect URL**
-
-   c. Select **Run user flow**.
-
-4. Go through sign-up flow and create an account
-
-5. Onfido service will be called during the flow, after user attribute is created. If the flow is incomplete, check that user isn't saved in the directory.
+>[!NOTE]
+>If the flow is incomplete, confirm the user is saved in the directory.
 
 ## Next steps
 
-For additional information, review the following articles:
-
 - [Custom policies in Azure AD B2C](./custom-policy-overview.md)
-
 - [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
