Merge pull request #224603 from v-edmckillop/patch-90

prmerger-automator[bot] · web-flow · commit d3f3e36682d2 · 2023-01-23T17:17:07.000Z
Update partner-ping-identity.md
diff --git a/articles/active-directory-b2c/partner-ping-identity.md b/articles/active-directory-b2c/partner-ping-identity.md
@@ -9,7 +9,7 @@ ms.reviewer: kengaderdus
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 12/9/2022
+ms.date: 01/20/2023
 ms.author: gasinh
 ms.subservice: B2C
 ---
@@ -22,7 +22,7 @@ Many e-commerce sites and web applications exposed to the internet are deployed
 
 Generally, configurations include an authentication translation layer that externalizes the authentication from the web application. Reverse proxies provide the authenticated user context to the web applications, such as a header value in clear or digest form. The applications aren't using industry standard tokens such as Security Assertion Markup Language (SAML), OAuth, or Open ID Connect (OIDC). Instead, the proxy provides authentication context and maintains the session with the end-user agent such as browser or native application. As a service running as a man-in-the-middle, proxies provide significant session control. The proxy service is efficient and scalable, not a bottleneck for applications behind the proxy service. The diagram is a reverse-proxy implementation and communications flow.
 
-   ![Reverse proxy implementation](./media/partner-ping/reverse-proxy.png)
+   ![Diagram of the reverse proxy implementation.](./media/partner-ping/reverse-proxy.png)
 
 ## Modernization
 
@@ -45,7 +45,7 @@ Proxies support the modern authentication protocols and use the redirect-based (
 In Azure AD B2C, you define policies that drive user experiences and behaviors, also called user journeys. Each such policy exposes a protocol endpoint that can perform the authentication as an IdP. On the application side, there's no special handling required for certain policies. An application makes a standard authentication request to the protocol-specific authentication endpoint exposed by a policy.  
 You can configure Azure AD B2C to share the same issuer across policies or unique issuer for each policy. Each application can point to policies by making a protocol-native authentication request, which drives user behaviors such as sign-in, sign-up, and profile edits. The diagram shows OIDC and SAML application workflows.
 
-  ![O I D C and S A M L implementation](./media/partner-ping/azure-ad-identity-provider.png)
+  ![Diagram of the OIDC and SAML application workflows.](./media/partner-ping/azure-ad-identity-provider.png)
 
 The scenario can be challenging for the legacy applications to redirect the user accurately. The access request to the applications might not include the user experience context. In most cases, the proxy layer, or an integrated agent on the web application, intercepts the access request.
 
@@ -55,27 +55,27 @@ You can deploy PingAccess as the reverse proxy. PingAccess intercepts a direct r
 
 Configure PingAccess with OIDC, OAuth2, or SAML for authentication with an upstream authentication provider. You can configure an upstream IdP for this purpose on the PingAccess server. See the following diagram.
 
-   ![PingAccess with O I D C implementation](./media/partner-ping/authorization-flow.png)
+   ![Diagram of an upstream IDP on a PingAccess server.](./media/partner-ping/authorization-flow.png)
 
 In a typical Azure AD B2C deployment with policies exposing IdPs, there's a challenge. PingAccess is configured with one, upstream IdP.  
 
 ### PingFederate federation proxy
 
-You can configure PingFederate as an authentication provider, or a proxy. for upstream IdPs. See the following diagram.
+You can configure PingFederate as an authentication provider, or a proxy, for upstream IdPs. See the following diagram.
 
-   ![PingFederate implementation](./media/partner-ping/pingfederate.png)
+   ![Diagram of PingFederate configured an authentication provider, or a proxy, for upstream IDPs.](./media/partner-ping/pingfederate.png)
 
 Use this function to contextually, dynamically, or declaratively switch an inbound request to an Azure AD B2C policy. See the following diagram of protocol sequence flow.
 
-   ![image shows the PingAccess and PingFederate workflow](./media/partner-ping/pingaccess-pingfederate-workflow.png)
+   ![Diagram of the protocol sequence flow for PingAccess, PingFederate, Azure AD B2C, and the applicaiton.](./media/partner-ping/pingaccess-pingfederate-workflow.png)
 
 ## Prerequisites
 
 To get started, you'll need:
 
 - An Azure subscription
   - If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
-- An [Azure AD B2C tenant](/tutorial-create-tenant.md) linked to your Azure subscription
+- An [Azure AD B2C tenant](tutorial-create-tenant.md) linked to your Azure subscription
 - PingAccess and PingFederate deployed in Docker containers or on Azure virtual machines (VMs)
 
 ## Connectivity and communication
@@ -93,15 +93,15 @@ Confirm the following connectivity and communication.
 
 You can use basic user flows or advanced Identity Enterprise Framework (IEF) policies. PingAccess generates the metadata endpoint, based on the issuer value, by using the [WebFinger](https://tools.ietf.org/html/rfc7033) protocol for discovery convention. To follow this convention, update the Azure AD B2C issuer using user-flow policy properties.
 
-   ![image shows the token settings](./media/partner-ping/token-setting.png)
+   ![Screenshot of the subject sub claim URL on the Token compatibility dialog.](./media/partner-ping/token-setting.png)
 
 In the advanced policies, configuration includes the IssuanceClaimPattern metadata element to AuthorityWithTfp value in the [JWT token issuer technical profile](./jwt-issuer-technical-profile.md).
 
 ## Configure PingAccess and PingFederate
 
 Use the instructions in the following sections to configure PingAccess and PingFederate. See the following diagram of the overall integration user flow.
 
-   ![PingAccess and PingFederate integration](./media/partner-ping/pingaccess.png)
+   ![Diagram of the PingAccess and PingFederate integration user flow](./media/partner-ping/pingaccess.png)
 
 ### Configure PingFederate as the token provider
 
@@ -116,7 +116,7 @@ Use the following instructions to create a PingAccess application for the target
 #### Create a virtual host
 
 >[!IMPORTANT]
->Create a virtual host for every application. For more information, see [What can I configure with PingAccess?]([https://docs.pingidentity.com/bundle/pingaccess-43/page/reference/pa_c_KeyConsiderations.html](https://docs.pingidentity.com/bundle/pingaccess-71/page/kkj1564006722708.html).
+>Create a virtual host for every application. For more information, see [What can I configure with PingAccess?]([https://docs.pingidentity.com/bundle/pingaccess-43/page/reference/pa_c_KeyConsiderations.html].
 
 To create a virtual host:
 
