Merge pull request #85051 from v-viinde/servicechannelroleupdate

GitHubber17 · web-flow · commit e03206729e56 · 2019-08-12T16:00:08.000-07:00
Product Backlog Item 789512: SaaS App Tutorial: ServiceChannel Role L…
diff --git a/articles/active-directory/saas-apps/servicechannel-tutorial.md b/articles/active-directory/saas-apps/servicechannel-tutorial.md
@@ -14,33 +14,32 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: tutorial
-ms.date: 03/25/2019
+ms.date: 08/12/2019
 ms.author: jeedes
 
 ms.collection: M365-identity-device-management
 ---
-# Tutorial: Azure Active Directory integration with ServiceChannel
 
-In this tutorial, you learn how to integrate ServiceChannel with Azure Active Directory (Azure AD).
-Integrating ServiceChannel with Azure AD provides you with the following benefits:
+# Tutorial: Integrate ServiceChannel with Azure Active Directory
 
-* You can control in Azure AD who has access to ServiceChannel.
-* You can enable your users to be automatically signed-in to ServiceChannel (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
+In this tutorial, you'll learn how to integrate ServiceChannel with Azure Active Directory (Azure AD). When you integrate ServiceChannel with Azure AD, you can:
 
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to ServiceChannel.
+* Enable your users to be automatically signed-in to ServiceChannel with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
 
 ## Prerequisites
 
-To configure Azure AD integration with ServiceChannel, you need the following items:
+To get started, you need the following items:
 
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* ServiceChannel single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* ServiceChannel single sign-on (SSO) enabled subscription.
 
 ## Scenario description
 
-In this tutorial, you configure and test Azure AD single sign-on in a test environment.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
 
 * ServiceChannel supports **IDP** initiated SSO
 * ServiceChannel supports **Just In Time** user provisioning
@@ -49,61 +48,40 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
 
 To configure the integration of ServiceChannel into Azure AD, you need to add ServiceChannel from the gallery to your list of managed SaaS apps.
 
-**To add ServiceChannel from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
-	![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
-	![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
-	![The New application button](common/add-new-app.png)
-
-4. In the search box, type **ServiceChannel**, select **ServiceChannel** from result panel then click **Add** button to add the application.
+1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **ServiceChannel** in the search box.
+1. Select **ServiceChannel** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
 
-	![ServiceChannel in the results list](common/search-new-app.png)
 
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD single sign-on for ServiceChannel
 
-In this section, you configure and test Azure AD single sign-on with ServiceChannel based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in ServiceChannel needs to be established.
+Configure and test Azure AD SSO with ServiceChannel using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ServiceChannel.
 
-To configure and test Azure AD single sign-on with ServiceChannel, you need to complete the following building blocks:
+To configure and test Azure AD SSO with ServiceChannel, complete the following building blocks:
 
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure ServiceChannel Single Sign-On](#configure-servicechannel-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create ServiceChannel test user](#create-servicechannel-test-user)** - to have a counterpart of Britta Simon in ServiceChannel that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+	1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+	1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+2. **[Configure ServiceChannel SSO](#configure-servicechannel-sso)** - to configure the Single Sign-On settings on application side.
+	1. **[Create ServiceChannel test user](#create-servicechannel-test-user)** - to have a counterpart of B.Simon in ServiceChannel that is linked to the Azure AD representation of user.
+3. **[Test SSO](#test-sso)** - to verify whether the configuration works.
 
-### Configure Azure AD single sign-on
+## Configure Azure AD SSO
 
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal.
 
-To configure Azure AD single sign-on with ServiceChannel, perform the following steps:
+1. In the [Azure portal](https://portal.azure.com/), on the **ServiceChannel** application integration page, find the **Manage** section and select **Single sign-on**.
+1. On the **Select a Single sign-on method** page, select **SAML**.
+1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
 
-1. In the [Azure portal](https://portal.azure.com/), on the **ServiceChannel** application integration page, select **Single sign-on**.
+   ![Edit Basic SAML Configuration](common/edit-urls.png)
 
-    ![Configure single sign-on link](common/select-sso.png)
+1. On the **Basic SAML Configuration** section, perform the following steps:
 
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
-    ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
-	![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
-
-    ![ServiceChannel Domain and URLs single sign-on information](common/idp-intiated.png)
-
-    a. In the **Identifier** text box, type the value as:
+      a. In the **Identifier** text box, type the value as:
     `http://adfs.<domain>.com/adfs/service/trust`
 
     b. In the **Reply URL** text box, type a URL using the following pattern:
@@ -114,12 +92,12 @@ To configure Azure AD single sign-on with ServiceChannel, perform the following
 
 5. Your ServiceChannel application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. ServiceChannel application expects **nameidentifier** to be mapped with **user.mail**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping.
 
-	You can refer ServiceChannel guide [here](https://servicechannel.zendesk.com/hc/en-us/articles/217514326-Azure-AD-Configuration-Example) for more guidance on claims.
+	You can refer ServiceChannel guide [here](https://servicechannel.zendesk.com/hc/articles/217514326-Azure-AD-Configuration-Example) for more guidance on claims.
 
 	![image](common/edit-attribute.png)
 
 	> [!NOTE]
-	> See [Manage access using RBAC and the Azure portal](../../role-based-access-control/role-assignments-portal.md) to learn how to configure **Role** in Azure AD.
+	> Refer this [link](https://docs.microsoft.com/azure/active-directory/develop/active-directory-enterprise-app-role-management) to learn how to configure **Role** in Azure AD.
 
 6. In addition to above, if you are planning to enable Just In Time user provisioning, then you should add the following claims as shown below. **Role** claim needs to be mapped to **user.assignedroles** which contains the role of the user. In the **User Claims** section on the **User Attributes** dialog, perform the following steps to add SAML token attribute as shown in the below table:
 
@@ -145,89 +123,63 @@ To configure Azure AD single sign-on with ServiceChannel, perform the following
 
 	g. Click **Save**.
 
-7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
+4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section,  find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
 
 	![The Certificate download link](common/certificatebase64.png)
 
-8. On the **Set up ServiceChannel** section, copy the appropriate URL(s) as per your requirement.
+6. On the **Set up ServiceChannel** section, copy the appropriate URL(s) based on your requirement.
 
 	![Copy configuration URLs](common/copy-configuration-urls.png)
 
-	a. Login URL
-
-	b. Azure AD Identifier
-
-	c. Logout URL
-
-### Configure ServiceChannel Single Sign-On
-
-To configure single sign-on on **ServiceChannel** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [ServiceChannel support team](https://servicechannel.zendesk.com/hc/en-us). They set this setting to have the SAML SSO connection set properly on both sides.
-
 ### Create an Azure AD test user
 
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
-    ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
-    ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
+In this section, you'll create a test user in the Azure portal called B.Simon.
 
-    ![The User dialog box](common/user-properties.png)
-
-    a. In the **Name** field enter **BrittaSimon**.
-  
-    b. In the **User name** field type `brittasimon@yourcompanydomain.extension`  
-    For example, BrittaSimon@contoso.com
-
-    c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
-    d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+	1. In the **Name** field, enter `B.Simon`.  
+	1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+	1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+	1. Click **Create**.
 
 ### Assign the Azure AD test user
 
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to ServiceChannel.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ServiceChannel**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ServiceChannel.
 
-	![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **ServiceChannel**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
 
-2. In the applications list, select **ServiceChannel**.
+   	![The "Users and groups" link](common/users-groups-blade.png)
 
-	![The ServiceChannel link in the Applications list](common/all-applications.png)
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
 
-3. In the menu on the left, select **Users and groups**.
+	![The Add User link](common/add-assign-user.png)
 
-    ![The "Users and groups" link](common/users-groups-blade.png)
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
 
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+## Configure ServiceChannel SSO
 
-    ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **ServiceChannel** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [ServiceChannel support team](https://servicechannel.zendesk.com/hc/). They set this setting to have the SAML SSO connection set properly on both sides.
 
 ### Create ServiceChannel test user
 
-Application supports Just in time user provisioning and after authentication users will be created in the application automatically. For full user provisioning, please contact [ServiceChannel support team](https://servicechannel.zendesk.com/hc/en-us)
+Application supports Just in time user provisioning and after authentication users will be created in the application automatically. For full user provisioning, please contact [ServiceChannel support team](https://servicechannel.zendesk.com/hc/).
 
-### Test single sign-on
+## Test SSO 
 
 In this section, you test your Azure AD single sign-on configuration using the Access Panel.
 
 When you click the ServiceChannel tile in the Access Panel, you should be automatically signed in to the ServiceChannel for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
 
 ## Additional Resources
 
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
-- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
-- [What is Conditional Access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
