Commit f48f705

Merge branch 'main' into asr-gitIssues
2 parents 63b2dc2 + 518ad9a commit f48f705

136 files changed

+1107
-662
lines changed

Lines changed: 137 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,137 @@
1+
---
2+
title: Azure Active Directory SSO integration with Descartes
3+
description: Learn how to configure single sign-on between Azure Active Directory and Descartes.
4+
services: active-directory
5+
author: jeevansd
6+
manager: CelesteDG
7+
ms.reviewer: CelesteDG
8+
ms.service: active-directory
9+
ms.subservice: saas-app-tutorial
10+
ms.workload: identity
11+
ms.topic: how-to
12+
ms.date: 01/16/2023
13+
ms.author: jeedes
14+
15+
---
16+
17+
# Azure Active Directory SSO integration with Descartes
18+
19+
In this article, you'll learn how to integrate Descartes with Azure Active Directory (Azure AD). The Descartes application provides logistics information services to delivery sensitive companies around the world. As an integrated suite it provides modules for various logistics business roles. When you integrate Descartes with Azure AD, you can:
20+
21+
* Control in Azure AD who has access to Descartes.
22+
* Enable your users to be automatically signed-in to Descartes with their Azure AD accounts.
23+
* Manage your accounts in one central location - the Azure portal.
24+
25+
You'll configure and test Azure AD single sign-on for Descartes in a test environment. Descartes supports both **SP** and **IDP** initiated single sign-on and also supports **Just In Time** user provisioning.
26+
27+
> [!NOTE]
28+
> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
29+
30+
## Prerequisites
31+
32+
To integrate Azure Active Directory with Descartes, you need:
33+
34+
* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
35+
* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
36+
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
37+
* Descartes single sign-on (SSO) enabled subscription.
38+
39+
## Add application and assign a test user
40+
41+
Before you begin the process of configuring single sign-on, you need to add the Descartes application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.
42+
43+
### Add Descartes from the Azure AD gallery
44+
45+
Add Descartes from the Azure AD application gallery to configure single sign-on with Descartes. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).
46+
47+
### Create and assign Azure AD test user
48+
49+
Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.
50+
51+
Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).
52+
53+
## Configure Azure AD SSO
54+
55+
Complete the following steps to enable Azure AD single sign-on in the Azure portal.
56+
57+
1. In the Azure portal, on the **Descartes** application integration page, find the **Manage** section and select **single sign-on**.
58+
1. On the **Select a single sign-on method** page, select **SAML**.
59+
1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
60+
61+
![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
62+
63+
1. On the **Basic SAML Configuration** section, the user doesn't have to perform any step as the app is already pre-integrated with Azure.
64+
65+
1. If you want to configure **SP** initiated SSO, then perform the following step:
66+
67+
In the **Relay State** textbox, type the URL:
68+
`https://auth.gln.com/Welcome`
69+
70+
1. Descartes application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
71+
72+
![Screenshot shows the image of attributes configuration.](common/default-attributes.png "Image")
73+
74+
1. In addition to above, Descartes application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
75+
76+
| Name | Source Attribute|
77+
| ---------------| --------- |
78+
| telephone | user.telephonenumber |
79+
| facsimiletelephonenumber | user.facsimiletelephonenumber |
80+
| ou | user.department |
81+
| assignedRoles | user.assignedroles |
82+
| Group | user.groups |
83+
84+
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
85+
86+
![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
87+
88+
1. Compose a list of the Azure AD Groups you want the Descartes Application use for the Role-based configuration. A list of User Roles Descartes application modules can be found at https://www.gln.com/docs/Descartes_Application_User_Roles.pdf. You can find the Azure Active Direction Group GUIDs please download the Groups from your Azure AD Portal Groups.
89+
90+
![Screenshot shows the AAD Portal Groups.](media/descartes-tutorial/copy-groups.png "Groups")
91+
92+
You can load this CSV file in Excel. Please select the groups that you want map to the Descartes application roles by list the ID in the first column and associating it with the Descartes Application User Role.
93+
94+
## Configure Descartes SSO
95+
96+
To configure single sign-on on **Descartes** side, you need to email the following values to the [Descartes support team](mailto:[email protected]). Please use the subject Azure AD SSO Setup request as the subject.
97+
98+
1. The preferred identity domain suffix (often the same as the E-mail domain suffix).
99+
1. The App Federation Metadata URL.
100+
1. A list with the Azure AD Group GUIDs for users entitled to use the Descartes application.
101+
102+
Descartes will use the information in the E-mail to have the SAML SSO connection set properly on the application side.
103+
104+
An example of such a request below:
105+
106+
![Screenshot shows the example of the request.](media/descartes-tutorial/example.png "Request")
107+
108+
### Create Descartes test user
109+
110+
In this section, a user called B.Simon is created in Descartes. Descartes supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Descartes, a new one is commonly created after authentication.
111+
112+
Descartes application use domain qualified usernames for your Azure AD integrated users. The domain qualified usernames consist of the SAML claim subject and will always end with the domain suffix. Descartes recommends selecting your companies E-mail domain suffix all users in the domain have in common as the identity domain suffix (example [email protected]).
113+
114+
## Test SSO
115+
116+
In this section, you test your Azure AD single sign-on configuration with following options.
117+
118+
#### SP initiated:
119+
120+
* Click on **Test this application** in Azure portal. This will redirect to Descartes Sign-on URL where you can initiate the login flow. Alternatively you can use a 'deep link' URL into a specific module of the Descartes application, and you will be redirected to a page to provide your domain qualified username which will lead you to your Azure AD login dialog.
121+
122+
* Go to Descartes application direct access URL provided and initiate the login flow by specifying your domain qualified username ([email protected]) in the application login window. This will redirect the user automatically to Azure AD.
123+
124+
#### IDP initiated:
125+
126+
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Descartes application menu for which you set up the SSO.
127+
128+
* You can also use Microsoft My Apps to test the application in any mode. When you click the Descartes tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Descartes for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
129+
130+
## Additional resources
131+
132+
* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
133+
* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).
134+
135+
## Next steps
136+
137+
Once you configure Descartes you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
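Review bot: The last sentence of the step at added line 88 is not a usable instruction: "You can find the Azure Active Direction Group GUIDs please download the Groups from your Azure AD Portal Groups" misnames the product and runs two clauses together. These group GUIDs are what gets mapped to Descartes application roles (line 92) and sent to Descartes support (line 100), so the step should be unambiguous, for example "To find the Azure Active Directory group GUIDs, download the group list from the Groups page in the Azure portal." Smaller wording points in the same file: line 96 says "use the subject ... as the subject", line 112 has "companies" where "company's" is meant, and line 137 reads "protects exfiltration" where "protects against" is meant.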

articles/active-directory/saas-apps/toc.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -664,6 +664,8 @@
664664
href: degreed-tutorial.md
665665
- name: Deputy
666666
href: deputy-tutorial.md
667+
- name: Descartes
668+
href: descartes-tutorial.md
667669
- name: desknet's NEO
668670
href: desknets-neo-tutorial.md
669671
- name: Deskradar

articles/aks/azure-disk-customer-managed-keys.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -68,7 +68,7 @@ Use the DiskEncryptionSet and resource groups you created on the prior steps, an
6868

6969
```azurecli-interactive
7070
# Retrieve the DiskEncryptionSet value and set a variable
71-
$desIdentity=az disk-encryption-set show -n myDiskEncryptionSetName -g myResourceGroup --query "[identity.principalId]" -o tsv
71+
desIdentity=$(az disk-encryption-set show -n myDiskEncryptionSetName -g myResourceGroup --query "[identity.principalId]" -o tsv)
7272
7373
# Update security policy settings
7474
az keyvault set-policy -n myKeyVaultName -g myResourceGroup --object-id $desIdentity --key-permissions wrapkey unwrapkey get
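Review bot: Line 74 (unchanged context) consumes the variable set on line 71 as `--object-id $desIdentity`, unquoted and with no check that the lookup returned a value, so if `az disk-encryption-set show` fails or returns nothing, `az keyvault set-policy` still runs with a missing `--object-id` value. Now that the assignment is in Bash `$(...)` form, quote the expansion as "$desIdentity" and consider a one-line guard that stops when it is empty. The removed `$desIdentity=az ...` form was PowerShell-style, so it would also help to state above the fence that the block is written for Bash.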
@@ -83,7 +83,7 @@ Create a **new resource group** and AKS cluster, then use your key to encrypt th
8383
8484
```azurecli-interactive
8585
# Retrieve the DiskEncryptionSet value and set a variable
86-
$diskEncryptionSetId=az disk-encryption-set show -n mydiskEncryptionSetName -g myResourceGroup --query "[id]" -o tsv
86+
diskEncryptionSetId=$(az disk-encryption-set show -n mydiskEncryptionSetName -g myResourceGroup --query "[id]" -o tsv)
8787
8888
# Create a resource group for the AKS cluster
8989
az group create -n myResourceGroup -l myAzureRegionName
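Review bot: Line 86 uses `-n mydiskEncryptionSetName` while line 71 of the same file uses `-n myDiskEncryptionSetName`; pick one spelling of the placeholder so a reader substituting a real name replaces both consistently. The comment on line 85 is also word-for-word the same as the one on line 70, although this command retrieves the resource `id` rather than `identity.principalId`; something like "Retrieve the DiskEncryptionSet resource ID and set a variable" would tell the two apart.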

articles/aks/best-practices.md

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -9,19 +9,19 @@ ms.date: 03/09/2021
99

1010
# Cluster operator and developer best practices to build and manage applications on Azure Kubernetes Service (AKS)
1111

12-
Building and running applications successfully in Azure Kubernetes Service (AKS) require understanding and implementation of some key considerations, including:
12+
Building and running applications successfully in Azure Kubernetes Service (AKS) requires understanding and implementation of some key concepts, including:
1313

1414
* Multi-tenancy and scheduler features.
1515
* Cluster and pod security.
1616
* Business continuity and disaster recovery.
1717

18-
The AKS product group, engineering teams, and field teams (including global black belts [GBBs]) contributed to, wrote, and grouped the following best practices and conceptual articles. Their purpose is to help cluster operators and developers understand the considerations above and implement the appropriate features.
18+
The AKS product group, engineering teams, and field teams (including global black belts [GBBs]) contributed to, wrote, and grouped the following best practices and conceptual articles. Their purpose is to help cluster operators and developers better understand the concepts above and implement the appropriate features.
1919

2020
## Cluster operator best practices
2121

22-
As a cluster operator, work together with application owners and developers to understand their needs. You can then use the following best practices to configure your AKS clusters as needed.
22+
If you're a cluster operator, work with application owners and developers to understand their needs. Then, you can use the following best practices to configure your AKS clusters to fit your needs.
2323

24-
**Multi-tenancy**
24+
### Multi-tenancy
2525

2626
* [Best practices for cluster isolation](operator-best-practices-cluster-isolation.md)
2727
* Includes multi-tenancy core components and logical isolation with namespaces.
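Review bot: The hunk header context still shows `ms.date: 03/09/2021`, and none of the visible hunks in this file touch it, although the intro, the section leads and the headings are all reworded; update `ms.date` if this is meant as a content refresh. On line 22, "work with application owners and developers to understand their needs" is followed by "configure your AKS clusters to fit your needs", which switches whose needs are meant; keep "their" or drop the trailing phrase.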
@@ -32,7 +32,7 @@ As a cluster operator, work together with application owners and developers to u
3232
* [Best practices for authentication and authorization](operator-best-practices-identity.md)
3333
* Includes integration with Azure Active Directory, using Kubernetes role-based access control (Kubernetes RBAC), using Azure RBAC, and pod identities.
3434

35-
**Security**
35+
### Security
3636

3737
* [Best practices for cluster security and upgrades](operator-best-practices-cluster-security.md)
3838
* Includes securing access to the API server, limiting container access, and managing upgrades and node reboots.
@@ -41,30 +41,30 @@ As a cluster operator, work together with application owners and developers to u
4141
* [Best practices for pod security](developer-best-practices-pod-security.md)
4242
* Includes securing access to resources, limiting credential exposure, and using pod identities and digital key vaults.
4343

44-
**Network and storage**
44+
### Network and storage
4545

4646
* [Best practices for network connectivity](operator-best-practices-network.md)
4747
* Includes different network models, using ingress and web application firewalls (WAF), and securing node SSH access.
4848
* [Best practices for storage and backups](operator-best-practices-storage.md)
4949
* Includes choosing the appropriate storage type and node size, dynamically provisioning volumes, and data backups.
5050

51-
**Running enterprise-ready workloads**
51+
### Running enterprise-ready workloads
5252

5353
* [Best practices for business continuity and disaster recovery](operator-best-practices-multi-region.md)
5454
* Includes using region pairs, multiple clusters with Azure Traffic Manager, and geo-replication of container images.
5555

5656
## Developer best practices
5757

58-
As a developer or application owner, you can simplify your development experience and define require application performance needs.
58+
If you're a developer or application owner, you can simplify your development experience and define required application performance features.
5959

6060
* [Best practices for application developers to manage resources](developer-best-practices-resource-management.md)
6161
* Includes defining pod resource requests and limits, configuring development tools, and checking for application issues.
6262
* [Best practices for pod security](developer-best-practices-pod-security.md)
6363
* Includes securing access to resources, limiting credential exposure, and using pod identities and digital key vaults.
6464

65-
## Kubernetes / AKS concepts
65+
## Kubernetes and AKS concepts
6666

67-
To help understand some of the features and components of these best practices, you can also see the following conceptual articles for clusters in Azure Kubernetes Service (AKS):
67+
The following conceptual articles cover some of the fundamental features and components for clusters in AKS:
6868

6969
* [Kubernetes core concepts](concepts-clusters-workloads.md)
7070
* [Access and identity](concepts-identity.md)
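Review bot: Line 58 now reads "define required application performance features"; correcting "require" to "required" is right, but replacing "needs" with "features" changes the meaning, since the linked article on line 60 is about pod resource requests and limits, which are requirements rather than features. Suggest "define required application performance needs" or "define application performance requirements".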

articles/automation/automation-alert-metric.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ Alerts allow you to define a condition to monitor for and an action to take when
2929

3030
2. The **Configure signal logic** page is where you define the logic that triggers the alert. Under the historical graph you are presented with two dimensions, **Runbook Name** and **Status**. Dimensions are different properties for a metric that can be used to filter results. For **Runbook Name**, select the runbook you want to alert on or leave blank to alert on all runbooks. For **Status**, select a status from the drop-down you want to monitor for. The runbook name and status values that appear in the dropdown are only for jobs that have ran in the past week.
3131

32-
If you want to alert on a status or runbook that isn't shown in the dropdown, click the **Add custom value** option next to the dimension. This action opens a dialog that allows you to specify a custom value, which hasn't emitted for that dimension recently. If you enter a value that doesn't exist for a property your alert won't be triggered.
32+
If you want to alert on a status or runbook that isn't shown in the dropdown, click the **Add custom value** option next to the dimension. This action opens a dialog that allows you to specify a custom value, which hasn't emitted for that dimension recently. If you enter a value that doesn't exist for a property your alert won't be triggered.For list of job statuses, see [Job statuses](automation-runbook-execution.md#job-statuses).
3333

3434
> [!NOTE]
3535
> If you don't specify a name for the **Runbook Name** dimension, if there are any runbooks that meet the status criteria, which includes hidden system runbooks, you will receive an alert.
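Review bot: Line 32 appends the new sentence with no space after the preceding period and without an article: "triggered.For list of job statuses". Change it to "won't be triggered. For a list of job statuses, see [Job statuses](automation-runbook-execution.md#job-statuses)." so the link reads as its own sentence.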
