Improve answers to common partner questions

_data/errors.yml

@@ -73,7 +73,7 @@ oidc:
         ##### Why it's happening
         You have registered a redirect URI that cannot be parsed.
         ##### What to do:
-        - Check your application's configuration on the [Partner Portal](https://dashboard.int.identitysandbox.gov/){:target="_blank"}.
+        - Check your application's configuration on the [Partner Portal](https://portal.int.identitysandbox.gov/){:target="_blank"}.
         - Ensure that all registered redirect_uris are propertly formatted and use `https` protocol.
     - title: redirect_uri does not match registered redirect_uri
       id: oidc-redirect-match
@@ -82,7 +82,7 @@ oidc:
         ##### Why it's happening
         You have not registered the redirect_uri that you sent in your authentication request.
         ##### What to do:
-        - Check your application's configuration on the [Partner Portal](https://dashboard.int.identitysandbox.gov/){:target="_blank"} and the `redirect_uri` passed through your authentication request.
+        - Check your application's configuration on the [Partner Portal](https://portal.int.identitysandbox.gov/){:target="_blank"} and the `redirect_uri` passed through your authentication request.
         - Ensure the `redirect_uri` that you are sending as part of your authentication request is registered. You must register every redirect uri that your application redirects through.
     - title: Unauthorized scope
       id: oidc-unauthotized-scope
@@ -103,7 +103,7 @@ oidc:
         The issuer (also known as the client id) provided does not match a service provider registered in the IdP.
         ##### What to do:
         - Ensure the logout request has a `client_id` value.
-        - Ensure that the `client_id` sent in the logout request matches the one registered in your application on the [Partner Portal](https://dashboard.int.identitysandbox.gov/){:target="_blank"}.
+        - Ensure that the `client_id` sent in the logout request matches the one registered in your application on the [Partner Portal](https://portal.int.identitysandbox.gov/){:target="_blank"}.
         - Ensure that the integration configuration's `active` value is set to `true`.
     - title: client_id is missing
       id: client-id-missing
@@ -197,7 +197,7 @@ oidc:
         ##### Why it's happening
         There is no registered certificate that matches the signature of the `client_assertion` JWT that is being passed as part of the token. request.
         ##### What to do:
-        - Ensure that the public certificate that matches the private key used to sign the JWT is registered in your application's configuration in the [Partner Portal](https://dashboard.int.identitysandbox.gov/){:target="_blank"}.
+        - Ensure that the public certificate that matches the private key used to sign the JWT is registered in your application's configuration in the [Partner Portal](https://portal.int.identitysandbox.gov/){:target="_blank"}.
   userinfo:
     - title: Malformed Authorization header
       id: malformed-auth-header

_includes/support/faq_csp_violation.html

@@ -4,7 +4,7 @@ <h5>Background:</h5>
     <br/><br/>
     The <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action">CSP form-action</a> directive restricts which URLs can be used as the target of form submissions from a given context. Certain Chromium-based internet browsers (e.g. Google Chrome and Microsoft Edge) enforce the form-action directive through the entire redirect chain (if any). Other non-Chromium-based browsers only check the first redirect in the chain (e.g. Firefox). For Chromium-based browsers, upon form submission, any attempts to redirect to a url not explicitly listed as a form-action source will violate the CSP directive and cause a failure to load and a console error.
     <br/><br/>
-    This error occurs when Service Providers attempt to redirect users to a url that is not registered in the Redirect URLs field in the <a target="_blank" href="https://dashboard.int.identitysandbox.gov/">Partner Portal</a> application's configuration. All urls that users could be redirected to, even as a passthrough, need to be included in the list of Redirect URLs.
+    This error occurs when Service Providers attempt to redirect users to a url that is not registered in the Redirect URLs field in the <a target="_blank" href="https://portal.int.identitysandbox.gov/">Partner Portal</a> application's configuration. All urls that users could be redirected to, even as a passthrough, need to be included in the list of Redirect URLs.
 </p>
 <h5>Solution:</h5>
 <p>

_includes/support/faq_saml_signature.html

@@ -16,7 +16,7 @@ <h5> Check signature is present </h5>
 <p>
     If the <span class="text-bold">Signature</span> and <span class="text-bold">SigAlg</span> URL parameters (and associated values) are present, your authentication request is signed.
     <br/>
-    If the signature is not part of the URL, it may be part of the SAML request. To check this, you will need to decode the data sent via the <span class="text-bold">SAMLRequest</span> parameter. The easiest way to do this is the "SAML Tracer" browser plugin. Our <a class="usa-link" href="https://dashboard.int.identitysandbox.gov/tools/saml_request">web-based tool</a> can also help with this. Once decoded, you should see a section that contains all the relevant signature-related information and should be enclosed in a tag like:
+    If the signature is not part of the URL, it may be part of the SAML request. To check this, you will need to decode the data sent via the <span class="text-bold">SAMLRequest</span> parameter. The easiest way to do this is the "SAML Tracer" browser plugin. Our <a class="usa-link" href="https://portal.int.identitysandbox.gov/tools/saml_request">web-based tool</a> can also help with this. Once decoded, you should see a section that contains all the relevant signature-related information and should be enclosed in a tag like:
 </p>
 
 <div markdown="1">
@@ -39,7 +39,7 @@ <h5>Check the signature algorithm</h5>
 
 <h5>Check validity of signature</h5>
 <p>
-    There may be other reasons Login.gov cannot successfully validate your application’s signatures using the information you have provided in the Login.gov Partner Portal for the application. We have created a <a class="usa-link" href="https://dashboard.int.identitysandbox.gov/tools/saml_request"> web-based tool</a> that lets you check this easily.
+    There may be other reasons Login.gov cannot successfully validate your application’s signatures using the information you have provided in the Login.gov Partner Portal for the application. We have created a <a class="usa-link" href="https://portal.int.identitysandbox.gov/tools/saml_request"> web-based tool</a> that lets you check this easily.
     <br/><br/>
     If you find your signature cannot be validated using this process, you will have to investigate what may be causing these problems and make changes on your side until validation succeeds.
 </p>

_layouts/base.html

@@ -120,14 +120,14 @@ <h1 class="usa-logo" id="basic-logo">
                 </section>
               </div>
               <ul class="usa-nav__primary usa-accordion flex-justify">
-                <a href="https://dashboard.int.identitysandbox.gov/" class="mobile:display-block desktop:display-none usa-button flex-align-self-center" type="button">Go to portal</a>
+                <a href="https://portal.int.identitysandbox.gov/" class="mobile:display-block desktop:display-none usa-button flex-align-self-center" type="button">Go to portal</a>
                 {% include nav/list.html
                   links = site.data.nav.primary
                   li_class = 'usa-nav__primary-item'
                   subnav_ul_class = 'desktop:display-none usa-sidenav__sublist'
                 %}
                 <div class="desktop:margin-right-neg-2 grid-row flex-fill flex-justify-end">
-                  <a href="https://dashboard.int.identitysandbox.gov/" class="mobile:display-none desktop:display-inline usa-button flex-align-self-center" type="button">Go to portal</a>
+                  <a href="https://portal.int.identitysandbox.gov/" class="mobile:display-none desktop:display-inline usa-button flex-align-self-center" type="button">Go to portal</a>
                 </div>
               </ul>
             </div>

_pages/oidc/getting-started.md

@@ -56,15 +56,12 @@ The following implementation methods of OIDC are not supported by Login.gov for
 
 ### Set up a Sandbox account
 
-You are able to test authentication methods in real time with a testing account in our sandbox environment. To start, navigate to the [Login Partner Portal Sandbox](https://dashboard.int.identitysandbox.gov) and follow the steps below:
+You are able to test authentication methods in real time with a testing account in our sandbox environment. To start, follow the steps in the [Using the sandbox](https://developers.login.gov/testing/#using-the-sandbox) section to create your Login.gov sandbox account, your Team in the Partner Portal, and your app within your Team.
 
-- Select the “Sign-in” button to create a new account. Anyone with a .gov or .mil email address may request an account.
-- Create a new team - see [Testing](/testing/) page for instructions.
--  Create a certificate - before creating your configuration you'll need to create a certificate that will be used to sign your requests. You can create a certificate using openssl. The example command to create the certificate from your terminal is:
-    - `openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt`
-- Create a configuration, at which point you will need to decide between private_key_jwt or PKCE.
+If you chose to integrate your app using the OIDC private_key_jwt protocol, you will need to create a private key that will be used to sign your request to our token endpoint, and a corresponding public certificate that you will upload to your app in the Partner Portal. Login.gov will use your public certificate to verify the signature in your request.
+
+More details on how to create this public/private keypair are available in the [Creating a public certificate](https://developers.login.gov/testing/#creating-a-public-certificate) section of our Testing documentation.
 
-It is important to note that your Login.gov production account and your Login.gov sandbox account are two separate accounts.
 
 ### Auto-discovery
 

_pages/production.md

@@ -1,7 +1,7 @@
 ---
 title: Production deployment
 lead: >
-  Once you’ve set up your integration through [our portal](https://dashboard.int.identitysandbox.gov/) and tested, you can request deployment to the Login.gov production environment.
+  Once you’ve set up your integration through [our portal](https://portal.int.identitysandbox.gov/) and tested, you can request deployment to the Login.gov production environment.
 
 redirect_from:
   - /production-deployment/
@@ -35,7 +35,7 @@ Make sure you have the following items ready before you start the deployment pro
 
 -   [Signed Interagency Agreement (IAA) listing this integration ]({{ site.baseurl}}/production/#confirm-interagency-agreement-iaa)
 
--   A dedicated [integration configuration within the portal](https://dashboard.int.identitysandbox.gov/)
+-   A dedicated [integration configuration within the portal](https://portal.int.identitysandbox.gov/)
     * We recommend having two configurations, one that is intended for deployment to production and one which is purely for testing purposes.
     * All production urls should have .gov, .mil, or a dedicated .com address and point to an Authority to Operate (ATO) approved environment.
 
@@ -77,7 +77,7 @@ Before you can request deployment, you need to create a new and separate integra
 
 When you have the components required, follow these steps to create your production integration configuration:
 
-1.  [Create a new app on the](https://dashboard.int.identitysandbox.gov/) Login.gov Partner Portal. Select “Apps” from the top right menu, then select the “Create a new app” button.
+1.  [Create a new app on the](https://portal.int.identitysandbox.gov/) Login.gov Partner Portal. Select “Apps” from the top right menu, then select the “Create a new app” button.
 
 1. Choose an agency team for the app from the drop down menu.
 
@@ -137,7 +137,7 @@ Once you have:
 
 2. [Created a production configuration]({{site.baseurl}}/production/#production-configuration-process).
 
-3. Confirmed that you have a logo uploaded to your production configuration in the [Partner Portal](https://dashboard.int.identitysandbox.gov/). **An uploaded logo is required for the deployment process.**
+3. Confirmed that you have a logo uploaded to your production configuration in the [Partner Portal](https://portal.int.identitysandbox.gov/). **An uploaded logo is required for the deployment process.**
 
 You are ready to submit a launch request through the [Partner Support Help Desk](https://zendesk.login.gov). 
 
@@ -167,22 +167,34 @@ If you are rotating your application’s public/private keypair, or want to add
 
   **For OIDC integrations or SAML integrations sending signed requests:**
 
-  1.  Add the new certificate to the application portal configuration.
+  1. Generate your new public/private keypair.
 
-  2.  Contact Login.gov technical support and request certificate addition.
+  2. Upload your new public certificate in the Login.gov Portal production configuration for your app.
 
-  3.  Once certificate deployment is confirmed, rotate the key pair at your convenience.
+  3. Do **not** make **any other** changes on your end in your systems. Do **not** start using the new private key on your end.
 
-  4.  Once the new key pair is in use, please submit a request to remove the old certificate.
+  4. Submit a Zendesk ticket to ask us to deploy your new public certificate to production. As a reminder, it can take up to 2 weeks for us to process any production configuration changes.
+
+  5. Wait for us to confirm that your new certificate has been deployed to production.
+
+  6. Once we confirm your new certificate is available in production, test the existing Production app to make sure everything still works with the old certificate and private key. In other words, don't make any changes yet. At this point, we're just confirming that having multiple certificates in production on the Login.gov side is perfectly fine. The reason this is safe when requests are properly signed is because we use the signature of the  request to determine which public certificate to use.
+
+  7. Once you are confident everything is still working with the old setup, then you can start using the new private key on your end (the one that corresponds to the new cert you uploaded in step 2)
+
+  8. Test the app again with the new cert and private key to make sure everything still works.
+
+  9.  Once the new key pair is in use, please submit a request to remove the old certificate.
 
 
   **For SAML integrations not sending signed requests:**
 
-  1.  The final certificate rotation must be coordinated with Login.gov technical support.
+  1.  Watch this video to learn [How and Why to Sign your SAML Requests](https://www.youtube.com/watch?v=i3BzLQ_PULU)
+
+  2. If you're still not able to sign your requests, first make sure to test your new public/private keypair in your sandbox configuration by making sure it only contains your new public certificate, and removing all other certificates.
 
-  2.  Add the new certificate to the application portal configuration.
+  3. Follow the same steps in the section above, but in step 4, provide the reason why you are not able to sign your SAML requests, and a date and time during business hours where we can coordinate the deployment of your certificate to minimize downtime.
 
-  3.  Request coordination of the certificate rotation from Login.gov technical support.
+  3. Once we deploy your certificate, steps 6-8 above will not apply.
 
 
 {% capture expiration_date %}

_pages/testing.md

@@ -49,9 +49,9 @@ Please submit a support ticket through the [Partner Support Help Desk](https://z
 1. Visit the Partner Portal at [https://portal.int.identitysandbox.gov/](https://portal.int.identitysandbox.gov/).
 1. Click on "Sign in with Login.gov"
 1. Click on "I agree" on the "System use notification" page
-1. If you already have a Login.gov sandbox account, proceed to sign in. Otherwise, click on the "Create an account" option. Note that this will create an account in our sandbox environment, which is separate from any Login.gov production accounts you might have.
+1. If you already have a Login.gov **sandbox** account, proceed to sign in. Otherwise, click on the "Create an account" option. This will create an account in our sandbox environment, which is separate from any Login.gov production accounts you might have. Due to spam issues, we do not allow creating **sandbox** accounts with the following email domains: aol.com, bellsouth.net, outlook.com, and yahoo.com. This limitation does not apply to our production environment.
 1. Once you sign in or complete the account creation process, you should be signed into our Partner Portal, and you can proceed to set things up.
-1. If you're not already part of a Team in the Partner Portal, and you are creating an integration for the first time, then the first step is to create a Team. You can access the Teams page by clicking "Teams" in the top right navigation. Alternatively, under the
+1. If you're not already part of a Team in the Partner Portal, and you are creating an integration for the first time, then the first step is to create a Team. Note that only users with .gov or .mil emails can create Teams. You can access the Teams page by clicking "Teams" in the top right navigation. Alternatively, under the
 "Welcome to the Login.gov Partner Portal" section, you can click the "My teams" link, or the "View teams" button. The direct URL is [https://portal.int.identitysandbox.gov/teams](https://portal.int.identitysandbox.gov/teams).
 1. Create a new team by selecting the “Continue” button next to “Create your first team.” If you have previously created a team you can move on to the next step.
 1. If necessary, add users to that team by clicking the “Add user” button. This is the opportunity to add contractors or anyone without a .gov or a .mil email address.

_pages/user-experience/getting-started.md

@@ -26,7 +26,7 @@ sidenav:
 ---
 
 ##  Getting started
-There are several decisions during the integration process that affect how your users experience Login.gov. In this User Experience guide, we will outline what options you have available to your application, and the configurations in Login.gov [portal](https://dashboard.int.identitysandbox.gov/) that impact users.
+There are several decisions during the integration process that affect how your users experience Login.gov. In this User Experience guide, we will outline what options you have available to your application, and the configurations in Login.gov [portal](https://portal.int.identitysandbox.gov/) that impact users.
 
 {% capture button_ux %}
 [Design your application's sign-in and sign-out buttons]({{site.baseurl}}/user-experience/sign-in-sign-out/). This will include a [global sign-in button]({{site.baseurl}}/user-experience/sign-in-sign-out/), and optionally, [a sign-in page]({{site.baseurl}}/user-experience/sign-in-sign-out/) before the user is directed to Login.gov.
@@ -74,7 +74,7 @@ Optional: [Add FAQ content to inform users about Login.gov]({{site.baseurl}}/use
   </li>
 </ul>
 
-### Configure in the [portal](https://dashboard.int.identitysandbox.gov/)
+### Configure in the [portal](https://portal.int.identitysandbox.gov/)
 
 <ul class="usa-icon-list padding-bottom-4 padding-top-2">
  <li class="usa-icon-list__item">