Tutorial: How to Integrate Microsoft AD FS with Valigov
Updated over a year ago
⚠️ Requirements:

Microsoft Active Directory Federation Services (AD FS) 2.0 RTW running on Microsoft Windows Server 2012 R2 or later.

1. Open the AD FS Management console (under Control Panel > System and Security > Administrative Tasks).

2. Under the Actions pane (on the right side), click Add Relying Party Trust...

3. On the Select Data Source page, select Enter data about the relying party manually and click Next.

4. On the Specify Display Name page, type Valigov Enforce in the Display Name field and click Next.

5. On the Choose Profile page, select AD FS Profile and click Next.

6. On the Configure Certificate page, click Next.

7. On the Configure URL page, check Enable support for the SAML 2.0 WebSSO protocol. In the Relying party SAML 2.0 SSO service URL field, type https://app.valigov.com/sso/consume/

8. On the Configure Identifiers page, in the Relying party trust identifier field, type https://app.valigov.com and click Add, then click Next.

9. On the Configure Multi-factor Authentication page, select the option appropriate for your organization.

Note: Valimail also supports multi-factor authentication within the Account Settings user interface, if you choose to enable it there instead of in AD FS.

10. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party. User access to the application should be controlled via the user account listing in the Valimail Account Settings page.

11. On the Finish page, check the Open the Edit Claims Rules dialog..., and click Close. The Edit Claims Rules window will open.

12. On the Issuance Transform Rules tab, click Add Rule.

13. On the Choose Rule Type page, select Send LDAP Attributes as Claims and click Next.

14. For Claim rule name, type Valimail-1; for Attribute store, select Active Directory; then add the three (3) mappings listed below in the LDAP Mapping table (left side is the LDAP Attribute, right side is the Outgoing Claim Type):

On the left side, select E-Mail-Addresses; on the right side, type Email

On the left side, select Given-Name; on the right side, type FirstName

On the left side, select Surname; on the right side, type LastName

Then click Finish.

15. Click Add Rule again, and select Transform an Incoming Claim, then click Next.

16. For Claim rule name, type Valimail-2. For Incoming claim type, type Email (this must exactly match the outgoing claim type you entered in Step 14). For Outgoing claim type, select Name ID, and for Outgoing name ID format, select Email. Select Pass through all claim values and click OK.

17. Your Issuance Transform Rules tab should now list Valimail-1 followed by Valimail-2 (the order of the rules is important: the LDAP rule must run first so that the Email claim exists when the transform rule runs). Click OK.

18. Return to the AD FS Management console, expand the Service folder, and click the Certificates folder. Then locate the certificate you'll use under the Token-signing section, and click View Certificate... in the Actions pane (on the right side).

19. Click the Details tab in the Certificate dialog, then click the Copy to File... button.

20. In the Certificate Export Wizard, click Next, then select Base-64 encoded X.509 (.CER), and click Next. Enter a path to save the file to, then click Next, then click Finish, then click OK.
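The AD FS side of this procedure (steps 2 through 20) can also be scripted with the AD FS PowerShell module instead of clicking through the wizards. The following is an added example, not Valimail's own tooling or documentation; it assumes it runs as an AD FS administrator on the federation server with the ADFS module available, reuses the display name, identifier, consumer URL and claim names from the steps above, and writes the token-signing certificate to a placeholder path (C:\temp\adfs-token-signing.cer) that you should replace with your own.

```powershell
# Added example: scripted equivalent of steps 2-20 above using the AD FS PowerShell module.
# Assumption: run as an AD FS administrator on the federation server.
Import-Module ADFS

$displayName = 'Valigov Enforce'                       # step 4
$identifier  = 'https://app.valigov.com'               # step 8
$acsUrl      = 'https://app.valigov.com/sso/consume/'  # step 7

# Step 7: SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Steps 13-16: the same two rules the wizard generates, written in claim rule language.
# Rule order matters (step 17): the LDAP rule must come first so the transform rule can see "Email".
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Valimail-1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Valimail-2"
c:[Type == "Email"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 10: permit all users at AD FS; per-user access is controlled in Valimail Account Settings.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Steps 18-20: export the primary token-signing certificate as Base-64 encoded X.509 (.cer).
# Only the public certificate is exported; the private key never leaves AD FS.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $tokenSigning.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
$outPath = 'C:\temp\adfs-token-signing.cer'   # placeholder path; choose your own
Set-Content -Path $outPath -Value $pem -Encoding Ascii

# Review what was created before pasting the .cer contents into Valigov (step 23).
Get-AdfsRelyingPartyTrust -Name $displayName | Select-Object Name, Identifier, IssuanceTransformRules
Write-Host "Token-signing certificate thumbprint: $($tokenSigning.Thumbprint)"
```

After running it, open the relying party trust in the AD FS Management console and confirm the Issuance Transform Rules tab shows Valimail-1 above Valimail-2, exactly as step 17 requires. The exported file contains only the public certificate, which is all Valigov needs to verify AD FS signatures; if AD FS is set to auto-roll its token-signing certificate, plan to repeat the export and step 23 when the certificate rolls over, or SSO will stop working.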

21. Now, go into the Active Directory Users and Computers console and ensure the users you intend to test with are active users in your domain's Active Directory. If not, now is the time to create them.

22. Log in to https://www.valigov.com, click your account name (in the upper-right corner), click Account Settings, then click Setup in the Authentication > Single Sign-On section.

23. Open the .cer file saved in Step 20, copy its contents, and paste the contents in the x.509 Certificate field.

In the Identity Provider Entity ID, type the URL to your AD FS server. Example: https://sso.vmcs1.com

In the SAML 2.0 endpoint field, type the URL to your AD FS server's SAML 2.0 endpoint. Example: if your AD FS server is https://sso.vmcs1.com, then type https://sso.vmcs1.com/adfs/ls/ (you're appending the /adfs/ls/ to your server's URL).

24. Then click the button at the bottom of the page.

25. Testing SP-initiated SSO: Most AD FS users will log in to the application via SP-initiated SSO. Open a private/incognito window in your browser, go to https://www.valigov.com, and enter your AD credentials. When the sign-in prompt appears, click Sign in with SSO. You will then be taken to the AD FS login screen and the IdP-initiated login flow. If SSO was successful, you'll arrive at the application home page for your account.

⚠️ If SSO was unsuccessful and you're unable to login to Valigov, just email [email protected] for assistance.
