1. In the Azure portal, in the left navigation panel, click the Azure Active Directory icon.


2. Navigate to Enterprise Applications and then select the All Applications option.

3. Click the New application button on the top of dialog.

4. Click Non-gallery Application

5. Enter the name of the application as you'd like it to appear to your users (e.g. Valimail).


6. Click the Add button.


7. Click Getting started in the left navigation panel, then scroll down in the right navigation panel and click Configure single sign-on (required).

8. Click SAML in the right navigation panel.


9. Click the edit (pencil) button in the Basic SAML Configuration section.

10. In the Basic SAML Configuration screen, enter the values as indicated below:

        Identified (Entity ID): https://app.valimail.com

        Reply URL (Assertion Consumer Service URL): https://app.valimail.com/sso/consume

        Sign on URL: https://app.valimail.com/users/sign_in

        Relay State: <leave blank>

        Logout URL: <leave blank>



11. Click the Save button.


12. After the configuration has been successfully saved, click Single sign-on in the left navigation panel again.

13. Click the edit (pencil) button in the User Attributes & Claims section in the right navigation panel.


14. Ensure only the claims shown below exist. Any additional claims should be deleted.


⚠️Important Points:

              - the FirstName and LastName claim names are case-sensitive and must appear exactly as shown below for SSO to successfully work.

             the ...nameidentifier claim is a default and required by SAML 2.0. Microsoft Azure will not permit deletion of this claim.



15. Click on SAML-based sign-on in the breadcrumb menu and scroll down to the SAML Signing Certificate section.


16. Click the Federation Metadata XML Download link and save the metadata XML file.


17. Click on the Valimail Enforce - Single sign-on link in the breadcrumb menu, then click Users and groups in the left navigation panel.


18. Be sure to add any users who should have access SSO access to Valimail Enforce, including the administrator user with which you are currently logged into Azure AD.


⚠️SSO testing will fail unless you add your user during this step and also ensure the user has already been added as a user in Valimail  Enforce under Account Settings.


19. In a new browser tab/window, go to https://app.valimail.com and login to Valimail with your username and password.


20. Click on your account name and click Account Settings.


21. In the Authentication section, click the Setup button.

22. In the Single Sign-on Configuration section, scroll down to the IDP Metadata File section and click the Choose File button. Locate the XML file you saved in Step 16 and upload it.

23. Then clickat the bottom of the page.


24. Testing IdP-initiated SSO: Open up a private/incognito window in your browser and go to the Microsoft Azure AD login portal, login with your Microsoft Azure AD credentials. If SSO was successful, you'll arrive at the Valimail Enforce home page for your account.


25. Testing SP-initiated SSO: Open up a private/incognito window in your browser and go to https://app.valimail.com and enter your Azure AD username (which is usually an email address). You will see the following message -- click Sign in with SSO. You will then be taken to the Azure AD login screen and the IdP-initiated login flow. If SSO was successful, you'll arrive at the Valimail Enforce home page for your account.


⚠️Encountered a problem or need help? Just email support@valimail.com.