First, set things up in the Azure Portal
1. In the Azure portal, in the left navigation panel, click the Azure Active Directory icon.
2. Navigate to Enterprise Applications and then select the All Applications option.
3. Click the New application button on the top of dialog.
4. Click Non-gallery Application
5. Enter the name of the application as you'd like it to appear to your users (e.g. Valimail).
6. Click the Add button.
7. Click Getting started in the left navigation panel, then scroll down in the right navigation panel and click Configure single sign-on (required).
8. Click SAML in the right navigation panel.
9. Click the edit (pencil) button in the Basic SAML Configuration section.
10. In the Basic SAML Configuration screen, enter the values as indicated below:
Identified (Entity ID): https://app.valimail.com
Reply URL (Assertion Consumer Service URL): https://app.valimail.com/sso/consume
Sign on URL: <leave blank>
Relay State: <leave blank>
Logout URL: https://app.valimail.com/sso/consume
11. Click the Save button.
12. After the configuration has been successfully saved, click Single sign-on in the left navigation panel again.
13. Click the edit (pencil) button in the User Attributes & Claims section in the right navigation panel.
14. Ensure only the claims shown below exist. Any additional claims should be deleted.
- the FirstName and LastName claim names are case-sensitive and must appear exactly as shown below for SSO to successfully work.
- the ...nameidentifier claim is a default and required by SAML 2.0. Microsoft Azure will not permit the deletion of this claim.
15. Click on SAML-based sign-on in the breadcrumb menu and scroll down to the SAML Signing Certificate section.
16. Click the Federation Metadata XML Download link and save the metadata XML file.
17. Click on the Valimail - Single sign-on link in the breadcrumb menu, then click Users and groups in the left navigation panel.
Set things up in the Valimail platform
1. Be sure to add any users who should have access SSO access to Valimail, including the administrator user with which you are currently logged into Azure AD.
⚠️SSO testing will fail unless you add your user during this step and also ensure the user has already been added as a user in the Valimail Product under Account Settings.
2. In a new browser tab/window, go to https://app.valimail.com and login to Valimail with your username and password.
3. Click on your account name and click Account Settings.
4. In the Account Security section, click Setup.
5. In the Single Sign-on Configuration section, click Upload IDP metadata file.
7. Click Enable.
Test it Out
1. Testing IdP-initiated SSO: Open up a private/incognito window in your browser and go to the Microsoft Azure AD login portal, login with your Microsoft Azure AD credentials. If SSO was successful, you'll arrive at the Valimail home page for your account.
2. Testing SP-initiated SSO: Open up a private/incognito window in your browser and go to https://app.valimail.com and enter your Azure AD username (which is usually an email address). The password field will become disabled and you can click Log In with SSO. You will then be taken to the Azure AD login screen and the IdP-initiated login flow. If SSO was successful, you'll arrive at the Valimail home page for your account.