Part 1: Preparation work in Google Workspace

1. Log in to the Google Admin console with administrator credentials.

2. Go to Menu then Apps > Web and mobile apps. 

3. Click Add AppAdd custom SAML app. 

4. On the App Details page:     

1. Enter the name of the custom app.
2. (Optional) Upload an app icon - you can use one of the two icons below. The app icon appears on the Web and mobile apps list, on the app settings page, and in the app launcher. If you don't upload an icon, an icon is created using the first two letters of the app name.

5. Click Continue. 

6. On the Google Identity Provider details page, get the setup information needed to set up the SSO in Valimail using one of these options:     

1. Download the IDP metadata (Recommended).
2. Copy the SSO URL and Entity ID and download the Certificate. 

7. Click Continue. 

8. On the Service Provider Details page, enter the following details:

• ACS URL: https://app.valimail.com/sso/consume
• Entity ID: https://app.valimail.com
• Start URL: https://app.valimail.com/users/sign_in
• Name ID Format should be set to EMAIL
• Name ID set it to Basic Information > Primary email

9 Click Continue. 

10. On the Attribute mapping page, click Add Mapping and add the attributes as shown below.   

11. (Optional) To enter group names that are relevant for this app: 

1. For Group membership (optional), click Search for a group, enter one or more letters of the group name, and select the group name.
2. Add additional groups as needed (maximum of 75 groups).
3. For App attribute, enter the service provider’s corresponding groups attribute name.

12. Click Finish.

Part 2: Configuration within the Valimail Product Suite

Be sure to add any users who should have access to the Valimail Product Suite. 

1. In a new browser tab or window, go to https://app.valimail.com and log into Valimail with your username and password.

2. Click on the Gear icon in the top right corner. 

3. Under General settings click Setup for SSO.

4. In the 'Single Sign-on Configuration' window, click 'upload IDP metadata file'. Locate the XML file you saved in step 6 above and upload it. If you copied the information in step 6, then you will have to manually enter the Certificate, Entity ID, and the SAML 2.0 Endpoint.

Here you can also:

Enable JIT Provisioning (optional): Check this option to enable Just In Time (JIT) Provisioning.

Provisioning Domains (for JIT): Add one or more provisioning domains.

5. Click Save.

6. Testing IdP-initiated SSO: Open up a private/incognito window in your browser and go to your SSO provider's login portal, login with your SSO credentials, locate and then launch the Valimail app. If SSO was successful, you'll arrive at the Valimail Enforce home page for your account.

7. Testing SP-initiated SSO: Open up a private/incognito window in your browser and go to https://app.valimail.com and enter your SSO username (email address). You will see the following message -- click Sign in with SSO. You will then be taken to your SSO provider's login screen and the IdP-initiated login flow. If SSO was successful, you'll arrive at the Valimail Product home page for your account.

⚠️ If SSO was unsuccessful and you're unable to login to Valimail Enforce, just email support@valimail.com for assistance.