Enable Valimail Single Sign-On with Azure Active Directory

In my previous blogpost, I described how to enroll Valimail Monitor for Office 365. The initial setup is based on credentials, stored at Valimail. This results in another set of credentials that needs to be remembered, needs to be stored in a password vault, another set that may be leaked…

Additional admins and/or auditors also need to create an additional password for Valimail in order to gain access, adding to the problem.

There must be a better way…

Supported SSO Providers

Valimail has the capability to enable Single sign-on based on SAML2 matching the primary email address of a enabled user:

image

As you can see in the below screenshot, they currently support Okta and OneLogin. These SSO Providers have already created an application in their solution.

image

I felt it’s random that Azure AD is not listed as an SSO Provider… Microsoft provides Valimail’s services for free to Office 365 tenants; organizations that have Azure AD, too.

I wondered if I could make SSO work in my tenant, using SAML2 authentication. I can say: It works in my tenant! Below are the steps to make it work in your Azure AD tenant, too.

How to make Valimail SSO work with Azure Active Directory

Azure Active Directory doesn’t have Valimail as a listed enterprise application in the application gallery.

However, Microsoft provides the ability to Add your own app (for non-gallery applications), based on SAML-authentication:

image

Create an Enterprise App for Valimail in Azure Active Directory

In order to make it work, I performed the following steps for Azure Active Directory in the Azure Portal to configure an enterprise application and enable it for SAML2-authentication:

  1. Open a supported browser and navigate to the Azure Portal.
  2. Sign in with an account that has the Global administrator, Application administrator or Cloud application administrator role assigned to it.
  3. Perform multi-factor authentication and/or privileged identity management, if prompted.
  4. Navigate to Azure Active Directory in the left navigation pane.
    image
  5. In Azure AD’s second navigation pane, click on the Enterprise applications node.
    image
  6. Click on + New Application.
    image
  7. Click on the Non-gallery application tile.
    image
  8. Provide the application name. I choose to name the application Valimail, but your organization’s naming convention may dictate something different.
  9. Click on Add.
    image
  10. In the new panel that appears, click on Properties.
  11. Set the option: User Assignment required? to No.
    image
    Note:

    If you decide to limit the number of users that may use the application, leave this option to Yes and assign the users via the Users and groups option.
    image
  12. Click on Save.
  13. Click on Single sign-on.
    image
  14. Click on the SAML tile.
    image
  15. Click on the pencil to the right of the Basic SAML Configuration text to start editing the SAML configuration:
    image
  16. Configure your Basic SAML Configuration as shown below:
    1. Identifier (Entity ID): https://app.valimail.com
    2. Reply URL (Assertion Consumer Service URL): https://app.valimail.com
    3. Sign on URL: https://app.valimail.com/users/sign_in
    4. Relay State: https://app.valimail.com/users/sign_in
  17. Click on the Save button and close the panel.
    image
  18. Click on No, I’ll test later.
    image
  19. Don’t change anything in User Attributes & Claims. You don’t need to, anyway.
    image
  20. Download the Federation Metadata XML and save it to a file on your device.
    image

The configuration of the enterprise application in Azure Active Directory is now complete.

Enable Single Sign-On in Valimail

Now that Azure Active Directory is configured and the federation metadata is stored on the device, it is time to configure Valimail:

  1. Open a supported web browser and navigate to https://app.valimail.com/home.
  2. Provide the email address of a account that has the owner role in Valimail:
    image
  3. Provide the password for the email address in Valimail:
    image
  4. Perform 2-factor authentication, if it’s configured.
  5. In the Valimail Portal, click on your name and click on Account settings.
    image
  6. Click on the Setup button next to Single Sign-on:
    image
  7. Scroll down to IDP Metadata File field and click on the Browse… button:
    image
  8. Select and upload the Federation Metadata XML downloaded from Azure Active Directory from your device.
  9. Click on Enable Single Sign-on.
    image
    image
  10. You’re now automatically signed out.
  11. To sign back in, provide the email address of an account that has the owner role in Valimail.
    image
  12. Click on Sign in with SSO:
    image
  13. You’re redirected to Azure Active Directory.
    Depending on your authentication method and configuration, you’re automatically signed in to Azure Active Directory and redirected back to the Valimail Portal:
    image
  14. Your Valimail application is now configured with Single Sign-on (SSO) using Azure Active Directory.

Conclusion

I feel in every organization the use of a single source of authentication for business applications should be promoted. For SAML, OAuth and OpenID Connect-based authentication, Azure Active Directory is a perfect candidate to be acting as Identity Provider (IdP) for SaaS applications. This reduces the management overhead, especially when a delegated admin leaves the company and the non-Azure Active Directory accounts are improperly registered or are not part of the normal offboarding procedure.

The main benefit of creating a enterprise application within Azure Active Directory is you can apply your organization’s Conditional Access policies. This way, a company can control the access and conditions for employees and even admins to gain access to the application. For instance, if an owner of the Valimail application tries to log on, Conditional Access will trigger multi-factor authentication, if it’s not performed already.

So take 5 minutes of your time and register and activate Single Sign-on for Valimail with Azure Active Directory.

Valimail Monitor for Office 365: Your Free DMARC Reporting Tool

On their security blog on the 3rd of June 2019, Microsoft announced that Valimail Monitor for Office 365 is available. This option enables organizations using Exchange Online from Office 365 for their company mail to leverage DMARC.

The Road to securing E-Mail

Cyberattacks are common these days. These attacks can be actively targeting your organization over the internet or through incoming emails.

Reputation of your name and mail on the internet are important these days. Reputation attacks via email are achieved by spoofing; sending e-mail messages on behalf of your domain. To counter this, you can:

  • Enable SPF (Sender Policy Framework) records, and;
  • Enable DKIM (DomainKeys Identified Mail)

This is a common practice. However, after you have enabled this, you don’t get any feedback about the attacks or invalid sources. To gain this insight you will need to activate DMARC (Domain-based Message Authentication, Reporting and Conformance). After you’ve enabled DMARC, via a simple DNS TXT record, you will start receiving automated mail messages with an XML file as attachment on the e-mail address listed in the TXT record.

In short: if you want to gain the insight, who is using your domain on the internet, start using DMARC.

Valimail to the rescue!

With Microsoft’s announcement, you get access to Valimail; a free tool to gain these insights.

Stop processing the XML files by hand or scripting tools. We all love (free) automation, right?

Requirements

To gain access to this information, you already need to have setup the following:

    • Existing SPF record containing all the authoritative mail sources
    • Enable DKIM on your mail flow (activated by default in Office 365).
      For outgoing mail, a transport agent can be installed on the on-premises Exchange Server or activated as an option on your anti-spam solution.
    • Activated a basic DMARC record in your DNS domain, for example:
      “v=DMARC1; p=none; rua=mailto:reports@example.com”.
      This example shows you’re using DMARC1 and you monitor existing connections. Please report findings to reports@example.com.

How to set it up

Follow these steps to set it up:

  • First go to the following website: https://go.valimail.com/microsoft.html
  • Fill in the required information.
    image
  • Now wait for response from the Office 365 team of Valimail.
    image
  • Update your DNS record with the requested entry and test the record.
    image
  • Wait for your initial invite to create a login account.
    image
  • When the invite is sent, accept the invite and configure a password for your account.
    image

Tip!
Don’t forget to enable 2-factor authentication on your account or configure Azure AD single sign-on as described in Enable Valimail Single Sign-On with Azure Active Directory.

Conclusion

I have discussed DMARC before with customers and it’s a valuable option to gain insight who is sending e-mail messages on behalf of your DNS domain. The only problem was, how to translate the XML files.

Yes, other tools are available, but for most, you will need to pay a fee to use.

ValiMail is free for organizations using Office 365, so why not use it? Regain control over your mail domain, today.

Further reading

Below are some articles that explain SPF, DKIM and DMARC in more depth: