In my previous blogpost, I described how to enroll Valimail Monitor for Office 365. The initial setup is based on credentials, stored at Valimail. This results in another set of credentials that needs to be remembered, needs to be stored in a password vault, another set that may be leaked…
Additional admins and/or auditors also need to create an additional password for Valimail in order to gain access, adding to the problem.
There must be a better way…
Supported SSO Providers
Valimail has the capability to enable single sign-on based on SAML2, matching on the primary email address of an enabled user:
As you can see in the below screenshot, they currently support Okta and OneLogin. These SSO Providers have already created an application in their solution.
I felt it's random that Azure AD is not listed as an SSO Provider… Microsoft provides Valimail's services for free to Office 365 tenants; organizations that have Azure AD, too.
I wondered if I could make SSO work in my tenant, using SAML2 authentication. I can say: It works in my tenant! Below are the steps to make it work in your Azure AD tenant, too.
How to make Valimail SSO work with Azure Active Directory
Azure Active Directory doesn’t have Valimail as a listed enterprise application in the application gallery.
However, Microsoft provides the ability to Add your own app (for non-gallery applications), based on SAML-authentication:
Create an Enterprise App for Valimail in Azure Active Directory
To make it work, write down the company name listed under the account information on the account settings page of the Valimail website. I performed the following steps for Azure Active Directory in the Azure Portal to configure an enterprise application and enable it for SAML2 authentication:
- Open a supported browser and navigate to the Azure Portal.
- Sign in with an account that has the Global administrator, Application administrator or Cloud application administrator role assigned to it.
- Perform multi-factor authentication and/or privileged identity management, if prompted.
- Navigate to Azure Active Directory in the left navigation pane.
- In Azure AD's second navigation pane, click on the Enterprise applications node.
- Click on + New Application.
- Click on the Non-gallery application tile.
- Provide the application name. I chose to name the application Valimail, but your organization's naming convention may dictate something different.
- Click on Add.
- In the new panel that appears, click on Properties.
- Set the option: User Assignment required? to No.
Note:
If you decide to limit the number of users that may use the application, leave this option to Yes and assign the users via the Users and groups option.
- Click on Save.
- Click on Single sign-on.
- Click on the SAML tile.
- Click on the pencil to the right of the Basic SAML Configuration text to start editing the SAML configuration:
- Configure your Basic SAML Configuration as shown below:
  - Reconstruct the account information name, for example Contoso B.V. to contoso-b-v, and use this in the sign-on URL.
  - Identifier (Entity ID): https://app.valimail.com
  - Reply URL (Assertion Consumer Service URL): https://app.valimail.com/sso/consume
  - Sign on URL: https://app.valimail.com/sso/accounts/contoso-b-v/sessions/new/
  - Relay State: https://app.valimail.com/users/sign_in
- Click on the Save button and close the panel.
- Click on No, I’ll test later.
- Don’t change anything in User Attributes & Claims. You don't need to, anyway.
- Download the Federation Metadata XML and save it to a file on your device.
The configuration of the enterprise application in Azure Active Directory is now complete.
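The two places in these steps where a typo silently breaks sign-in are the account slug in the sign-on URL and the metadata file you are about to hand to Valimail. The following Python sketch is an added example, not part of the original post and not Valimail or Microsoft code; it derives the sign-on URL and checks the downloaded Federation Metadata XML before upload. Assumptions: the slug rule is generalized from the single Contoso B.V. example, the tenant lives in the global Azure cloud (sign-in host login.microsoftonline.com), and the function names, tenant ID and certificate body are constructed.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def account_slug(name):
    # Assumed rule, generalized from the page's one example (Contoso B.V. -> contoso-b-v).
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")

def sign_on_url(name):
    return f"https://app.valimail.com/sso/accounts/{account_slug(name)}/sessions/new/"

def inspect_idp_metadata(xml_text, tenant_id, idp_host="login.microsoftonline.com"):
    """Return (facts, problems) for a Federation Metadata XML before it is uploaded."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {}, ["no IDPSSODescriptor: this is not SAML IdP metadata"]
    entity_id = root.get("entityID", "")
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") == REDIRECT]
    certs = [c.text for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    # SHA-256 over the DER bytes, for comparison with the certificate you expect.
    prints = [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs if c]
    problems = []
    if tenant_id.lower() not in entity_id.lower():
        problems.append("entityID does not reference the expected tenant")
    for url in sso:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != idp_host:
            problems.append(f"unexpected sign-in endpoint: {url}")
    if not sso:
        problems.append("no HTTP-Redirect SingleSignOnService")
    if not prints:
        problems.append("no signing certificate")
    return {"entity_id": entity_id, "sso": sso, "cert_sha256": prints}, problems

# Constructed, trimmed sample: placeholder tenant ID and a dummy certificate body.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://sts.windows.net/{TENANT}/"><IDPSSODescriptor>
 <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
 <X509Certificate>{base64.b64encode(b'dummy-cert').decode()}</X509Certificate></X509Data>
 </KeyInfo></KeyDescriptor><SingleSignOnService Binding="{REDIRECT}"
 Location="https://login.microsoftonline.com/{TENANT}/saml2"/></IDPSSODescriptor></EntityDescriptor>"""
```

Run `inspect_idp_metadata` on the contents of the downloaded file with your own tenant ID; an empty problems list means the file describes your tenant's sign-in endpoint and carries a signing certificate.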
Enable Single Sign-On in Valimail
Now that Azure Active Directory is configured and the federation metadata is stored on the device, it is time to configure Valimail:
- Open a supported web browser and navigate to https://app.valimail.com/home.
- Provide the email address of an account that has the owner role in Valimail:
- Provide the password for the email address in Valimail:
- Perform 2-factor authentication, if it’s configured.
- In the Valimail Portal, click on your name and click on Account settings.
- Click on the Setup button next to Single Sign-on:
- Scroll down to the IDP Metadata File field and click on the Browse… button:
- Select and upload the Federation Metadata XML downloaded from Azure Active Directory from your device.
- Click on Enable Single Sign-on.
- You're now automatically signed out.
- To sign back in, provide the email address of an account that has the owner role in Valimail.
- Click on Sign in with SSO:
- You’re redirected to Azure Active Directory.
Depending on your authentication method and configuration, you're automatically signed in to Azure Active Directory and redirected back to the Valimail Portal:
- Your Valimail application is now configured with Single Sign-on (SSO) using Azure Active Directory.
Conclusion
I feel in every organization the use of a single source of authentication for business applications should be promoted. For SAML, OAuth and OpenID Connect-based authentication, Azure Active Directory is a perfect candidate to be acting as Identity Provider (IdP) for SaaS applications. This reduces the management overhead, especially when a delegated admin leaves the company and the non-Azure Active Directory accounts are improperly registered or are not part of the normal offboarding procedure.
The main benefit of creating an enterprise application within Azure Active Directory is that you can apply your organization's Conditional Access policies. This way, a company can control the access and conditions for employees and even admins to gain access to the application. For instance, if an owner of the Valimail application tries to log on, Conditional Access will trigger multi-factor authentication, if it’s not performed already.
So take 5 minutes of your time and register and activate Single Sign-on for Valimail with Azure Active Directory.
Overall, *thumbs up* on the article.
However, to enable true SSO for the Azure AD app, the Sign On URL should be something like: https://app.valimail.com/sso/accounts//sessions/new/
Hi Olivesandtrees,
Thanks for your feedback.
I've updated the blogpost.
The sign-on URL is now https://app.valimail.com/sso/accounts/[account information]/sessions/new/
For example: https://app.valimail.com/sso/accounts/contoso-b-v/sessions/new/
I tested it from the https://myapps.microsoft.com web page.