Enable Valimail Single Sign-On with Azure Active Directory

In my previous blogpost, I described how to enroll Valimail Monitor for Office 365. The initial setup is based on credentials, stored at Valimail. This results in another set of credentials that needs to be remembered, needs to be stored in a password vault, another set that may be leaked…

Additional admins and/or auditors also need to create an additional password for Valimail in order to gain access, adding to the problem.

There must be a better way…

Supported SSO Providers

Valimail has the capability to enable Single sign-on based on SAML2 matching the primary email address of a enabled user:

image-6

As you can see in the below screenshot, they currently support Okta and OneLogin. These SSO Providers have already created an application in their solution.

image

I felt it’s random that Azure AD is not listed as an SSO Provider… Microsoft provides Valimail’s services for free to Office 365 tenants; organizations that have Azure AD, too.

I wondered if I could make SSO work in my tenant, using SAML2 authentication. I can say: It works in my tenant! Below are the steps to make it work in your Azure AD tenant, too.

How to make Valimail SSO work with Azure Active Directory

Azure Active Directory doesn’t have Valimail as a listed enterprise application in the application gallery.

However, Microsoft provides the ability to Add your own app (for non-gallery applications), based on SAML-authentication:

image

Create an Enterprise App for Valimail in Azure Active Directory

In order to make it work. Write down the company name listed by the account information, on the account settings page on the Valimail webpage. I performed the following steps for Azure Active Directory in the Azure Portal to configure an enterprise application and enable it for SAML2-authentication:

  1. Open a supported browser and navigate to the Azure Portal.
  2. Sign in with an account that has the Global administrator, Application administrator or Cloud application administrator role assigned to it.
  3. Perform multi-factor authentication and/or privileged identity management, if prompted.
  4. Navigate to Azure Active Directory in the left navigation pane.
    image
  5. In Azure AD’s second navigation pane, click on the Enterprise applications node.
    image
  6. Click on + New Application.
    image
  7. Click on the Non-gallery application tile.
    image
  8. Provide the application name. I choose to name the application Valimail, but your organization’s naming convention may dictate something different.
  9. Click on Add.
    image
  10. In the new panel that appears, click on Properties.
  11. Set the option: User Assignment required? to No.
    image
    Note:

    If you decide to limit the number of users that may use the application, leave this option to Yes and assign the users via the Users and groups option.
    image
  12. Click on Save.
  13. Click on Single sign-on.
    image
  14. Click on the SAML tile.
    image
  15. Click on the pencil to the right of the Basic SAML Configuration text to start editing the SAML configuration:
    image
  16. Configure your Basic SAML Configuration as shown below:
    1. Reconstruct the account information name for example Contoso B.V. to contoso-b-v and use this in the sign-on URL
    2. Identifier (Entity ID): https://app.valimail.com
    3. Reply URL (Assertion Consumer Service URL): https://app.valimail.com/sso/consume
    4. Sign on URL: https://app.valimail.com/sso/accounts/contoso-b-v/sessions/new/
    5. Relay State: https://app.valimail.com/users/sign_in
  17. Click on the Save button and close the panel.
    image
  18. Click on No, I’ll test later.
    image
  19. Don’t change anything in User Attributes & Claims. You don’t need to, anyway.
    image
  20. Download the Federation Metadata XML and save it to a file on your device.
    image

The configuration of the enterprise application in Azure Active Directory is now complete.

Enable Single Sign-On in Valimail

Now that Azure Active Directory is configured and the federation metadata is stored on the device, it is time to configure Valimail:

  1. Open a supported web browser and navigate to https://app.valimail.com/home.
  2. Provide the email address of a account that has the owner role in Valimail:
    image
  3. Provide the password for the email address in Valimail:
    image
  4. Perform 2-factor authentication, if it’s configured.
  5. In the Valimail Portal, click on your name and click on Account settings.
    image
  6. Click on the Setup button next to Single Sign-on:
    image-27
  7. Scroll down to IDP Metadata File field and click on the Browse… button:
    image
  8. Select and upload the Federation Metadata XML downloaded from Azure Active Directory from your device.
  9. Click on Enable Single Sign-on.
    image
    image
  10. You’re now automatically signed out.
  11. To sign back in, provide the email address of an account that has the owner role in Valimail.
    image
  12. Click on Sign in with SSO:
    image
  13. You’re redirected to Azure Active Directory.
    Depending on your authentication method and configuration, you’re automatically signed in to Azure Active Directory and redirected back to the Valimail Portal:
    image
  14. Your Valimail application is now configured with Single Sign-on (SSO) using Azure Active Directory.

Conclusion

I feel in every organization the use of a single source of authentication for business applications should be promoted. For SAML, OAuth and OpenID Connect-based authentication, Azure Active Directory is a perfect candidate to be acting as Identity Provider (IdP) for SaaS applications. This reduces the management overhead, especially when a delegated admin leaves the company and the non-Azure Active Directory accounts are improperly registered or are not part of the normal offboarding procedure.

The main benefit of creating a enterprise application within Azure Active Directory is you can apply your organization’s Conditional Access policies. This way, a company can control the access and conditions for employees and even admins to gain access to the application. For instance, if an owner of the Valimail application tries to log on, Conditional Access will trigger multi-factor authentication, if it’s not performed already.

So take 5 minutes of your time and register and activate Single Sign-on for Valimail with Azure Active Directory.