Microsoft Azure IdP SSO Integration

Overview

Spambrella supports integration with Identity Providers for authentication adhering to Security Assertion Markup Language (SAML) standards. Multiple identity providers for an organization are fully supported.

Spambrella supports single sign-on (SSO) via SAML. An external identity provider (IdP) can be set up as the IdP for SSO to the Admin Console.

Azure Active Directory is being renamed Microsoft Entra ID. For the purposes of this article, all references continue to use “Azure” and/or “Azure Active Directory”.

Configuring Microsoft Azure Active Directory SAML/SSO

Step 1: Create Identity Provider

  1. Log in to your service portal (the URL may be branded as your organization, Spambrella or Proofpoint Essentials).
  2. Under Administration, click Account Management, then Identity Providers.
  3. Click Add Identity Provider.
  4. Enter a meaningful Identity Provider name and, optionally, description. The name you enter will be shown on the Identity Provider button on the main login screen.
  5. In the Icon section, select the appropriate icon according to your desired integration.
  6. Click Next.

Step 2: Configure SAML/SSO In Azure Portal

  1. Log in to the Microsoft Azure portal with an administrator role.
  2. In the panel on the left, click Applications, then Enterprise applications.
  3. Click New Application then Create your own application.
  4. Enter a name in the “What’s the name of your app” field (e.g., Auth for Spambrella).
  5. From the list of options under “What are you looking to do with your application”, click “Integrate any other application you don’t find in the gallery (Non-gallery)”.

  6. Click Create.
  7. In the side navigation panel, locate Manage and click Properties.
  8. Change the Assignment required? value to No, then click Save.

    Setting the “Assignment required?” option to “Yes” means users and other apps or services must be assigned this application before they will be able to access it.

  9. In the side navigation panel, locate Manage and click Single sign-on, followed by SAML and then, in the Basic SAML Configuration section, click Edit.
  10. Copy and paste the values from the Spambrella Identity Provider setup into the corresponding Basic SAML Configuration fields (mappings below).

    [Image: Proofpoint Essentials SAML Mapping]

  11. Click Save, then close the panel.
  12. In the SAML Signing Certificate section, click Edit.
  13. For the Signing Option, select Sign SAML response and assertion.
  14. Click Save, then click X (Close).
  15. Download the Certificate (Base64).

Step 3: Complete The New Identity Provider Configuration Into Spambrella

  1. Return to the Spambrella New Identity Provider configuration (as described in Step 1).
  2. Copy and paste the values from the new application in Azure into the corresponding Identity Provider fields (mappings below).

    [Image: Azure Mappings - Proofpoint Essentials Setup]

  3. Click Enable Single Sign-On.
  4. Click Save and Close.
  5. The new Identity Provider appears on the Identity Providers page.

Configure Single Sign-On Login Settings

Configure the single sign-on login settings the organization needs in order to use the new identity provider created in the previous step.

FAQ

Will any other third-party Identity providers be made available in the future?

Spambrella seamlessly integrates with various third-party Identity Providers including Microsoft Azure Active Directory and Okta Identity Cloud. Further third-party Identity Providers will be added soon, including G Suite/Google Cloud Identity, as well as any SAML 2.0 capable system.

Will I receive a notification if my SSO settings are changed?

Yes, an email will be sent to the organization tech contact informing them of the change, including details of the type of change (Added, Deleted or Changed).

If I have an account on multiple sites, will I be prompted to enter a passcode for each account?

To ensure a greater security posture across all sites, if you have multiple accounts, you will be required to enter a passcode when logging in, per account, per site. Upon successful login, you will not be prompted to enter another passcode for 12 hours.

Will two-step authentication work with my SSO provider?

Yes, you can use your identity provider's two-step authentication process to log in.