1. Log in to the Email Cloud portal
2. On the left-side menu, find Service Settings, then select SAML
3. Click Configure SAML
4. Open a separate browser tab and navigate to your Okta admin portal
5. In your Okta portal, select Applications > Applications on the left-side menu
6. In the main part of the screen, select Add Application
7. Click Create a New App in the top-right 
8. Select SAML 2.0 as the Sign on Method and click Create
9. On the General tab, under SAML Settings, click Edit
   • App name can be any name you want to use to identify the Email Security Cloud application within Okta
   • All other options are based on your organization's desired decisions
10. Click Next to get to the Configure SAML screen within Okta
11. Go back to the browser tab that has your Email Cloud portal open and copy the Entity ID from the Service Provider Metadata screen
12. In the browser tab that you're using for Okta, paste the Entity ID into the Audience URI (SP Entity ID) field
13. Go back to the browser tab that has your Email Cloud portal open and copy the Single Sign On URL from the Service Provider Metadata
14. In the browser tab that you're using for Okta, paste the Single Sign On URL into the Single sign on URL field
15. Under Single sign on URL, Use this for Recipient URL and Destination URL should already be checked by default
16. Ensure the following configurations are set in your Okta portal:
    • Name ID format should be set to EmailAddress
    • Application username should be set to Email
17. Click Show Advanced Settings at the bottom of the page to continue 
    • Response should be set to Signed
    • Assertion Signature should be set to Signed
    • Assertion Encryption should be set to Unencrypted
    • All other settings can remain in their default state
18. Scroll to the bottom of the page and click Next
19. Click Finish
20. In the middle of the page, you'll see a message that SAML has not yet been configured; click View Setup Instructions 
21. You'll come to a page explaining how to configure SAML 2.0 for your application
22. Go back to the Email Cloud portal and click Next to get to the Identity Provider Metadata page
23.  Select Enter Manually 
24. Go back to the Okta portal and copy the Identity Provider Issuer
25. In the Email Cloud portal, paste the Identity Provider Issuer from Okta into the Entity ID field
26. Go back to the Okta portal and copy the Identity Provider Single Sign-On URL
27. In the Email Cloud portal, paste the Identity Provider Single Sign-On URL from Okta into the Single Sign On URL field
28. Go back to the Okta portal and click Download certificate
29. In the Email Cloud portal, next to X.509 Certificate, click Upload, then select the certificate you downloaded from Okta
30. Next to Mailbox Attribute, select the radio button for Name ID; this is an email address
31. Click Next 
32. On the Test screen, there are multiple steps:
    1. Copy the login link provided in Step 1
    2. Open an Incognito browser tab and navigate to the login link
    3. It will simulate a login screen that should look similar to your Okta admin portal 
       • You will need to have manually created identical users in both Okta and Email Cloud

1. Log in with your Okta account as directed in Step 2
2. Once you log in successfully, go back to your Email Cloud admin portal browser tab and you should see the following test results:
   • If you have any errors in Step 3, refer to SAML SSO Error Codes and select Redo Test, noting that you will need to copy the new login link provided in Step 1

1. Once all SAML Results pass validation in Step 3, click Next
2. On the SAML Configuration Summary page, you'll have the option to require all of your users to login via SAML only by selecting Enforce SAML Authentication for End Users
   • If you opt to enforce SAML for all of your end-users, a window will pop up asking you to confirm your choice; select OK
3. Click Save & Enable to save your configuration and enable SAML
   • You can also select Save to save your configuration and enable SAML at a later time

SAML SSO with Okta has now been configured with Email Cloud. Whenever you click SAML on the left-side menu, you'll see a page that looks similar to this:

Access Email Cloud with SSO

Once a user is signed in to Okta, they will only need to enter their email address to access their email.

1. Navigate to your Email Cloud login portal
2. Click Single Sign On (SSO)  
3. Enter your email address and click Continue

That's it!

1. Log in to the Email Cloud portal
2. On the left-side menu, find Service Settings, then select SAML
3. Click Configure SAML
4. Open a separate browser tab and navigate to your OneLogin admin portal
5. In your OneLogin portal, find the application details under Configuration in the left-side menu
6. Go back to the browser tab that has your Email Cloud portal open and copy the Entity ID from the Service Provider Metadata
7. In the browser tab that you're using for OneLogin, paste the Entity ID into the Audience (EntityID) field
8. Go back to the browser tab that has your Email Cloud portal open and copy the Single Sign On URL from the Service Provider Metadata
9. In the browser tab that you're using for OneLogin, paste the Single Sign On URL into the ACS (Consumer) URL field
10. Paste the same Single Sign On URL into the Recipient field in your OneLogin portal
11. Ensure the following configurations are set in your OneLogin portal:
    • SAML nameID format = Email
    • SAML signature element should be either Assertion or Both from the drop-down menu
12. Go back to the Email Cloud portal and click Next to get to the Identity Provider Metadata page
13. In the OneLogin portal, in the top-right, choose SAML Metadata from the More Actions drop-down menu to download an XML file
14. Go back to the Email Cloud portal and upload the XML file you  just created from OneLogin; this will auto-populate the IDP metadata
15. Next to Mailbox Attribute, select the radio button for Name ID; this is an email address
16. Click Next 
17. On the Test screen, there are multiple steps:
    1. Copy the login link provided in Step 1
    2. Open an Incognito browser tab and navigate to the login link
    3. It will simulate a login screen that should look similar to your OneLogin admin portal
    4. Log in with your OneLogin account as directed in Step 2
    5. Once you log in successfully, go back to your Email Cloud admin portal browser tab and you should see the following test results:
       • If you have any errors in Step 3, refer to SAML SSO Error Codes  and select Redo Test, noting that you will need to copy the new login link provided in Step 1
    6. Once all SAML Results pass validation in Step 3, click Next
    7. On the SAML Configuration Summary page, you'll have the option to require all of your users to login via SAML only by selecting Enforce SAML Authentication for End Users
       • If you opt to enforce SAML for all of your end-users, a window will pop up asking you to confirm your choice; select OK
    8. Click Save & Enable to save your configuration and enable SAML
       • You can also select Save to save your configuration and enable SAML at a later time

SAML SSO with OneLogin has now been configured with Email Cloud. Whenever you click SAML on the left-side menu, you'll see a page that looks similar to this:

Access Email Cloud with SSO

Once a user is signed in to OneLogin, they will only need to enter their email address to access their email.

1. Navigate to your Email Cloud login portal
2. Click Single Sign On (SSO)  
3. Enter your email address and click Continue

That's it!

If you subscribe to Entra ID for User Management as well and haven't already set up Email Cloud to sync user and group accounts that belong to your managed domain, refer to Related Articles for full details. The following instructions assume that Entra ID and Email Cloud are already syncing users.

1. Log in to the Email Cloud portal
2. On the left-side menu, find Service Settings, then select SAML
3. Click Configure SAML
4. Open a separate browser tab and navigate to your Azure admin portal
5. In your Azure portal, under Azure Services, select Enterprise Applications
6. Click New Application at the top
7. On the Browse Entra ID Gallery page, click Create your own application
8. Azure will ask you to name your app and how you will be using your new application; add your desired app name in the appropriate field, select Integrate any other application you don't find in the gallery, then click Create at the bottom
9. In the left-side menu, under Manage, click Single sign-on
10. Select Upload metadata file
11. Go back to the browser tab that has your Email Cloud portal open and click download XML from the Service Provider Metadata page
12. In the browser tab that you're using for Azure, click Select a file and navigate to the XML file you downloaded from Email Cloud
13. Click Add and it will automatically populate the Basic SAML Configuration (Entity ID and Assertion URL)
14. Under User Attributes & Claims, click Edit
15. Name identifier format should be Email address
16. Source should be Attribute
17. Source attribute has two possible options:
    • user.userprincipalname should only be used if you know for sure the domain in the userprincipalname is a managed domain in Email Cloud
    • user.mail should be used if the domain in the userprincipalnameis not a managed domain in Email Cloud
      • Visit Microsoft Docs for full details on Entra ID UserPrincipalName Population
18. Click Save
19. Scroll down, under SAML Signing Certificate, and click Download next to Federation Metadata XML
20. Go back to the Email Cloud portal and click Next to get to the Identity Provider Metadata page
21. Upload the XML file you just created from Azure by dragging and dropping the XML file or navigating to where you downloaded the file; this will auto-populate the IDP metadata 
     
22. Next to Mailbox Attribute, select the radio button for Name ID; this is an email address
23. Click Next 
24. On the Test screen, there are multiple steps:
    1. Copy the login link provided in Step 1
    2. Open an Incognito browser tab and navigate to the login link
    3. It will simulate a login screen that should look similar to your Azure admin portal 
    4. Log in with your Azure account as directed in Step 2
    5. Once you log in successfully, go back to your Email Cloud admin portal browser tab and you should see the following test results:
       • If you have any errors in Step 3, refer to SAML SSO Error Codes  and select Redo Test, noting that you will need to copy the new login link provided in Step 1
    6. Once all SAML Results pass validation in Step 3, click Next
    7. On the SAML Configuration Summary page, you'll have the option to require all of your users to login via SAML only by selecting Enforce SAML Authentication for End Users
       • If you opt to enforce SAML for all of your end-users, a window will pop up asking you to confirm your choice; select OK
    8. Click Save & Enable to save your configuration and enable SAML
       • You can also select Save to save your configuration and enable SAML at a later time

SAML SSO with Azure has now been configured with Email Cloud. Whenever you click SAML on the left-side menu, you'll see a page that looks similar to this:

Access Email Cloud with SSO

Once a user is signed in to Azure, they will only need to enter their email address to access their email.

1. Navigate to your Email Cloud login portal
2. Click Single Sign On (SSO)  
3. Enter your email address and click Continue

That's it!