We're experiencing difficulty. Our engineers are on it. Please check status.mailgun.com for real-time updates.

SAML SSO

Table Of Contents
Quick Overview
General Configuration
    Verify The SAML Domain
    Enabling SAML SSO
    Disabling SAML SSO
Okta
    Create An Okta Account (If Needed)
    Create A New Okta App
    Configure The SAML Integration In Okta
    Configure The Attributes In Okta
    Rolemapping Mailgun Roles In Okta
Azure
OneLogin
    Setting Up SAML SSO Using OneLogin
    Configuring Attributes In OneLogin & Rolemapping
Got Questions?

Quick Overview

Note: SAML SSO is available on Scale and above plans. See our plan comparison here.

Using the SAML 2.0 protocol, Mailgun allows you to integrate with your Identity Provider to authenticate users via single sign-on, also known as SSO. Theoretically, as long as your current Identity Provider supports the SAML 2.0 protocol (Okta, Auth0, Onelogin, Azure AD, etc), then you should be able to use your provider with Mailgun. 

Mailgun supports just-in-time (JiT) provisioning, so that when a user logs into Mailgun using our SSO integration, that user automatically becomes a user under your Mailgun account.

In short, this setup process requires the exchange of information between the two systems:

  • Provide Mailgun With The Information Below From Your Identity Provider
    • IdP Entity ID (also known as Identity Provider Issuer)
    • Single Sign-on URL
    • X509 Certificate
  • Provide Your Identity Provider With The Information Below From Mailgun
    • Entity ID
    • Assertion Consumer Service URL
    • Single Logout Service URL

General Configuration

Verify The SAML Domain

In order to set up SAML, you will need to verify that you own your corporate domain (the domain being used in the SAML configuration to log in). There are two methods for verifying your corporate domain on the Mailgun platform:

  • Verified sending domain - if you plan on or are using your corporate domain for sending on Mailgun, you can use our current method of adding SPF and DKIM records to verify the domain as a sending domain on Mailgun. This domain must match the FQDN in your corporate email address used to authenticate. If the domain is already a verified sending domain on your account, no further action is required.
  • TXT record - Mailgun can generate a unique TXT record for you to add to your corporate domain’s DNS that will allow us to verify you own this domain. In order to use this method:
    • Navigate to the SAML Configuration settings page (see the Enabling SAML SSO section below)
    • Enter your corporate domain in the Domain Name field under the Domain TXT Record Generation section
    • Click the Generate button
    • Finally, copy the TXT record from the modal, and add it to your DNS hosting provider for your corporate domain.

Screen Shot 2022-11-08 at 3.45.12 PM.png          Screen Shot 2022-11-08 at 3.45.36 PM.png

Enabling SAML SSO

Note: Only Admin users have access to enable/disable SAML on an account.

As for enabling SAML SSO, we'll show you how to do this below:

  1. First, log in to the Mailgun Control Panel (if you have not already done so).
  2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
  3. Next, click the Account option. Alternatively, you can use this direct link
  4. On the resulting page and in the Authentication section, click the Setup button for the SAML Auth setting.

Screen Shot 2022-11-08 at 3.46.23 PM.png

Once there, you will find the relevant SAML Provider (SP) Details [i.e. Mailgun details that you provide to your Identity Provider], as well as the Identity Provider (IdP) Details [i.e. Identity Provider details that you provide to Mailgun]. This article goes over the specific information and additional steps needed in the relevant Identity Provider sections (i.e. Okta, Azure, OneLogin, etc.). You will also have the option to Manage Custom Configuration , which allows you to set your User Name Attribute Settings. 

Screen Shot 2022-11-08 at 3.23.12 PM.png

Screen

Disabling SAML SSO

Note: Only Admin users have access to enable/disable SAML on an account.

As for disabling SAML SSO, we'll show you how to do this below:

  1. First, log in to the Mailgun Control Panel (if you have not already done so).
  2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
  3. Next, click the Account option. Alternatively, you can use this direct link
  4. On the resulting page and in the Authentication section, and by the SAML Auth setting, click the Disable button.

Screen Shot 2022-11-08 at 3.45.59 PM.png

 

Of Special Note: Any users that were created prior to activating SAML will be able to log in at https://login.mailgun.com/ with their prior username and password combination for their Mailgun account. Any users that were created using JiT via SAML will need to initiate a password reset at https://login.mailgun.com/recovery/new.

Okta

Create An Okta Account (If Needed)

First, you’ll need an Okta account. If you already have one, great! If not, you can register at https://developer.okta.com and follow the instructions to get a free developer account.

Screen Shot 2022-11-08 at 3.17.01 PM.png

Create A New Okta App

Once you have an Okta account, navigate to Applications on the left-hand navigation pane. On the resulting page, click the Create App integration button.

Screen Shot 2022-11-08 at 3.17.33 PM.png

When the modal pops up, select SAML 2.0 as the sign-on method. The next modal provides the opportunity to give your app a descriptive name and a logo, if you wish, before continuing the process by clicking the Next button.

Screen Shot 2022-11-08 at 3.19.03 PM.png          Screen Shot 2022-11-08 at 3.20.23 PM.png

Configure The SAML Integration In Okta

Next, you'll be presented with various fields. We'll explain what data you should assign to each field:

    • Single sign on URL (Assertion Consumer Service URL in your Mailgun Dashboard)
    • Audience URI (Entity ID in your Mailgun Dashboard)
    • Leave Default RelayState blank
    • Name ID format should be set to EmailAddress
    • Application username should be set to email
    • Update application username on should be set to Create and update

Screen Shot 2022-11-08 at 3.25.04 PM.png

Configure The Attributes In Okta

Note: we ask you to provide Attribute Statements for FirstAndLastName since we will otherwise provide a generic name.

There are three attributes (one of which will be a group attribute) in total that will need to be added. We'll explain what data you should assign to each field:

  • Attribute Statement 1
    • Name: FirstAndLastName
    • Name format: leave as Unspecified
    • Value: user.firstName + " " + user.lastName
    • Note: the special characters and specific spacing in the value above are intentional
  • Attribute Statement 2
    • Name: email
    • Name format: leave as Unspecified
    • Value: user.email
  • Group Attribute Statement 1
    • Name: UserGroup
    • Name format: leave as Unspecified
    • Filter:
      • Drop-down: choose Matches regex in the dropdown
      • Textbox: .*

Screen Shot 2022-11-08 at 3.50.47 PM.png

Rolemapping Mailgun Roles In Okta

Okta organizes users into groups. Typically these groups will organize users by the role they hold within the organization (e.g. Support, Billing, etc). These groups should be mapped to roles within Mailgun as well. The following is a simple example of configuring rolemapping in Mailgun. This configuration will pass the Okta group names in the SAML assertion inside the UserGroup attribute, ultimately allowing Mailgun's rolemapping to decide which role should be assigned to a given user. 

The below screenshot is from Mailgun on the SAML configuration page. In this example, whenever an Okta user has the IdP group attribute (UserGroup) assigned to "Developers", Mailgun in turn will assign the user a "developer" role. A similar example could be an Okta UserGroup of "Supervisors" mapping to the Mailgun role of "admin".

SAMLroleMapping.png

Important things to keep in mind:

  • A user must map to a particular role, or login will not be rejected with an appropriate error message displayed. 
  • Not every Mailgun role needs to have a mapping. For example, if there is no need for you to use the “Analyst” role in Mailgun, leave that mapping blank in the Mailgun Control Panel. 
  • Mailgun’s rolemapping feature only supports case-sensitive string matches. Regex’s are not supported at this time.
  • Account owners can never perform an SP-initiated login by entering their email address at login.mailgun.com. This is to prevent the account owner from locking themselves out. The account owner can perform an IdP-initiated login, however. 
  • It is entirely possible that a user can be in two groups in Okta or simply map to multiple roles in Mailgun. If this happens, Mailgun will observe the higher-priority role of that user. For example, if a user maps to both a “developer” and “admin”, they will be assigned “admin” in Mailgun since it holds higher priority. The roles are given the following priority in descending order:
    • admin
    • developer
    • support
    • billing
    • analyst

Azure

Create An Azure Account (If Needed)

First, you’ll need an Azure Active Directory account and one of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.

. If you already have one, great! If not, you can register at https://azure.microsoft.com/en-us/free/ and follow the instructions to open an account.

  •  

Once you have activated your users within the Mailgun application, you will need to add them to Azure, your identity provider (IdP).

Setting up SAML SSO using Azure

To set up SAML, you will need first to verify that you own your corporate domain (the domain being used in the SAML configuration to log in) on both platforms (Mailgun and Azure).

 

Verifying a domain on Azure Active Directory

Go to your 'Azure Active Directory' and select 'Custom domain names'.

SSO_Azure_EN_24.PNG

Click on 'Add custom domain' and follow the procedure.

SSO_Azure_EN_25.5.png

Once the domain has been added, it will be shown on your 'Custom domain names' page. The status of the domain should be 'Verified' for the SSO to work.

SSO_Azure_EN_25.PNG

 

Verifying a domain on Mailgun

Follow the procedure described here

Once your domain is verified on both sides, let's start setting up SSO authentication between Azure and Mailgun.

 

SSO configuration on Azure

Enter your Azure account and navigate to 'Azure Active Directory'.

SSO_Azure_EN_4.PNG

Once there, click on 'Enterprise applications'.

SSO_Azure_EN_5.PNG

Select 'New application' on top of the screen.

SSO_Azure_EN_6.PNG

Then click on 'Create your own application' and follow the configuration steps.

SSO_Azure_EN_7.PNG

Once you have created your application, click on it...

SSO_Azure_EN_26.PNG

...and select the second option ‘Set up a single sign on”.

SSO_Azure_EN_8.PNG

Choose 'SAML' method for the SSO configuration.

SSO_Azure_EN_9.PNG

On the next page, you will find the relevant Identity Provider details and the forms you will need to complete.

On the first step 'Basic SAML Configuration', you will need to take the relevant Service Provider details from Mailgun, and fill out the marked sections below.

SSO_Azure_EN_12.PNG

 

Provide Mailgun information to Azure

Azure Mailgun
Identifier (Entity ID) Entity ID
Reply URL (Assertion Consumer Service URL) Assertion Consumer Service URL
Logout Url (Optional) Single Logout Service

 

Jump to the third step 'SAML Configuration' and select 'Sign SAML response and assertion' from the dropdown menu under 'Signing option'. The 'Signing Algorithm' field should be left as it is (SHA-256).

SSO_Azure_EN_13.PNG

Don't forget to download the Base64 certificate as you will need it later for the Mailgun configuration.

SSO_Azure_EN_27.PNG

When you have completed steps 1 and 3, you will need to do the same on the Mailgun side.

 

To access the SAML configuration on Mailgun, click on Account Settings --> SAML Auth (SSO) on the Account Information page.

SAML1.1.PNG

Select 'Setup SAML Auth'

SAML4.PNG

You will then find the form you will need to complete.

SAML2.PNG

In order to enable the SSO configuration, all the required fields must be filled with the identity provider details from Azure.

 

Provide Azure information to Mailgun

Mailgun
Azure
Comment
Associated domain(s) - The custom domain name must be added and verified in Azure and Mailjet
IdP Entity ID

Azure AD Identifier

 
Request signing preference SAML Signing Certificate section > Edit > Signing option Should be Sign SAML response and assertion
Single Sign-On URL Login URL  
Single Logout Service URL

Logout URL

 
X.509 certificate Certificate (Base64) Must be downloaded as Base64 and opened in a text editor before so the value can be copied in the required format

 

 

USERS MANAGEMENT

Open your Azure account, go to Azure Active Directory --> Users and click on 'New user'.

SSO_Azure_EN_15.PNG

SSO_Azure_EN_16.5.png

Follow all the steps and add the new user, which will be displayed on the 'Users' page.

SSO_Azure_EN_16.PNG

Now you need to assign the newly created user to the Mailgun application.

Go to the application and select 'Assign users and groups'

SSO_Azure_EN_17.PNG

Then click on 'add user/group'...

SSO_Azure_EN_18.5.png

...and select the user you want to give SSO access to from the list.

SSO_Azure_EN_19.PNG

Once selected and assigned, the user will be displayed under the 'Users and groups' page. All users displayed on this page will have SSO access to your application.

SSO_Azure_EN_18.PNG

 

Role-mapping In Azure

Only map the Roles that will be assigned to the Groups accessing the application.

  1. Click the cog wheel icon to edit each role mapping section.
    saml1.png
  2. IdP Attribute name will be UserGroup
  3. Set the IdP Attributes Value to the Object ID of the Azure AD Group
    saml2.png
    saml3.png

  4. Submit, the role mapping should look similar as below.
    saml4.png

 

 

If all the steps mentioned above have been followed correctly, users with access to your Mailgun application should have no problem logging in via SSO.

 

OneLogin

Setting Up SAML SSO Using OneLogin

Login to your OneLogin Administration page; on the navbar head over to "Applications"
mceclip0.png

In Applications, create your own application by selecting "Add App"

mceclip2.png

You'll be presented with categories on the subsequent page. Head to the search bar and search for "SAML". From the results select "SAML Custom Connector (Advanced)"

mceclip5.png

Give the connector app some details such as a display name, and a description for other admins in your organization to see such as configuration recommendations or processes. You can also choose if you would like to make the app visible to users' OneLogin dashboards/profiles. You can customize the logo using our assets over on our GitHub Repo

mceclip7.png

When you save, you'll land on a similar page with additional options to select from, as seen below.

mceclip0.png

For the next section load your Mailgun SAML details from your dashboard if you haven't had them in another tab/window already. You'll be copying over the Mailgun Service Provider details, note the copy buttons to make sure there are no character format issues or leading/trailing spaces.
mceclip9.png

Copy these over to OneLogin by going to "Configuration"

  • Entity ID will go into the Audience (EntityID) field.
  • Assertion Consumer Service URL (ACS URL) will go into the ACS (Consumer) URL Validator field and the ACS (Consumer) URL field.
  • Single Logout Service will go into the Single Logout URL field
  • NOTE: Mailgun requires BOTH the assertion and response to be signed. You need to change SAML signature element to BOTH.
 

mceclip12.png

Now you will need to provide information from OneLogin to Mailgun. Head over to to "SSO" section. Note the copy buttons to make things easier. mceclip13.png

To copy the X.509 Certificate you will need to click "View Details" and be taken to this page, again note the copy button. Change nothing else, DO NOT HIT DELETE simply navigate back to your app configuration.

mceclip14.png

  • Issuer URL will go in the IdP Entity ID field
  • SAML 2.0 Endpoint (HTTP) will go in the Single Sign-On URL field
  • SLO Endpoint (HTTP) will go in the Single Logout Service URL field
  • X.509 certificate will go into the X.509 certificate field

mceclip15.png

Hit "Update" you should receive toast notifications informing you each field has been updated successfully.

 

Configuring Attributes In OneLogin & Rolemapping

From here you'll need to configure parameters for either platform to be able to target values so roles are assigned as you desire. You'll need to configure an Attribute Name for each role you would like to set up, depending on how your organization handles their Identity Access Management (IAM) these can be the same or different. For more about how to best implement your IAM for your organization connect with your OneLogin support team or engineer.

For the below example we will be configuring against a OneLogin users "Title" as the identifier in OneLogin, you may find your organization utilizes groups, departments, teams, etc.

To start we created "MG.Role" as the Attribute Name and the targeted Value for each to correspond to either.

mceclip16.png

In OneLogin go to "Parameters" you will be creating a custom parameter connector field that matches the Attribute Name over in Mailgun that you chose. For this example, "MG.Role", and ensure "Include SAML Assertion" is toggled on.

mceclip18.png

The page will update and you will be allowed to choose your target OneLogin Value to apply against.

mceclip20.png

Notes:

  • A user must map to a particular role or login will not be allowed and an appropriate error message will be displayed. 
  • Not every Mailgun role needs to have a mapping. For example, if there is no need to have an “Analyst” role log in to Mailgun, just leave that mapping blank in the Mailgun UI. 
  • Mailgun’s role mapping feature only supports case-sensitive string matches. Regex’s are not supported at this time.
  • Account owners can never perform an SP-initiated login flow by entering their email address at login.mailgun.com. This is to prevent the account owner from locking themselves out. The account owner can perform an IdP-initiated login, however. 

Save All your changes. 


Finally, you will need to ensure your desired users are assigned the application you just finished creating. In this example, as I only have a single user, I did so directly in the user details section. You may find your organization's IAM setup with OneLogin may utilize Groups, Departments, Roles, for Role-Based Access Control (RBAC) assignment to apply applications at scale. To configure and assist with ensuring users are assigned appropriately work with OneLogin support. 

mceclip21.png

 

To test things out, it's recommended you create a test user in OneLogin, setup as desired there, and head over to our Login Page IN A NEW INCOGNITO WINDOW. When you sign in as the new user you should be redirected to authenticate the user with OneLogin.
mceclip22.png

To confirm back in your cached browser session (Aka the non-incognito session) navigate to your account security page. Here, if completed successfully, you will see your new user automatically created with a "SAML Auth" flag.

mceclip23.png

Done!

Got Questions?

Mailgun by Sinch has answers! If you have any concerns or questions, please send us a Support ticket using the Support page within your Mailgun Control Panel.  Our Support Team will be happy to assist!