Overview
Note: SAML SSO is available on Scale and higher plans (i.e. Contract and Enterprise). See our plan comparison here.
If your Mailgun account has Sinch Identity enabled, then you will manage user authentication, which includes SAML configuration, within the Sinch Identity Control Panel rather than the Mailgun Control Panel.
General configuration
If you click on your profile dropdown in the upper right-hand corner of the Mailgun application and see "Manage my Sinch ID", then your user is Sinch ID enabled:
Additionally, if you navigate to your Account Settings page at https://app.mailgun.com/settings/account and visit the Authentication section, you will see the following:
To provide your SAML configuration, click on the Manage SAML button, which will take you to the Domains page within the Sinch ID portal. From there, click on Add new domain.
And then provide the domain name you will be using to authenticate and click on submit and confirm.
From there, you will need to verify that you own the domain name you wish to add by adding a TXT record at your DNS provider. Copy the value of the TXT record and either enter it into your DNS provider or provide it to a coworker who has access, then click on OK.
Your domain status will remain In review until the Sinch ID portal is able to verify your TXT record. This could take some time depending on DNS propagation and your settings, but is usually complete in less than 10 minutes.
Once your DNS record is verified, the status will update to Verified and you can proceed to click on the Manage button for configuration.
From the Domain Details page, click on the Configure Enterprise SSO button to start SAML configuration.
The SSO configuration screen is then displayed:
At a minimum, you must provide a Sign in URL and a Signing Certificate.
Other metadata you may require is provided in the Connection Info section and the copy icons to the right of the fields allow you to easily copy these strings.
The Advanced settings section allows you to provide more robust signing parameters, specify a protocol binding, and allow IdP initiated sign-ins.
Once you have entered your settings, click Save in the bottom right to commit your changes:
Please note that changes may take up to 30 seconds to take effect.
Now that your configuration has been saved, you will have the option to download a copy of the XML metadata for your configuration:
Click Download XML to download a copy of the XML metadata for your configuration.
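The downloaded metadata can be reviewed before its values are copied into your IdP. The Python sketch below is an added example, not Sinch or Mailgun code: it assumes the file follows the standard SAML 2.0 metadata schema, and the sample XML is constructed with placeholder identifiers and hostnames.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample, NOT real Sinch ID metadata; all values are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="urn:example:sp:placeholder">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_sp_metadata(xml_text):
    """Return the values an IdP admin needs, plus findings worth a second look."""
    # SAML metadata has no need for a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or sp is None:
        raise ValueError("not SAML 2.0 service-provider metadata")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    findings = []
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for _binding, location in acs:
        if not (location or "").startswith("https://"):
            findings.append("ACS endpoint is not HTTPS: %s" % location)
    if sp.get("WantAssertionsSigned", "false") not in ("true", "1"):
        findings.append("WantAssertionsSigned is not true; confirm what the IdP signs")
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false") in ("true", "1"),
        "findings": findings,
    }


if __name__ == "__main__":
    print(summarize_sp_metadata(SAMPLE_METADATA))
```
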
Once you're done, click the Go back… link at the top of the page. The Domain details page is displayed and the status of your domain has changed to Configured, showing that you have provided your configuration and are ready to enable SSO:
Congratulations! You have now configured and enabled SSO, and users with the given domain will be directed to your IdP.
Enabling SAML SSO
Note: Only Admin users have access to enable/disable SAML on an account.
Note: You can only enable/disable SAML SSO for a domain that 1) has the SAML settings already configured and 2) shows a domain status of Configured; otherwise, the Enterprise SSO toggle in the Available connections section will be unavailable.
As for enabling SAML SSO, we'll show you how to do this below:
- First, log in to the Mailgun Control Panel (if you have not already done so).
- Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
- Next, click the Manage my Sinch ID option located within the Account Settings section. Alternatively, you can use this direct link.
- Then, within the Navigation Menu on the left side of the Sinch Identity Control Panel, click the Domains option. (Domains is an option within the SSO configuration section of the Navigation Menu).
- Select the domain for which you wish to enable SAML SSO.
- Under the Available connections section, click to toggle-on the Enterprise SSO toggle, which will allow your users to begin authenticating with your IdP via SAML SSO.
- Additionally, the Username and Password toggle is provided as a fallback method and also uses Sinch ID. Nonetheless, you may disable this option if desired.
Disabling SAML SSO
Note: Only Admin users have access to enable/disable SAML on an account.
Note: You can only enable/disable SAML SSO for a domain that 1) has the SAML settings already configured and 2) shows a domain status of Configured; otherwise, the Enterprise SSO toggle in the Available connections section will be unavailable.
As for disabling SAML SSO, we'll show you how to do this below:
- First, log in to the Mailgun Control Panel (if you have not already done so).
- Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
- Next, click the Manage my Sinch ID option located within the Account Settings section. Alternatively, you can use this direct link.
- Then, within the Navigation Menu on the left side of the Sinch Identity Control Panel, click the Domains option. (Domains is an option within the SSO configuration section of the Navigation Menu).
- Select the domain for which you wish to disable SAML SSO.
- Under the Available connections section, click to toggle-off the Enterprise SSO toggle, which will no longer allow your users to authenticate with your IdP via SAML SSO.
- With SAML SSO disabled, the Username and Password toggle is available to use and utilizes Sinch ID.
Need Support?
Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support page of your Mailgun Control Panel, and we'll be with you shortly!