To help you, here is a step-by-step guide to creating the desired function. Possible additional functionalities are not considered here.
The degree of the safety measures set here must, if necessary, be determined by the operator of the SEPPmail Secure E-Mail Gateway themselves and be adapted to their circumstances.
Procedure:
(version of 12/07/2023)
Microsoft side configuration:
• Log in to the Microsoft 365 admin center (https://admin.microsoft.com/) as a user with at least the role "Cloud Application Administrator".
• In the navigation menu on the right (if necessary, click "Show all...") under "Admin centers", click on "Entra Domain Services". "My Dashboard" opens.
• To the right of "My Dashboard", again click on "Entra Domain Services". Under "Dashboard >", the "Overview" opens.
• To the right, click on "App registrations".
• Clicking on the tab "+ New registration" opens the menu "Register an application".
o Under "*Name", enter a descriptive name for the future connection.
(The name should be noted in parallel as "IDP service name").
Note: The APP name will later be displayed in the GINA GUI when accessing the user data. A name that signals the use case and the origin of the APP is therefore recommended, for example "contoso.eu - secure email" or "contoso.eu - GINA login".
o To ensure that only users of one's own organisation, that is of one's own AAD, can authenticate via this variant, select "Accounts in this organizational directory only" under "Supported account types".
o Under "Redirect URI", select "Web" in the drop-down menu "Select platform" and, as "URI", enter the full URL of the corresponding GINA Domain as displayed in the note above the input field Default Forward Page ("Note: If you want to show the GINA login page by default, enter "https://.../web.app" (without the quotes)").
If the access should be used for several GINA Domains, their "URI" may be entered later.
o The entries are then saved via the "Register" button.
(The "Application ID" (NOT the Object ID !) should be noted in parallel as "ID").
• Switch to the tab "Endpoints".
o In the "Endpoints" list to the right, navigate to "Federation metadata document", download the XML file via the link below it and save it in a path that can be accessed later from the administration interface of the SEPPmail Secure E-Mail Gateway.
(File name and path should be noted in parallel as "IDP metadata XML file").
• In the side menu of the "Dashboard", click on "API permissions".
o In the "Configured permissions" displayed to the right, the table under "API / Permissions name" lists "Microsoft Graph" and, below it, usually only the permission "User.Read".
The permission "User.Read" does not include the right to read the email address, which is, however, essential for the process.
• In the side menu of the "Dashboard", click on "Token configuration".
o In the "Optional claims" displayed to the right, add a claim via the tab "+ Add optional claim".
▪ The menu "Add optional claim" opens on the right, where the radio button "SAML" is to be selected.
▪ In the table below, check the claim "email".
▪ After clicking the "Add" button, a note appears at the top of the menu that, for this action, the permission "email" must be set in "Microsoft Graph".
▪ In that note, check "Turn on the Microsoft Graph email permission (required for claims to appear in token)." and confirm with "Add".
• In the side menu of the "Dashboard", click again on "API permissions".
o In the "Configured permissions" displayed on the right, the table under "API / Permissions name" "Microsoft Graph" should now list the permissions "User.Read" and "email".
• Clicking on "Overview" in the side menu of the "Dashboard" opens the "Essentials".
o Write down the "Application (client) ID" as "SP Entity ID".
SEPPmail Secure E-Mail Gateway side configuration:
• Log on to the administration interface.
• Switch to the menu GINA Domains.
• In the table of section Domains, under GINA name, click on the GINA Domain to be configured.
• In the next menu, navigate to the section IDP settings.
• In the section SAML authentication, create a new connection via New SAML authentication.
o Check the option Authenticate GINA users from this domain with SAML to activate it.
o Depending on the use case (see also GINA Webmail (optional) Initial Message Writing, as well as Large File Transfer (LFT) Delivery/Sending Via GINA Webmail, Delivery/Sending via SEPPmail Microsoft Outlook Add-In and Delivery/Sending By External Sender, and for Internal Mail Encryption (IME) SEPPmail IME with the exclusive utilisation of the GINA technology and SEPPmail IME 1.0), the option Automatically create GINA account if user can authenticate with SAML should also be activated.
o Under Used by managed domains, select the Managed domains to which the GINA Domain is allocated and which should be available for authentication.
o Under IDP service name, enter the "IDP service name" noted down in the Microsoft side configuration.
o For IDP metadata XML file, select the XML file from the path noted for "IDP metadata XML file".
o Under SP Entity ID, enter "spn:" followed by the "Application (client) ID" noted down in the Microsoft side configuration.
o Under Email attribute, enter "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress".
o Under Name attribute, enter "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname".
o Under Login button CSS class(es), enter "btn-default idp-btn".
o Confirm the configuration by clicking on Add.
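As an added self-check that is not part of the SEPPmail documentation, the following Python script parses a downloaded federation metadata document and compares it with the values entered on the SEPPmail side (SP Entity ID "spn:" plus the Application (client) ID, the emailaddress and givenname claim URIs, an HTTPS redirect URI). The metadata sample, tenant ID and client ID are constructed placeholders, and the redirect URI helper assumes the "/web.app" login page path from the note above.

```python
"""Compare an IdP federation metadata document with the SEPPmail-side SAML values."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
DS_CERT = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

# Constructed, minimal stand-in for the downloaded "Federation metadata document";
# the tenant ID and certificate value are placeholders, not real data.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the IdP entity ID, SSO endpoints and number of signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") == "signing" for c in kd.iter(DS_CERT)]
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "signing_certs": len(certs)}

def build_sp_config(client_id, gina_url):
    """Values entered on the SEPPmail side, derived from the noted Application (client) ID.
    The "/web.app" redirect path is an assumption taken from the note in the procedure."""
    return {"sp_entity_id": "spn:" + client_id, "redirect_uri": gina_url.rstrip("/") + "/web.app",
            "email_attribute": EMAIL_CLAIM, "name_attribute": NAME_CLAIM}

def check_config(meta, sp):
    """Return a list of problems; an empty list means both sides are consistent."""
    problems = []
    if not re.fullmatch(r"spn:[0-9a-f-]{36}", sp["sp_entity_id"]):
        problems.append("SP Entity ID must be 'spn:' followed by the Application (client) ID")
    if meta["signing_certs"] == 0:
        problems.append("IdP metadata carries no signing certificate; assertions cannot be verified")
    if not any(u.startswith("https://") for u in meta["sso_urls"]):
        problems.append("no HTTPS SingleSignOnService endpoint in IdP metadata")
    if not sp["redirect_uri"].startswith("https://"):
        problems.append("Redirect URI registered at Microsoft must use HTTPS")
    if sp["email_attribute"] != EMAIL_CLAIM or sp["name_attribute"] != NAME_CLAIM:
        problems.append("Email/Name attribute must be the emailaddress/givenname claim URIs")
    return problems
```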