Configure OAuth/SSO - Email User

Do not use an email address for any user which needs to log in with SSO as the username of the Admin user.

Using the information provided by the chosen authentication provider, configure the necessary OAuth settings in Mail Assure:

  1. Log in to Mail Assure with your branded hostname and local Admin credentials
  2. Navigate to Domains Overview and select the domain to enable OAuth for
  3. Under Users & Permissions then open OAuth Settings. The Private brand login / OAuth (Domain) page is displayed
  4. To enable OAuth login, activate the OAuth login toggle button at the top of the page
  5. The Login link is the URL generated by the system for the OAuth login. The URL should contain the branded hostname.

  6. Your service provider will provide the following information to enter:
  7. For specific information on Microsoft 365 and Google Workspace setup, see the Configure SSO/OAuth with Microsoft 365 and Configure SSO/OAuth with Google pages.

    • Provider URL
    • Client ID
    • Client Secret
    • Token Endpoint
    • Authorization Endpoint
    • User info endpoint
    • Jwks Uri - URL for the OAuth Client's JWK Set (JWK) document. If the OAuth Client signs requests to the Server, it contains the signing key(s) the Server uses to validate signatures from the OAuth Client
    • Change password URL (optional) - URL where SSO users can change their passwords. It can contain an optional "redirect_to" token which will be replaced with the actual link to redirect the user after a successful password change
    • Logout URL (optional) - URL where SSO users will be redirected upon logging out. It will get the following parameters: "post_logout_redirect_uri" and "id_token_hint"
    • Use Nonce validation - Select the checkbox to allow this
    • Login button text - This will display an additional login button on the branded URL with the text entered
    • User identification method:
      • Subject - External ID - Will match the OAuth subject with the local "External ID" field - use this when the local username and the remote directory system are not the same, and email is not a suitable choice e.g. telephone number
      • Subject - Username - Will match the OAuth "subject" with the local username - use this when the local username and the one in the remote directory system are identical
      • Verified email - Will match the OAuth email address with the local email address (this is the most common option). This identification method requires both the email and email_verified claim
      • Unique name - Will match the providers unique_name attribute with the local email address
    • Invitation flow (optional):
      • Invitation URL - the URL to use to sign up if the user has no account
      • Redeem invitation URL - the link to use in the sign-up email
  8. Click Save settings