The images in this article reflect the new MPP User Interface, which could differ from your end user experience. Please review this article for details on switching to the new UI.
This article provides information on configuring Single Sign-On (SSO) for the Mimecast Personal Portal, including IdP-initiated and SP-initiated SAML SSO setups and enabling Multi-Factor Authentication.
Configuring Single Sign-On using a Third-Party Identity Provider
Working With Your Identity Provider
Providing Information to Your Identity Provider
Before configuring Single Sign-On settings, you must work with your Identity Provider to add support for Mimecast. Some providers (e.g., OneLogin, Okta, or Centrify) may have Mimecast apps in their application catalogs. However, Mimecast is not able to provide support for these as their implementation is out of Mimecast's control. Consult directly with your Identity Provider if you need any assistance. The following information may be useful for your Identity Provider:
| Field / Option | Description |
|---|---|
| SAML Version | Mimecast only supports SAML 2.0. Your Identity Provider must also support this. |
| Service Provider Initiated Request: Binding Type | Service Provider Initiated SAML requests from Mimecast use the HTTP-POST binding. |
| Service Provider Initiated Request: Issuer | Mimecast sends its <saml:Issuer> value in the form xx-api.mimecast.com.ACCOUNTCODE, as shown in the example request below. Your Identity Provider may suggest adding https:// before this value; Mimecast requires it to be left off (with the exception of Microsoft Azure/Entra). If you have another Identity Provider that requires https:// in the <saml:Issuer> value, please open a support ticket. |
| Service Provider Initiated Request: AssertionConsumerUrl | The AssertionConsumerServiceURL value in a Service Provider Initiated SAML request from Mimecast differs depending on the Mimecast grid in which your organization's account is hosted. It follows the pattern https://xx-api.mimecast.com/login/saml shown in the example request below, where xx-api.mimecast.com is the host for your grid (the regional hosts are listed in the AD FS section of this article, and the full list of values is on the Global SAML URLs and Audience Values page). |
| Service Provider Initiated Request: RequestedAuthnContext | Mimecast supports the RequestedAuthnContext feature in a Service Provider Initiated SAML request. Depending on your Mimecast configuration, the request contains no RequestedAuthnContext, a single <saml:AuthnContextClassRef>, or both of the class references shown in the example request below. |
| SAML Response: Destination | Mimecast maintains different URLs for Service Provider Initiated and Identity Provider Initiated SAML authentication. The response to a Mimecast-initiated request must be sent to the /login/saml AssertionConsumerServiceURL for your grid; an Identity Provider Initiated response goes to the /login/sso/mpp URL for your grid (listed in the AD FS section of this article). |
| SAML Response: Issuer | The Issuer element must be present and contain the value provided by your Identity Provider. This value is also set in the Mimecast configuration in a later step, and the value found in the SAML response must match the value stored in your Mimecast settings exactly. |
| SAML Response: Audience | The SAML response must contain an AudienceRestriction element with a child element called Audience. Its value depends on the region where your Mimecast account is hosted and takes the form xx-api.mimecast.com.ACCOUNTCODE; these are the same values used as the Relying Party Trust Identifier in the AD FS section of this article, and the full list is on the Global SAML URLs and Audience Values page. |
| SAML Response: NameID | The SAML response must contain the NameID element as a child of the Subject element. The value of this element must be the requesting user's primary email address. |
| SAML Response: NotBefore / NotOnOrAfter | The assertion's Conditions element must carry NotBefore and NotOnOrAfter attributes, and the current time must fall within that window. Mimecast allows a 1-minute margin of error for clock skew; a response outside the window is rejected for security reasons, so keep your Identity Provider's clock synchronized. |
| SAML Response: Token Signing Certificate | The SAML response must carry an XML signature whose KeyInfo contains your Identity Provider's signing certificate. The certificate is also set in the Mimecast configuration in a later step, and the certificate found in the SAML response must match the one stored in your Mimecast settings. |
Example Service Provider (Mimecast) Initiated Request
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_64642038fbe3183a186d3341a82c7ae5"
Version="2.0"
IssueInstant="2015-12-15T11:38:55Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://xx-api.mimecast.com/login/saml">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xx-api.mimecast.com.ACCOUNTCODE</saml:Issuer>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:federation:authentication:windows
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Where ACCOUNTCODE is your unique Mimecast account code as specified in the Account | Account Settings page of the Administration Console.
Example SAML Response
<samlp:Response ID="_233d5c0c-1349-4c2b-b9d7-ea81a372c0e1"
                Version="2.0"
                IssueInstant="2015-12-10T10:43:01.236Z"
                Destination="https://xx-api.mimecast.com/login/saml"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">{issuer}</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_4979d114-89a0-4444-b511-49863d0d822e"
             IssueInstant="2015-12-10T10:43:01.236Z"
             Version="2.0"
             xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>{issuer}</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_4979d114-89a0-4444-b511-49863d0d822e">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>jXxm9YqN2re9PxvH1fnc1nCr3mn97OdFrfQfDcqYjeU=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>JG++KMDC+AzrFNTbO7STsWz1kpvQ8q+05d8wUi5sb9uZE0XC6mdOcjHwQqyEKAHT
UgY/dFdCGckfkz+pRC6Rrd2LEDBGyiAoAslJCUWFaELLlzCV4Vt1ZjTmMo4p6pM+k33hqlzOHV/gpqY
FKnVVRVTTvdJ4sqxheF4D4RJcdo9YH7x65F1U9FX+DtkBSpaBvzYwFxQ2KBW4oTmlAlZ4B0/dEvJ2w92
psywaRLtgVBvO5571xkpVBL7t6UYDfflopLVFhq4+j4UVQdmnWPEA4aUTtVEo3vh/U59mCzNVgpYI
aT/AfYhXggeiN4me2i0/MnikEVzA4PioOmRpYdySOw==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{certificate metadata}</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>{emailAddress}</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2015-12-10T10:48:01.236Z"
                                 Recipient="https://xx-api.mimecast.com/login/saml"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2015-12-10T10:43:01.236Z"
                NotOnOrAfter="2015-12-10T11:43:01.236Z">
      <AudienceRestriction>
        <Audience>{audience}</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2015-12-10T10:42:48.779Z"
                    SessionIndex="_4979d114-89a0-4444-b511-49863d0d822e">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
Note that the signature's Reference URI must point at the ID of the Assertion it signs; a signature whose reference does not match the signed element cannot be validated.
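The following Python script is an added worked example (not Mimecast code) that checks a SAML Response against the requirements in the table above, using a constructed response shaped like the example. It assumes the Europe grid, a placeholder account code CEXAMPLE1, a hypothetical AD FS issuer and a placeholder certificate body. It deliberately does not verify the XML signature: a real service provider must do that first with an XML-DSig library, because every field checked here can be rewritten by an attacker if the signature is not enforced.

```python
# Added example (not Mimecast code): checks a SAML Response against the table above.
# All sample data is constructed; issuer, account code and certificate are placeholders.
# The XML signature is NOT verified: do that first with an XML-DSig library (xmlsec, python3-saml).
from __future__ import annotations
import re
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML (XXE hardening)

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=1)  # the 1-minute margin described in the table

def expected_values(grid: str, account_code: str) -> dict:
    """Per-grid values following the example request's pattern (confirm yours on the
    Global SAML URLs and Audience Values page)."""
    host = f"{grid}-api.mimecast.com"
    return {"sp_destination": f"https://{host}/login/saml",      # SP-initiated
            "idp_destination": f"https://{host}/login/sso/mpp",  # IdP-initiated
            "audience": f"{host}.{account_code}"}

def normalize_cert(text: str) -> str:
    """Drop BEGIN/END lines and whitespace so PEM and KeyInfo forms compare equal."""
    return re.sub(r"\s+", "", "".join(l for l in text.splitlines() if "-----" not in l))

def _time(value: str) -> datetime:  # xs:dateTime in UTC, with or without a fraction
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text: str, *, issuer: str, audience: str, destination: str,
                      certificate: str, now: datetime | None = None) -> list[str]:
    """Return the violated requirements; an empty list means every check passed."""
    now, errors = now or datetime.now(timezone.utc), []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") != destination:
        errors.append(f"Destination {root.get('Destination')!r} != {destination!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("StatusCode is not Success")
    for path in ("saml:Issuer", "saml:Assertion/saml:Issuer"):  # both must match
        el = root.find(path, NS)
        if el is None or (el.text or "").strip() != issuer:
            errors.append(f"{path} missing or != {issuer!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return errors + ["no Assertion"]
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != audience:
        errors.append(f"Audience missing or != {audience!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None else ""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        errors.append(f"NameID {email!r} is not an email address")
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not nb or not na:
        errors.append("Conditions lacks NotBefore/NotOnOrAfter")
    else:  # the current time must fall inside the window, allowing 1 minute of clock skew
        if now + CLOCK_SKEW < _time(nb):
            errors.append("not yet valid: NotBefore is in the future")
        if now - CLOCK_SKEW >= _time(na):
            errors.append("expired: NotOnOrAfter has passed")
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or normalize_cert(cert.text or "") != normalize_cert(certificate):
        errors.append("X509Certificate missing or differs from the stored certificate")
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
        errors.append("Signature Reference URI does not point at the Assertion ID")
    return errors

# Constructed sample: Europe grid, placeholder account code, clock fixed at 10:45 UTC.
EXPECTED = expected_values("eu", "CEXAMPLE1")
SAMPLE_ISSUER = "http://adfs.example.com/adfs/services/trust"  # hypothetical IdP entityID
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIICexampleCERT\nBODYonly==\n-----END CERTIFICATE-----"
SAMPLE_NOW = datetime(2015, 12, 10, 10, 45, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2015-12-10T10:43:01.236Z"
  Destination="{EXPECTED['sp_destination']}">
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-12-10T10:43:01.236Z">
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICexampleCERT BODYonly==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-12-10T10:43:01.236Z" NotOnOrAfter="2015-12-10T11:43:01.236Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED['audience']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_sample(hours_later: float = 0, audience: str = EXPECTED["audience"]) -> list[str]:
    """Validate the sample, optionally shifting the clock or the expected audience."""
    return validate_response(SAMPLE_RESPONSE, issuer=SAMPLE_ISSUER, audience=audience,
                             destination=EXPECTED["sp_destination"], certificate=SAMPLE_CERT_PEM,
                             now=SAMPLE_NOW + timedelta(hours=hours_later))
```

check_sample() returns an empty list for the sample as constructed; shifting the clock two hours forward reports the assertion as expired, and passing the audience for a different grid reports the Audience mismatch. The certificate comparison normalizes both sides the same way the Authentication Profile expects the certificate to be pasted (body only, no BEGIN/END lines, no whitespace).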
Collecting Information From Your Identity Provider
Before configuring any Mimecast settings, you must gather the following information from your Identity Provider:
| Field / Option | Description |
|---|---|
| SAML Version | Mimecast only supports SAML 2.0. Your Identity Provider must also support this. |
| Federation Metadata URL | Mimecast can import the SAML Issuer, Login URL, and Token Signing Certificate from a URL if your Identity Provider publishes this information in the standard SAML metadata XML format. |
| SAML Issuer | A unique URI that identifies your Identity Provider (its entityID). The <saml:Issuer> element of SAML responses sent to Mimecast must match this value exactly. |
| Login URL | The URL to which Mimecast redirects the user to start the authentication attempt. |
| Logout URL | The URL to which Mimecast redirects the user when they log out. Mimecast only supports basic redirects here. |
| Supported Authentication Contexts | How users will authenticate against the Identity Provider and which authentication context classes it supports. Mimecast supports the RequestedAuthnContext feature in a Service Provider Initiated SAML request; depending on your Mimecast configuration, the request contains no RequestedAuthnContext, a single <saml:AuthnContextClassRef>, or both of the class references shown in the example request above. |
| Token Signing Certificate Metadata | The base64 body of the signing certificate issued by your Identity Provider. |
Configuring Mimecast Settings
Once your Identity Provider is set up to support Mimecast SAML authentication requests and responses, you must configure a Mimecast Authentication profile. This profile is applied to the users that you want to use Single Sign-on using the Applications Settings feature.
SAML Settings
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Select the Authentication Profiles button.
- Either click on an existing Authentication Profile to update it, or click the New Authentication Profile button.
- Enter a Description for the new profile.
- Select the Enforce SAML Authentication for Mimecast Personal Portal option.
- Select your Identity Provider from the Provider drop-down list to see the help text specific to that provider. If your provider is not listed, choose Other.
- If your Identity Provider supports it, enter the Federation Metadata URL of your Identity Provider and select Import to populate all of the required settings automatically.
- If Mimecast cannot reach this URL or your Identity Provider does not support this function, manually enter the Issuer, Login URL, and Identity Provider Certificate Metadata values. When populating the Identity Provider Certificate, paste only the base64 body of the certificate: trim the BEGIN CERTIFICATE and END CERTIFICATE lines from the certificate metadata.
- Optionally select Monitor Metadata URL. This option requires a valid Metadata URL and will check that your Authentication Profile contains the current Identity Provider certificate and settings. The feature is designed to prevent unexpected issues when these settings change at the Identity Provider.
Checks are made a maximum of once daily and initiated when a user logs in. If a user with this Authentication Profile applied does not log in on a given day, the metadata will not be checked.
- Optionally specify the Logout URL. Mimecast only supports basic URL redirect logout methods.
- Optionally define which Authentication Context to use. By default, both password-protected and integrated contexts are used.
These settings define the AuthnContextClass used in the SAML request provided by Mimecast and sent to your Identity Provider. Mimecast supports the Password Protected Transport and Windows Integrated contexts, a combination of both or no context.
- Choose to Allow Single Sign On. This setting enables/disables Identity Provider Initiated Sign On.
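As an added example (not Mimecast's own code), the following Python script shows what the Federation Metadata URL import and the Monitor Metadata URL check described above have to pull out of an identity provider's metadata, and how the trimmed-certificate comparison against the stored Authentication Profile works. The metadata document, entityID, endpoint URLs and certificate bodies are constructed placeholders; fetching the URL itself is left to the caller so the script runs offline.

```python
# Added example (not Mimecast code): parse IdP federation metadata and report drift
# against a stored Authentication Profile. All values below are constructed placeholders.
from __future__ import annotations
import re
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing a remote document

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NS = {"md": MD, "ds": DS}

def normalize_cert(text: str) -> str:
    """Strip BEGIN/END lines and whitespace (the 'trim the Begin and End tags' step)."""
    return re.sub(r"\s+", "", "".join(l for l in text.splitlines() if "-----" not in l))

def parse_metadata(xml_text: str) -> dict:
    """Extract the Issuer, Login URL, Logout URL and signing certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor root")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP)")
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            signing.append(normalize_cert(c.text or ""))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    return {"issuer": root.get("entityID"),
            "login_url": sso.get(POST) or sso.get(REDIRECT),  # Mimecast POSTs its request
            "logout_url": slo.get(REDIRECT),                  # basic redirect logout only
            "signing_certs": signing}

def check_profile(profile: dict, metadata: dict) -> list[str]:
    """Findings a Monitor Metadata URL style check would raise for a stored profile."""
    findings = []
    for key in ("issuer", "login_url"):
        if profile.get(key) != metadata[key]:
            findings.append(f"{key} changed: {profile.get(key)!r} -> {metadata[key]!r}")
    stored = normalize_cert(profile["certificate"])
    if stored not in metadata["signing_certs"]:
        findings.append("stored certificate is no longer published by the IdP: re-import")
    elif len(metadata["signing_certs"]) > 1:
        findings.append(f"IdP publishes {len(metadata['signing_certs'])} signing certificates: "
                        "confirm the stored one is the current (latest Expire On) certificate")
    return findings

# Constructed sample: an AD FS style document with two signing certs (rollover in progress).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICnew==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICold==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICenc==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{POST}" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

STORED_PROFILE = {  # what an administrator pasted into the Authentication Profile (constructed)
    "issuer": "http://adfs.example.com/adfs/services/trust",
    "login_url": "https://adfs.example.com/adfs/ls/",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIICold==\n-----END CERTIFICATE-----",
}

def check_sample(certificate: str = STORED_PROFILE["certificate"]) -> list[str]:
    """Run the drift check on the sample, optionally with a different stored certificate."""
    profile = dict(STORED_PROFILE, certificate=certificate)
    return check_profile(profile, parse_metadata(SAMPLE_METADATA))
```

With the sample as constructed, check_sample() reports only that the IdP publishes two signing certificates, which is the Azure-style rollover situation in which you must confirm the stored certificate is the current one; substituting a certificate that is not in the metadata reports that it is no longer published. The encryption certificate is ignored, as it is not used to sign responses.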
Defining Permitted IP Ranges
To add an additional layer of security, Mimecast provides optional Permitted IP range settings for the Mimecast Administration Console, Mimecast's end-user applications, and Gateway authentication attempts.
You can configure Permitted IP ranges for the Mimecast Administration Console, by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Account | Account Settings.
- Open the User Access and Permissions section.
- In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
You can configure Permitted IP Ranges for end-user applications, by using the following steps:
- Select the checkbox to enable Permitted Application Login IP Ranges.
- In the Permitted Application Login IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one per line.
- Select Save and Exit to apply the new settings.
You can configure Permitted IP Ranges for Gateway authentication using SMTP or POP:
- Select the checkbox to enable Permitted Gateway Login IP Ranges.
- In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
- Select Save and Exit to apply the new settings.
Other Options
An Authentication Profile is applied to a group of users, and a user can only have one effective profile at a given time. Consequently, you may want to add authentication options to your Authentication Profile. Please see the Authentication Options space for information on other authentication methods.
Applying the Authentication Profile to an Application Setting
Once your Authentication Profile is complete, you need to reference it in an Application Setting for it to be applied. You can do this, by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Select the Application Setting that you want to use.
- Use the Lookup button to find the Authentication Profile you want to reference.
- Click on the Select link on the lookup page.
- Select Save and Exit to apply the change.
Testing Your Configuration
When using service provider-initiated SAML authentication, your users must access the Mimecast Personal Portal using the regional URL. Because each identity provider implements SAML differently, only the URLs mentioned in the Global SAML URLs and Audience Values page are supported.
You can test your configuration and verify that your Authentication Profile has been configured correctly, by using the following steps:
- Open a web browser and navigate to the Mimecast Personal Portal.
- Enter your primary email address.
- You should be redirected to your Identity Provider Login URL specified in the Authentication Profile.
- If required, log on to your Identity Provider.
- You should then be redirected to the Mimecast Personal Portal and granted access.
You can test Identity Provider Initiated Sign On, by using the following steps:
- Navigate to your Identity Provider login page and log in.
- From the published applications page, select the Mimecast Personal Portal application you have created.
- You should be redirected to the Mimecast Personal Portal and granted access.
Configuring Single Sign-On using Azure Active Directory (AD)
Supported Configurations
Mimecast only supports service provider-initiated SSO when using Microsoft Azure AD as an identity provider. With this model:
- Users open Mimecast Personal Portal in a web browser.
- Users enter their primary email address to start the logon process.
- Users are redirected to Microsoft Azure.
- Depending on the user's status, the browser used, and your environment, Microsoft Azure decides if the user is already authenticated.
- If Microsoft Azure decides the user is authenticated, the user is redirected back to Mimecast Personal Portal and granted access.
- If Microsoft Azure decides the user isn't authenticated, they must log on to Microsoft Azure before being redirected back to the Mimecast Personal Portal and granted access.
- Mimecast Personal Portal SSO depends on Mimecast Administration Console SSO. If SSO is configured for the Mimecast Personal Portal but not for the Mimecast Administration Console, administrators cannot log on to the portal. End users are not affected, because they have no access to the Mimecast Administration Console and can log in to the Mimecast Personal Portal with SSO as normal.
Azure My Apps Portal
If you create an application in Microsoft Azure, it is possible for it to be published to the Azure My Apps portal. After following the steps in this guide, the following behavior is supported:
- Users navigate to the Azure My Apps portal and log on.
- Users select the Mimecast application and are redirected to the Mimecast logon page.
- Users enter their primary email address and select Next.
- The user's web browser is redirected to Microsoft Azure, and immediately redirected back to the Mimecast application and granted access, as they will already be authenticated with Microsoft Azure.
Microsoft has created an application to use with Mimecast Personal Portal in the Azure My Apps portal. Whilst this may be useful, Mimecast takes no responsibility for issues that may result from using it. See the Azure Active Directory integration with Mimecast Personal Portal.
Authentication Contexts
An authentication context is defined as part of the SAML request generated by Mimecast and posted to Microsoft Azure after the user enters their primary email address in the Mimecast application. When integrating with Microsoft Azure, Mimecast supports the following contexts:
- Password Protected
- Windows Integrated
- None
The decision on which context to use depends on how your organization is set up:
| Organization Setup | Recommended Authentication Context | Expected behavior |
|---|---|---|
| Microsoft Azure AD / Microsoft 365 Federated with an On Premise ADFS Environment | None | Users are typically on a domain-joined computer using Internet Explorer and expect Windows Integrated Authentication to handle access to your organization's applications. We recommend not setting an Authentication Context in this scenario: leaving it unset keeps the flexibility for users to reach the Mimecast application from other web browsers and devices, whereas setting Password Protected is likely to break users' access from Internet Explorer, and setting Windows Integrated is likely to break users' access from other web browsers or devices. |
| Microsoft Office 2010 | Password Protected | Regardless of the web browser used, users should be logging on to Microsoft Azure using a combination of their email address and password. |
Configuring / Creating an Azure AD Application
See Configure SSO Logins Using Azure Premium.
Configuring Your Mimecast Settings
Once Microsoft Azure is set up to support Single Sign-On, you need to configure an authentication profile. This profile is applied to the users that you want to use Single Sign-on with the Applications Settings feature.
You can create an authentication profile, by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Click on the Authentication Profiles button.
- Either click on an existing Authentication Profile to update it, or click the New Authentication Profile button to create one.
- Enter a Description for the profile.
- Select Enforce SAML Authentication for Mimecast Web Apps.
- Complete the SAML Settings for Mimecast Web Apps section as follows:
| Field / Option | Setting |
|---|---|
| Provider | Azure Active Directory |
| Metadata URL | Enter the "Federation Metadata URL" copied when creating the Azure AD application, and click on the Import button. Azure AD typically hosts more than one Identity Provider Certificate. Where this is true, a dialog is displayed allowing you to select the certificate you want to use. Select the certificate with the latest Expire On date. |
| Monitor Metadata URL | Selected. Selecting this isn't strictly necessary, but it greatly increases the chances of success: if it is not selected, you must correctly select the certificate presented by Microsoft yourself, and the profile is not checked against the metadata when Microsoft rolls the certificate over. |
- Select the Authentication Context to use.
- Click on the Save and Exit button.
Defining Permitted IP Ranges
To add a layer of security, we provide optional Permitted IP Range settings for the Mimecast Administration Console, End User Applications, and Gateway authentication attempts.
You can configure Permitted IP ranges for the Mimecast Administration Console, by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Account | Account Settings.
- Expand the User Access and Permissions section.
- In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
- Click on the Save and Exit button.
You can configure Permitted IP Ranges for End User Applications by using the following steps:
- Select the Permitted Application Login IP Ranges option.
- Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
- Click on the Save and Exit button.
You can configure Permitted IP Ranges for Gateway authentication using SMTP or POP, by using the following steps:
- Select the Permitted Gateway Login IP Ranges option.
- Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
- Click on the Save and Exit button.
Other Options
An Authentication Profile is applied to a group of users, and a user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile. See Authentication Options for information on other authentication methods.
Applying the Authentication Profile to an Application Setting
Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied, by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Select the Application Setting that you want to use. Use the Lookup button to find the Authentication Profile you want to reference, and click the Select link on the lookup page.
- Click on the Save and Exit button.
Testing Your Configuration
When using service provider-initiated SAML authentication, your users must access the Mimecast Personal Portal using the regional URL. Because each identity provider implements SAML differently, only the URLs mentioned in the Global SAML URLs and Audience Values page are supported.
You can test your configuration and verify that your Authentication Profile has been configured correctly, by using the following steps:
- Open a web browser and navigate to the Mimecast Personal Portal.
- Enter your primary email address.
- You should be redirected to the Microsoft Azure Login URL specified in the Authentication Profile.
- If required, log on to Microsoft Azure.
- You should be redirected to the Mimecast Personal Portal, and granted access.
Configuring Single Sign-On using Active Directory Federation Services (AD FS)
The information below explains how to configure Single Sign-On for the Mimecast Personal Portal using Active Directory Federation Services (AD FS) as an Identity Provider. The following AD FS versions are supported:
- v4.0 on Windows Server 2016
- v3.0 on Windows Server 2012 R2
- v2.1 on Windows Server 2012
- v2.0 on Windows Server 2008 R2
Creating a Relying Party Trust
You can create a relying party trust, by using the following steps:
- Open the AD FS Management Console on the server.
- Expand the Trust Relationships node.
- Select Relying Party Trusts.
- Select Add Relying Party Trust... from the Actions pane on the right-hand side of the console.
- Click Next to navigate to the Select Data Source page.
- Select the Enter Data About the Relying Party Manually option.
- Click the Next button to navigate to the Specify Display Name page.
- Enter a Display Name (e.g., Mimecast MPP).
- Click the Next button until you reach the Choose Issuance Authorization Rules page.
The Choose Profile page can be left with the default AD FS profile selected. Likewise, the Configure Certificate and Configure URL pages can be left blank.
- Enter a Relying Party Trust Identifier using the value for the region where your Mimecast account is hosted from the table below:
| Region | Value |
|---|---|
| Europe (Excluding Germany) | eu-api.mimecast.com.ACCOUNTCODE |
| Germany | de-api.mimecast.com.ACCOUNTCODE |
| United States of America | us-api.mimecast.com.ACCOUNTCODE |
| Canada | ca-api.mimecast.com.ACCOUNTCODE |
| South Africa | za-api.mimecast.com.ACCOUNTCODE |
| Australia | au-api.mimecast.com.ACCOUNTCODE |
| Offshore | jer-api.mimecast.com.ACCOUNTCODE |
| USPCOM | uspcom-api.mimecast-pscom-us.com.ACCOUNTCODE |
• ACCOUNTCODE is your unique Mimecast account code as specified in the Account | Account Settings page of the Mimecast Administration Console. We recommend creating three relying party trusts, each with a different trusted URL endpoint.
• AD FS suggests adding https:// before the Relying Party Trust Identifier value; Mimecast requires this to be left off. Enter the value into the Relying Party Trust Identifier field exactly as shown in the table.
- Permit All Users to access the relying party trust.
- Click the Next button to navigate to the Ready to Add Trust page.
- Click the Next button to confirm you are ready.
- Click the Finish button.
Configuring the Relying Party Trust
You can configure the relying party trust, by using the following steps:
- Right-click the Created Trust.
- Click on the Properties menu item.
- Click on the Endpoints tab.
- Click the Add button.
- Complete the Add an Endpoint settings to support Identity Provider Initiated Authentication and allow users to access the Mimecast Personal Portal from your AD FS portal:
| Field / Option | Value |
|---|---|
| Endpoint Type | SAML Assertion Consumer |
| Binding | POST |
| Set the Trusted URL as the Default | Enabled |
| Index | 0 |
| Trusted URL for IdP-Initiated Logins | Use the value for the region where your Mimecast account is hosted from the table below. |
| Region | URL |
|---|---|
| Europe (Excluding Germany) | https://eu-api.mimecast.com/login/sso/mpp |
| Germany | https://de-api.mimecast.com/login/sso/mpp |
| United States of America | https://us-api.mimecast.com/login/sso/mpp |
| Canada | https://ca-api.mimecast.com/login/sso/mpp |
| South Africa | https://za-api.mimecast.com/login/sso/mpp |
| Australia | https://au-api.mimecast.com/login/sso/mpp |
| Offshore | https://jer-api.mimecast.com/login/sso/mpp |
| USPCOM | https://uspcom-api.mimecast-pscom-us.com/login/sso/mpp |
- Click the OK button.
- Complete the Add an Endpoint settings a second time to support Service Provider Initiated Authentication, which lets users access the Mimecast Personal Portal by entering their email address into the Mimecast Personal Portal login page. Use the same settings as for Identity Provider Initiated Authentication with the following exceptions:
| Field / Option | Value |
|---|---|
| Set the Trusted URL as the Default | Disabled. The default endpoint remains the Index 0 entry from the table above. |
| Index | 1 |
| Trusted URL for SP-Initiated logins | Use the value for the region where your Mimecast account is hosted. This is the AssertionConsumerServiceURL that Mimecast sends in its request, https://xx-api.mimecast.com/login/saml, on the same regional host as the IdP-initiated URL above (for example, https://eu-api.mimecast.com/login/saml for Europe); the full list is on the Global SAML URLs and Audience Values page. |
- Click the OK button twice to complete the configuration.
Editing Claims Rules
You can edit the claim rules, by using the following steps:
- Click on the Relying Party Trust from the Trust Relationships | Relying Party Trusts node.
- Click on the Edit Claims Rules... node in the Actions pane.
- Click on the Add Rule button in the Issuance Transform Rules tab.
- Ensure the Send LDAP Attributes as Claims option is selected.
- Click on the Next button.
- Enter a Claim Rule Name (e.g., Email Address as Name ID).
- Select Active Directory as your attribute store.
- Add a Rule as displayed below:
| LDAP Attribute | Outgoing Claim Type |
|---|---|
| E-Mail-Addresses | Name ID |
- Once complete, the rule should contain a single mapping of the E-Mail-Addresses LDAP attribute to the Name ID outgoing claim type.
- Click on the Finish button.
Configuring Mimecast Settings
Once your AD FS server is configured to support the integration, you must configure an Authentication Profile using the settings below.
| Field / Option | Description |
|---|---|
| Description | Provide a description to enable you to quickly identify it (e.g., ADFS Single Sign On). |
| Enforce SAML Authentication for the Mimecast Personal Portal | Select this option. Once selected, the SAML Settings are displayed. |
| Provider | Select "AD FS" from the drop-down list. |
| Metadata URL | Enter the Federation Metadata URL of your AD FS environment. This is always "https://<server>/FederationMetadata/2007-06/FederationMetadata.xml" (where <server> is the FQDN of your AD FS server), and Mimecast must be able to reach it for the import and the Monitor Metadata URL check to work. If Mimecast cannot reach the URL, the fields it would populate (Issuer, Login URL and Identity Provider Certificate) can be entered manually. When populating the "Identity Provider Certificate (Metadata)" field, trim the Begin and End tags from the certificate metadata so that only the base64 body remains. |
| Monitor Metadata URL | If selected, this option requires a valid Metadata URL and checks that your Authentication Profile contains the current Identity Provider certificate and settings. This is designed to prevent unexpected issues when these settings change in AD FS.
Checks are made a maximum of once daily and are initiated when a user logs on. The metadata is not checked if a user with this Authentication Profile applied does not log on on a given day. |
| Logout URL | Leave this empty. Mimecast only supports basic URL redirect logout methods, and AD FS is known to require a more advanced method that is not currently supported. |
| Use Password Protected Context / Use Integrated Authentication Context | Optionally define which authentication context to use. By default, both the password-protected and integrated contexts are selected. These settings define the AuthnContextClassRef values in the SAML request Mimecast sends to your AD FS log-on URL: Password Protected Transport, Windows Integrated, both, or neither. |
| Allow Single Sign On | Select this option to enable single sign-on. |
Defining Permitted IP Ranges
To add a layer of security, Mimecast provides optional Permitted IP Range settings for the Mimecast Administration Console, End User Applications, and Gateway authentication attempts.
You can configure Permitted IP ranges for the Mimecast Administration Console, by using the following steps:
- Log on to the Mimecast Administration Console.
- Navigate to Account | Account Settings.
- Open the User Access and Permissions section.
- Enter the Public IP Address Ranges you want to restrict access to in the "Admin IP Ranges" field in CIDR format, one range per line.
You can configure Permitted IP Ranges for End User Applications, by using the following steps:
- Log on to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Click on the Authentication Profiles button.
- Enable the Permitted Application Login IP Ranges option.
- Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
- Click on the Save and Exit button.
You can configure Permitted IP Ranges for Gateway authentication using SMTP or POP, by using the following steps:
- Log on to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Click on the Authentication Profiles button.
- Click on the Permitted Gateway Login IP Ranges option.
- Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
- Click on the Save and Exit button.
Other Options
An Authentication Profile is applied to a group of users, and a user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile. Read the Authentication Guides page for information on other authentication methods.
Applying the Authentication Profile to an Application Setting
Once your Authentication Profile is complete, you need to reference it in an Application Setting for it to be applied:
- Log on to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Select the Application Setting that you want to use.
- Use the Lookup button to find the Authentication Profile you wish to reference, and click the Select link on the lookup page.
- Click the Save and Exit button.
Testing the Configuration
When using service provider-initiated SAML authentication, your users must access the Mimecast Personal Portal using the regional URL. Because each identity provider implements SAML differently, only the URLs mentioned in the Global SAML URLs and Audience Values page are supported.
You can test your configuration by using the following steps:
- Open a Web Browser.
- Navigate to the Mimecast Personal Portal URL.
- Enter your Primary Email Address. You should be redirected to your AD FS login URL specified in the Authentication Profile.
- If required, log in to your AD FS environment. You should be redirected to the Mimecast Personal Portal and granted access.
You can test Identity Provider Initiated Sign On, by using the following steps:
- Navigate to your AD FS Login Page and log in.
- From the published applications page, select the Mimecast Personal Portal application you've created. You should be redirected to the Mimecast Personal Portal and granted access.