This article contains information on configuring Single Sign-On (SSO) for Mimecast applications, detailing steps for working with Identity Providers, setting SAML parameters, and applying Authentication Profiles in different Mimecast environments.
Single Sign-On is supported in the following Mimecast End User Applications:
- Mimecast for Outlook
- Mimecast Mobile
- Mimecast for Mac
- Mimecast Partner Portal
Ensure you read SAML For End User Applications to learn about the impact of enabling this setting.
Working With Your Identity Provider
Providing Information to Your Identity Provider
Before configuring Single Sign-On settings you must work with your Identity Provider to add support for Mimecast. Some providers (for example OneLogin, Okta, or Centrify) may have Mimecast apps in their application catalogs. However, Mimecast cannot provide support for these, as their implementation is outside Mimecast's control. Please consult directly with your Identity Provider if you need any assistance.
The following information may be useful for your Identity Provider:
| Field | Description |
|---|---|
| SAML Version | Mimecast only supports SAML 2.0. Your Identity Provider must also support this. |
| Service Provider Initiated Request: Binding Type | Service Provider Initiated SAML requests from Mimecast use a POST binding. |
| Service Provider Initiated Request: Issuer | While your third-party service provider may suggest adding https:// before the `<saml:Issuer>` value, Mimecast requires this to be left off. The `<saml:Issuer>` value in a Service Provider Initiated SAML request from Mimecast differs depending on the Mimecast grid on which your organization's Mimecast account is hosted; the expected values for each grid are listed below. ACCOUNTCODE is your unique Mimecast account code, as specified on the Account \| Account Settings page of the Mimecast Administration Console. |
| Service Provider Initiated Request: AssertionConsumerUrl | The AssertionConsumerServiceURL value in a Service Provider Initiated SAML request from Mimecast differs depending on the Mimecast grid on which your organization's Mimecast account is hosted; the expected values for each grid are listed below. |
| Service Provider Initiated Request: RequestedAuthnContext | Mimecast supports the RequestedAuthnContext features in a Service Provider Initiated SAML request. Depending on your Mimecast configuration these values can be empty or: `<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"` It is also possible for the request to include only one `<saml:AuthnContextClassRef>`. |
| SAML Response: Destination | The Destination URLs for Service Provider Initiated SAML authentication attempts differ depending on the Mimecast grid on which your organization's Mimecast account is hosted; the expected values for each grid are listed below. |
| SAML Response: Issuer | The Issuer element must be present and contain the value provided by your Identity Provider. This value is also set in the Mimecast configuration in a later step, and the value found in the SAML response must match the value stored in your Mimecast settings. |
| SAML Response: Audience | The SAML response must contain an AudienceRestriction element with a child element called Audience. The value of this element must be set based on the region where your Mimecast account is hosted; the expected values for each grid are listed in the table below. ACCOUNTCODE is your unique Mimecast account code, as specified on the Administration \| Account \| Account Settings page of the Administration Console. |
| SAML Response: NameID | The SAML response must contain the NameID element as a child of the Subject element. The value of this element must be the requesting user's primary email address. |
| SAML Response: NotBefore / NotAfter | The SAML response must contain the NotBefore and NotAfter attributes in a Conditions element. The values of these attributes must be within a 1-minute margin of the current time; otherwise the request is rejected for security reasons. |
| SAML Response: Token Signing Certificate | The SAML response must contain the metadata of your Identity Provider's certificate. This value is also set in the Mimecast configuration in a later step, and the value found in the SAML response must match the value stored in your Mimecast settings. |
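The following Python script is added here as an illustration; it is not part of Mimecast's documentation or software. It checks a SAML Response against the conditions in the table above: Status, Issuer on both the Response and the Assertion, Destination and Recipient, bearer subject confirmation, NameID as an email address, Audience, and the NotBefore/NotOnOrAfter window, with the 1-minute margin applied as clock-skew tolerance (this script's reading of the table). It uses only the standard library and does not verify the XML signature; that check belongs to a SAML library and must pass before any of these values can be trusted. The sample response, the issuer and audience values and the user address are constructed; the ACS URL is the placeholder grid URL used in the examples on this page.

```python
"""Check a SAML Response against the conditions in the table above.
Added example, not Mimecast code. Signature verification is out of scope here;
the 1-minute margin is applied as clock-skew tolerance (this script's assumption)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(minutes=1)

@dataclass
class SpConfig:
    issuer: str     # Issuer stored in the Authentication Profile
    acs_url: str    # AssertionConsumerService / Destination URL for your grid
    audience: str   # Audience value for your grid

def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2015-12-10T10:43:01.236Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text: str, cfg: SpConfig, now: datetime) -> List[str]:
    """Return the failed checks; an empty list means the response passed."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("Destination") != cfg.acs_url:
        problems.append("Destination does not match the ACS URL")
    # Issuer must be present on the Response and on the Assertion and equal the stored value
    for path in ("saml:Issuer", "saml:Assertion/saml:Issuer"):
        el = root.find(path, NS)
        if el is None or (el.text or "").strip() != cfg.issuer:
            problems.append("%s missing or does not match the configured Issuer" % path)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None else ""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("NameID missing or not an email address")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        problems.append("SubjectConfirmation Method is not bearer")
    data = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != cfg.acs_url:
        problems.append("SubjectConfirmationData Recipient does not match the ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return problems + ["Conditions must carry NotBefore and NotOnOrAfter"]
    if now < _ts(cond.get("NotBefore")) - CLOCK_SKEW:
        problems.append("assertion not yet valid (NotBefore)")
    if now >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        problems.append("assertion expired (NotOnOrAfter)")
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != cfg.audience:
        problems.append("Audience missing or does not match the expected value")
    return problems

# Constructed sample modelled on the page's example response (signature omitted; not a real assertion)
SAMPLE_RESPONSE = """<samlp:Response ID="_233d5c0c-1349-4c2b-b9d7-ea81a372c0e1" Version="2.0"
    IssueInstant="2015-12-10T10:43:01.236Z" Destination="https://xx-api.mimecast.com/login/saml"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.test/saml</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="_4979d114-89a0-4444-b511-49863d0d822e" Version="2.0"
      IssueInstant="2015-12-10T10:43:01.236Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://idp.example.test/saml</Issuer>
    <Subject>
      <NameID>user@example.test</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2015-12-10T10:48:01.236Z"
            Recipient="https://xx-api.mimecast.com/login/saml"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2015-12-10T10:43:01.236Z" NotOnOrAfter="2015-12-10T11:43:01.236Z">
      <AudienceRestriction><Audience>EXAMPLE-AUDIENCE-FOR-YOUR-GRID</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</samlp:Response>"""

SAMPLE_CONFIG = SpConfig(issuer="https://idp.example.test/saml",            # constructed
                         acs_url="https://xx-api.mimecast.com/login/saml",  # placeholder grid URL from the page
                         audience="EXAMPLE-AUDIENCE-FOR-YOUR-GRID")         # constructed placeholder

def check_sample(now_iso: str, issuer: Optional[str] = None) -> List[str]:
    """Validate the sample at a given instant, optionally with a different stored Issuer."""
    cfg = SpConfig(issuer or SAMPLE_CONFIG.issuer, SAMPLE_CONFIG.acs_url, SAMPLE_CONFIG.audience)
    return validate_response(SAMPLE_RESPONSE, cfg, _ts(now_iso))
```

Call validate_response with the text posted to your /login/saml endpoint, the values stored in your Authentication Profile and the current UTC time. Each problem string names the field that failed, so a mismatch on Audience or Destination points back to the per-grid values in the table, while a NotBefore or NotOnOrAfter failure against a freshly issued response usually means the clocks of the Identity Provider and the receiving side disagree by more than the 1-minute margin.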
Example Service Provider (Mimecast) Initiated Request

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="_64642038fbe3183a186d3341a82c7ae5"
                    Version="2.0"
                    IssueInstant="2015-12-15T11:38:55Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://xx-api.mimecast.com/login/saml">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xx-api.mimecast.com.ACCOUNTCODE</saml:Issuer>
  <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                               Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      urn:federation:authentication:windows
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```

Where ACCOUNTCODE is your unique Mimecast account code as specified on the Account | Account Settings page of the Administration Console.
Example SAML Response

```xml
<samlp:Response ID="_233d5c0c-1349-4c2b-b9d7-ea81a372c0e1"
                Version="2.0"
                IssueInstant="2015-12-10T10:43:01.236Z"
                Destination="https://xx-api.mimecast.com/login/saml"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">{issuer}</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_4979d114-89a0-4444-b511-49863d0d822e"
             IssueInstant="2015-12-10T10:43:01.236Z"
             Version="2.0"
             xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>{issuer}</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <!-- The Reference URI must equal the ID of the signed Assertion element above -->
        <ds:Reference URI="#_4979d114-89a0-4444-b511-49863d0d822e">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>jXxm9YqN2re9PxvH1fnc1nCr3mn97OdFrfQfDcqYjeU=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>JG++KMDC+AzrFNTbO7STsWz1kpvQ8q+05d8wUi5sb9uZE0XC6mdO
cjHwQqyEKAHTUgY/dFdCGckfkz+pRC6Rrd2LEDBGyiAoAslJCUWFaELLlzCV4Vt1ZjTmM
o4p6pM+k33hqlzOHV/gpqYFKnVVRVTTvdJ4sqxheF4D4RJcdo9YH7x65F1U9FX+DtkBS
paBvzYwFxQ2KBW4oTmlAlZ4B0/dEvJ2w92psywaRLtgVBvO5571xkpVBL7t6UYDfflopL
VFhq4+j4UVQdmnWPEA4aUTtVEo3vh/U59mCzNVgpYIaT/AfYhXggeiN4me2i0/MnikEVzA
4PioOmRpYdySOw==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{certificate metadata}</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID>{emailAddress}</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2015-12-10T10:48:01.236Z"
                                 Recipient="https://xx-api.mimecast.com/login/saml"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2015-12-10T10:43:01.236Z"
                NotOnOrAfter="2015-12-10T11:43:01.236Z">
      <AudienceRestriction>
        <Audience>{audience}</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2015-12-10T10:42:48.779Z"
                    SessionIndex="_4979d114-89a0-4444-b511-49863d0d822e">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
```

Collect information from your Identity Provider
Before configuring any Mimecast settings, you must gather the following information from your Identity Provider:
| Field | Description |
|---|---|
| SAML Version | Mimecast only supports SAML 2.0. Your Identity Provider must also support this. |
| Federation Metadata URL | Mimecast can import the SAML Issuer, Login URL, and Token Signing Certificate from a URL if your Identity Provider publishes this information in the standard XML format. |
| SAML Issuer | A unique URL that identifies your Identity Provider. SAML responses sent to Mimecast must match this value exactly in the `<saml:Issuer>` element of the SAML response. |
| Login URL | The URL to which Mimecast should redirect the user in order to start the authentication attempt. |
| Logout URL | The URL to which Mimecast should redirect the user when they log out. Mimecast only supports basic redirects here. |
| Supported Authentication Contexts | How users will authenticate against the Identity Provider, and which Authentication classes the Identity Provider supports. Mimecast supports the RequestedAuthnContext features in a Service Provider Initiated SAML request. Depending on your Mimecast configuration these values can be empty or: `<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"` It is also possible for the request to include only one `<saml:AuthnContextClassRef>`. |
| Token Signing Certificate Metadata | The metadata of the certificate issued by your Identity Provider. |
Configuring Mimecast Settings
Once your Identity Provider is set up to support Mimecast SAML authentication requests and responses, you need to configure a Mimecast Authentication Profile. The profile is applied, through the Application Settings feature, to the users you want to use Single Sign-On.
You can configure an Authentication Profile for SAML by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Services | Applications.
- Select the Authentication Profiles button.
- Either select:
  - An Authentication Profile to update, or
  - The New Authentication Profile button to create one.
- Enter a Description for the profile.
- Select the Enforce SAML Authentication for End User Applications option. The SAML settings are displayed.
- Select your Identity Provider from the provider drop-down list to see help text specific to that provider. If your provider is not listed, choose Other.
- If your Identity Provider supports it, enter the Federation Metadata URL of your Identity Provider and select Import to automatically populate all of the required settings.
  - If Mimecast cannot reach this URL, or if your Identity Provider does not support this function, you can enter the Issuer, Login URL and Identity Provider Certificate Metadata values manually.
  - When populating the Identity Provider Certificate you must trim the Begin and End tags from the certificate metadata.
- Optionally select Monitor Metadata URL. This option requires a valid Metadata URL and checks that your Authentication Profile contains the current Identity Provider certificate and settings. The feature is designed to prevent unexpected issues when these settings change at the Identity Provider. Checks are made at most once per day and are initiated when a user logs in; if no user with this Authentication Profile applied logs in on a given day, the metadata is not checked that day.
- Optionally specify the Logout URL. Mimecast only supports basic URL redirect logout methods.
- Optionally define which Authentication Context to use. By default both password protected and integrated contexts are used. These settings define the AuthnContextClassRef values in the SAML request that Mimecast sends to your Identity Provider. Mimecast supports the Password Protected Transport and Windows Integrated contexts, a combination of both, or no context.
- Click on Save and Exit.
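The script below is an added illustration of the import and monitoring steps above; it is not Mimecast's code and does not show how Mimecast implements them. It pulls out of standard SAML 2.0 Identity Provider metadata the three values the Federation Metadata URL import populates (Issuer from the entityID, Login URL from the SingleSignOnService endpoint, preferring the HTTP-POST binding because Mimecast's requests use the POST binding, and the token signing certificate), trims the Begin and End tags from the certificate as the steps require, and compares the result with what is stored in a profile, which is the kind of drift Monitor Metadata URL is designed to catch. The metadata document, its URLs and the certificate body are constructed and not real.

```python
"""Extract the values Mimecast imports from IdP metadata and detect drift against a stored profile.
Added example, not Mimecast code; the metadata, URLs and certificate body below are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def normalize_certificate(cert_text: str) -> str:
    """Drop PEM BEGIN/END lines and all whitespace, leaving the bare base64 body the profile expects."""
    lines = [line.strip() for line in cert_text.splitlines()]
    return "".join(line for line in lines if line and not line.startswith("-----"))

def extract_idp_settings(metadata_xml: str) -> Dict[str, object]:
    """Return issuer, login_url and the list of published signing certificates (normalized)."""
    root = ET.fromstring(metadata_xml)
    entity = root if root.tag == "{%s}EntityDescriptor" % MD["md"] else root.find("md:EntityDescriptor", MD)
    if entity is None:
        raise ValueError("metadata contains no EntityDescriptor")
    idp = entity.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("metadata describes no Identity Provider (IDPSSODescriptor)")
    # Login URL: the endpoint Mimecast's POST-bound request is sent to; fall back to Redirect if POST is absent
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", MD)}
    login_url = sso.get(POST_BINDING) or sso.get(REDIRECT_BINDING)
    if not login_url:
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    certs: List[str] = []
    for kd in idp.findall("md:KeyDescriptor", MD):
        if kd.get("use", "signing") != "signing":   # a KeyDescriptor without 'use' serves signing too
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD):
            certs.append(normalize_certificate(cert.text or ""))
    if not certs:
        raise ValueError("no signing certificate published")
    return {"issuer": entity.get("entityID"), "login_url": login_url, "certificates": certs}

def detect_drift(stored: Dict[str, str], published: Dict[str, object]) -> List[str]:
    """Compare the values stored in an Authentication Profile with the metadata currently published."""
    changes: List[str] = []
    if stored["issuer"] != published["issuer"]:
        changes.append("Issuer changed: %s -> %s" % (stored["issuer"], published["issuer"]))
    if stored["login_url"] != published["login_url"]:
        changes.append("Login URL changed: %s -> %s" % (stored["login_url"], published["login_url"]))
    if normalize_certificate(stored["certificate"]) not in published["certificates"]:
        changes.append("stored certificate is no longer a published signing certificate (rotated?)")
    return changes

# Constructed IdP metadata; the certificate body is a placeholder, not a real certificate
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBexampleCERTbodyNOTaREALcertificate0000
        AAAAsecondLineOfTheBase64Body1111
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_CERT_BODY = "MIIBexampleCERTbodyNOTaREALcertificate0000AAAAsecondLineOfTheBase64Body1111"
STORED_PROFILE = {
    "issuer": "https://idp.example.test/saml",
    "login_url": "https://idp.example.test/sso/post",
    # pasted with the PEM armour still attached, the mistake the steps above warn about
    "certificate": "-----BEGIN CERTIFICATE-----\n" + SAMPLE_CERT_BODY + "\n-----END CERTIFICATE-----",
}

if __name__ == "__main__":
    published = extract_idp_settings(SAMPLE_METADATA)
    print(detect_drift(STORED_PROFILE, published) or "profile matches published metadata")
```

Because Mimecast's own check only runs when a user with the profile logs in, running a comparison like this on a schedule against the live metadata URL gives you notice of a certificate rotation at the Identity Provider before the first user of the day is turned away.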
Optionally Define Permitted IP Ranges
To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for the Mimecast Administration Console, Mimecast's End User Applications, and Gateway authentication attempts.
You can configure Permitted IP Ranges for the Mimecast Administration Console by using the following steps:
- Log on to the Mimecast Administration Console.
- Navigate to Account | Settings.
- Open the User Access and Permissions section.
- In the Admin IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
You can configure Permitted IP Ranges for End User Applications by using the following steps:
- Select the checkbox to enable Permitted Application Login IP Ranges.
- In the Permitted Application Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
- Click Save and Exit to apply the new settings.
You can configure Permitted IP Ranges for Gateway authentication using SMTP or POP by using the following steps:
- Select the checkbox to enable Permitted Gateway Login IP Ranges.
- In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
- Click Save and Exit to apply the new settings.
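The following Python script is an added example for the three procedures above, not Mimecast code. It parses the text-box format they describe (CIDR, one range per line), rejects the entries that would be mistakes (a bare address without a prefix length, a range with host bits set, or RFC 1918 internal space, which can never be the public source address Mimecast sees), and then dry-runs the accepted ranges against a history of login source addresses so you can confirm that no administrator locks themselves out when the restriction is switched on. All ranges and login records are constructed.

```python
"""Validate a Permitted IP Ranges list and dry-run it against recent login sources.
Added example, not Mimecast code; the ranges and login records below are constructed."""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]
# Internal address space is never what Mimecast sees; only the public (NAT egress) address reaches it
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def parse_ranges(text: str) -> Tuple[List[Network], List[str]]:
    """Parse 'one CIDR range per line'; returns (accepted networks, rejected lines with the reason)."""
    networks: List[Network] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "/" not in line:
            errors.append("line %d: %r has no prefix length; a single host needs /32 (or /128)" % (lineno, line))
            continue
        try:
            net = ip_network(line, strict=True)  # strict=True rejects host bits set, e.g. 203.0.113.5/24
        except ValueError as exc:
            errors.append("line %d: %r rejected (%s)" % (lineno, line, exc))
            continue
        if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            errors.append("line %d: %r is private address space, not a public range" % (lineno, line))
            continue
        networks.append(net)
    return networks, errors

def is_permitted(ip: str, networks: List[Network]) -> bool:
    """True if the login source address falls inside any permitted range."""
    addr = ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)

def denied_logins(networks: List[Network], logins: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (user, source IP) pairs from a login history that the ranges would deny."""
    return [(user, ip) for user, ip in logins if not is_permitted(ip, networks)]

# Constructed contents of the Admin IP Ranges text box, including three deliberate mistakes
ADMIN_IP_RANGES = """\
203.0.113.0/24
198.51.100.10/32
192.168.1.0/24
203.0.113.5/24
2001:db8:abcd::/48
10.0.0.7
"""
# Constructed login history: (user, source address as seen by the service)
RECENT_LOGINS = [("alice@example.test", "203.0.113.17"), ("bob@example.test", "198.51.100.10"),
                 ("carol@example.test", "198.51.100.11"), ("dave@example.test", "2001:db8:abcd::10"),
                 ("erin@example.test", "192.168.1.20")]

if __name__ == "__main__":
    nets, errs = parse_ranges(ADMIN_IP_RANGES)
    for err in errs:
        print("rejected:", err)
    for user, ip in denied_logins(nets, RECENT_LOGINS):
        print("would be denied:", user, "from", ip)
```

Feed denied_logins the source addresses from your own recent administrator logins before saving the ranges; anyone listed will be locked out of the console as soon as the setting applies.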
Other Options
An Authentication Profile is applied to a group of users and a user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile.
Apply the Authentication Profile to an Application Setting
Once your Authentication Profile is complete, you need to reference it in an Application Setting so it can be applied. To do this:
- Log in to the Mimecast Administration Console.
- Navigate to Services | Applications.
- Select the Application Setting that you want to use.
- Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
- Click Save and Exit to apply the change.
Next Steps
Should you want to run a test before rolling it out to all end users, use the following steps to create an Application Settings Profile for testing 2FA on a group of users:
Create a Profile Group
- Log in to the Mimecast Administration Console.
- Navigate to Directories | Profile Groups | Create a Profile group | Build | Add email address.
- Add the users that will be using SSO to this specific profile group.
- Click on Save and Exit. See Managing Groups.
Create an Authentication Profile
- Log in to the Mimecast Administration Console.
- Navigate to Services | Applications | Authentication Profile | New Authentication Profile.
- Add a Description.
- Select 2-Step Authentication (Email or SMS, depending on which option you prefer), if this is needed for this profile.
- Click on Save and Exit. See Configure Authentication Profiles.
Create an Application Settings Profile
- Log in to the Mimecast Administration Console.
- Navigate to Services | Applications.
- Click on New Application Settings.
- Under General:
  - Description: Add a Description.
  - Group: Use the Profile Group you just created.
  - Authentication Profile: Use the Authentication Profile you just created.
- Click on Save and Exit.
You can test your configuration and verify that your Authentication Profile has been configured correctly by using the following steps:
Mimecast for Outlook
- Open Outlook.
- Open the Account Options dialogue from the Mimecast ribbon, or by clicking the Status Panel in the bottom left of the Outlook window.
- Click the Single Sign-On button followed by the Login button and you should be redirected to your Identity Provider.
- Once successfully authenticated you should be returned to the Account Options page and see that the status is Validated.
Mimecast Mobile / Mimecast for Mac
- Open the application.
- Enter your Email Address.
- Click on the Next button. You'll be redirected to your Identity Provider login URL. Once authenticated using your third-party provider, you'll be granted access to Mimecast.
Mimecast Partner Portal
- Go to the Mimecast Partner Portal logon page.
- Enter your Email Address.
- Click on the Next button. You'll be redirected to your Identity Provider login URL. Once authenticated using your third-party provider, you'll be granted access to Mimecast.
Renewing an Expired SAML Certificate
If your SAML certificate expires, follow these steps to renew it:
- In Office 365, navigate to your SSO enterprise App, then go to Single Sign-on.
- Under Section 3 SAML Certs, click the Edit button.
- Click New Certificate and generate a new certificate.
- Save the new certificate.
- Use the ellipsis (•••) next to the newly created inactive certificate to make it active.
- The old certificate will automatically move to an inactive state.
To add the new certificate in the Administration Console:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications | Authentication Profiles.
- Select the authentication profile you want to update from the list.
- Scroll to the SAML Configuration for Administrators section and click Import next to the metadata URL if one is present.
- The page should refresh with the updated certificate. Note the date in the Certificate will Expire on section.
- Click Save and Exit at the top of the page.
Repeat the SAML Configuration steps for Mimecast Web Apps and End User Applications if needed.