End User Applications - Configuring SSO Using AD FS

Updated

This guide explains configuring Single Sign-On for end-user applications using Active Directory Federation Services (AD FS) as an Identity Provider. Single Sign-On is supported in the following Mimecast End-user Applications:

  • Mimecast for Outlook.
  • Mimecast Mobile.
  • Mimecast for Mac.
  • Mimecast Partner Portal.
Note: Mimecast's end-user applications use Service Provider (SP)- initiated SAML authentication. Read the Email Security Cloud Gateway—Enforce SAML For End User Applications page to learn about the impact of enabling this.

Single Sign-On is supported in the following AD FS environments:

AD FS Version Host Operating System
4.0 Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
3.0 Windows Server 2012 R2
2.1 Windows Server 2012
2.0 Windows Server 2008 R2

 

Contents

 

Configuring AD FS

Creating a Relying Party Trust

To create a relying party trust:

  1. On your AD FS server, open the AD FS Management Console.
  2. Expand the Trust Relationships node.
  3. Select Relying Party Trusts.
  4. Select Add Relying Party Trust from the Actions pane on the right-hand side of the AD FS management console.
  5. Select Claims Aware and click Start.
  1. On the Select Data Source page of the wizard, select Enter data about the relying party manually and click Next.
  1. Enter a Display Name (e.g. Mimecast End User Apps) and click Next.
  2. Leave the default AD FS Profile selected.
  3. Click on the Next button.
  4. Leave the Configure a Certificate field blank.
  5. Click on the Next button.
  6. Leave the Configure URL blank.
  7. Click on the Next button.
  8. Enter a Relying Party Trust Identifier using the value for the region where your Mimecast Account is hosted from the table below:
    Notes:
    • ACCOUNTCODE is your unique Mimecast account code, as specified in the Account | Account Settings page of the Mimecast Administration Console.
    • While AD FS suggests adding "https://" before the Relying Party Trust Identifier value, Mimecast requires this to be left off. Ensure you enter the appropriate value into your Relying Party Trust Identifier field, as displayed below.
    • We recommend creating three relying party trusts, each with a different trusted URL endpoint.
    Region Description
    Europe (Excluding Germany) eu-api.mimecast.com.ACCOUNTCODE
    Germany de-api.mimecast.com.ACCOUNTCODE
    United States of America us-api.mimecast.com.ACCOUNTCODE
    United States of America (USB) usb-api.mimecast.com.ACCOUNTCODE
    Canada ca-api.mimecast.com.ACCOUNTCODE
    South Africa za-api.mimecast.com.ACCOUNTCODE
    Australia au-api.mimecast.com.ACCOUNTCODE
    Offshore jer-api.mimecast.com.ACCOUNTCODE
    USPCOM uspcom-api.mimecast-pscom-us.com.ACCOUNTCODE
  9. Permit all Users to access the relying party trust and click Next.
  10. Click on the Next button.
  11. Click on the Finish button.
  12. Right click the newly created trust, select Properties.
  13. Navigate to the Endpoints tab.
  1. Select Add.
  2. In the Add an Endpoint dialog, configure the settings to support Service Provider-initiated authentication:
    1. Select SAML Assertion Consumer as the Endpoint Type.
    2. Select POST as the Binding.
    3. Select to Set the Trusted URL as default.
    4. Leave the Index set to 0.
    5. Enter the Trusted URL. Use the value for the region where your Mimecast Account is hosted from the table below:
      Region Trusted URL
      Europe (Excluding Germany) https://eu-api.mimecast.com/login/saml
      Germany https://de-api.mimecast.com/login/saml
      United States of America https://us-api.mimecast.com/login/saml
      United States of America (USB) https://usb-api.mimecast.com/login/saml
      Canada https://ca-api.mimecast.com/login/saml
      South Africa https://za-api.mimecast.com/login/saml
      Australia https://au-api.mimecast.com/login/saml
      Offshore https://jer-api.mimecast.com/login/saml
      USPCOM https://uspcom-api.mimecast-pscom-us.com/login/saml
  3. Select OK to complete the configuration.

 

Editing Claims Rules

To edit the claim rules:

  1. Select the Relying Party Trust from the Trust Relationships | Relying Party Trusts node.
  2. Select Edit Claims Rules from the Actions pane to display the Edit Claims Rules dialog.
  3. On the Issuance Transform Rules tab, select the Add Rule button:
  4. Leave the default Send LDAP Attributes as Claims selected.
  5. Click on the Next button.
  6. Enter a name for the Claim Rule (e.g. Email Address as Name ID).
  7. Select Active Directory as your attribute store.
  8. Add a Rule as displayed below:
    • LDAP Attribute: E-Mail Addresses.
    • Outgoing Cliam Type: Name ID.
  9. Select Finish to complete the configuration. Your Claims Rule should look like this:

 

Configuring Mimecast Settings

Configuring an Authentication Profile

Once your AD FS server is configured to support the integration, you must configure an Authentication Profile using the settings below.

Field / Option Description
Description Provide a description to enable you to easily identify it (e.g. AD FS Single Sign On).
Enforce SAML Authentication for End User Applications Select this option. Once selected, the SAML Settings are displayed.
Provider Select "AD FS" from the drop-down list.
Metadata URL Enter the Federation Metadata URL of your AD FS environment. This will always be "https://<server>/FederationMetadata/2007-06/FederationMetadata.xml" (where <server> is the FQDN of your AD FS server).
Note: These automatically completed fields can be entered manually if we are unable to reach the URL. When populating the Identity Provider Certificate (Metadata) field, trim the Begin and End tags from the certificate metadata.
Monitor Metadata URL If selected, this option requires a valid Metadata URL and checks that your Authentication Profile contains the current Identity Provider certificate and settings. This is designed to prevent unexpected issues when these settings change in AD FS.
Note: Checks are made a maximum of once per day and are initiated when a user logs on. If a user with this Authentication Profile applied does not log on a given day, the metadata is not checked.
Logout URL Do not select this option. We only support basic URL redirect logout methods. AD FS is known to require a more advanced method that is not currently supported.
Use Passport Protected Contexts Optionally, define which authentication context to use. By default, both password-protected and integrated contexts are selected. These settings define the AuthNContextClass used in the SAML request provided by Mimecast; and sent to your AD FS log-on URL. We support the Password Protected Transport and Windows Integrated contexts, or a combination of both.
Use Integrated Authentication Context
Allow Single Sign On Select this option to enable single sign-on.

 

Defining Permitted IP Ranges

To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for the Mimecast Administration Console, End-user Applications, and Gateway Authentication attempts.

To configure Permitted IP ranges for the Mimecast Administration Console:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Account | Account Settings menu item.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.

To configure Permitted IP Ranges for End User Applications:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Services | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Click on the Permitted Application Login IP Ranges option.
  5. Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
  6. Click on the Save and Exit button.

To configure Permitted IP Ranges for Gateway Authentication using SMTP or POP:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Services | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Click on the Permitted Gateway Login IP Ranges option.
  5. Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
  6. Click on the Save and Exit button.

 

Applying the Authentication Profile to an Application Setting

An Authentication Profile is applied to a group of users, and a user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile. Please see the Authentication Options space for information on other authentication methods.

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Services | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Specify the Authentication Profile you want to reference and click the Select link on the lookup page.
  5. Select Save and Exit to apply the change.

 

Testing the Configuration

To test your configuration and verify that your Authentication Profile has been configured correctly:

Mimecast for Outlook

  1. Open Outlook.
  2. If the logged in user has logged in to the computer using a domain account, your AD FS login URL is part of the Intranet Internet Explorer security zone, and the Outlook profile uses the same domain account:
    • Mimecast for Outlook will attempt to automatically authenticate the user with your organization's AD FS server. There is a timeout of 15 seconds on this attempt.
    • If successful, the user will be authenticated with Mimecast and granted access to the application.
    • If unsuccessful, the user will receive a notification and should complete the following steps:
  3. Open the Account Options dialogue from the Mimecast ribbon or by clicking the Status Panel in the bottom left of the Outlook window.
  4. The user should see the Single Sign-On button available to be selected.
  5. Click the Single Sign-On button followed by the Login button, and you'll be redirected to your AD FS Login URL.
  6. Once successfully authenticated, you'll return to the Account Options page and see that the status is Validated.

 

Mimecast Mobile / Mimecast for Mac

  1. Open the application.
  2. Enter your Email Address.
  3. Click on the Next button. You'll be redirected to your Identity Provider login URL. Once authenticated using Active Directory, you'll be granted access to Mimecast.

 

Mimecast Partner Portal

  1. Go to the Mimecast Partner Portal login page.
  2. Enter your Email Address.
  3. Click on the Next button. You'll be redirected to your Identity Provider login URL. Once authenticated using Active Directory, you'll be granted access to Mimecast.

See also..

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.