This article describes CyberGraph's Single Sign-On (SSO) feature, which allows end users to authenticate via SSO when reporting messages to Mimecast as Safe, Spam, or Dangerous. When reporting a message as Safe, Spam, or Dangerous, you will need to be authenticated so that your identity information can be added to the report. Authenticating using SSO enables the addition of this identity information to the report.
Considerations
Should you choose to enable the CyberGraph Single Sign-on (SSO) feature, the following needs to be taken into consideration:
- Within the Administration Console, end users should ensure that the Enforce SAML Authentication for Mimecast Web Apps option is selected for End Users, and the Enforce SAML Authentication for Administrators option should be used for administrators. Note that the Enforce SAML Authentication for End User Applications setting is not applicable for banner reporting.
- For customers with accounts on the Jersey grid only, end users will be asked to provide their Email Address again when clicking on a banner to report a message.
Overview
CyberGraph supports two authentication methods:
| Authentication Method | Description |
| --- | --- |
| Default (Login-less / Magic Links) | The information relating to the reporting user is encrypted in the Reporting button's URL. The CyberGraph administrator does not need to configure anything. |
| Single Sign-On | The user authentication relies on integration with the customer's Identity Provider for SAML Authentication. |
You may choose to use either of these methods. SSO is particularly useful when it is already in use for other Mimecast products and is configured for administrators in the Administration Console and end users in the Mimecast Personal Portal.
Prerequisite
Please ensure you have scoped the SSO effectiveness for all the end users who will be using SSO for CyberGraph message reporting. For information on how to configure, see End User Applications—Configuring SSO Using a Third-Party Identity Provider.
To use the SSO method for CyberGraph end-user reporting, the administrator will need to:
- Ensure that your Identity Provider and settings are configured in the Administration Console.
To effectively configure CyberGraph, it's essential to complete this prerequisite for all users. Please note that mixed authentication is not supported, making this step crucial for a seamless experience.
- Configure CyberGraph itself in the Administration Console.
Example Scenarios
Should a customer enable or disable SSO after banners are generated, older banners will retain either the Login-less/Magic Link URL or the SSO URL. Therefore, when an older banner is used to report a message, whether the user sees a login prompt depends on the previous configuration.
Scenario One: Customer changes from Login-less to Single Sign-On.
- In this case, the older banner will still have the login-less/Magic Link URL, and users can use that to report without error, as it is a unique link.
Scenario Two: Customer changes from Single Sign-On to Login-less.
- In this case, the old banner will still have the SSO link, and the user will be prompted to log in despite having moved to login-less/magic link reporting. It will work if SSO is still configured properly for end users.
CyberGraph Configuration
- In the Administration Console, navigate to the CyberGraph | Settings area.
- You will find a radio button indicating whether SSO is Enabled or Disabled. Note that the Default setting is Disabled. When disabled, the Login-less approach described above is used.
- To use SSO, select Enabled. SSO must be configured for all users for reporting to function correctly, as mixed authentication is unsupported.