This article contains information on configuring Azure AD SSO for Mimecast, detailing steps for creating custom applications, setting identifiers, and configuring branded IDP SSO login, with considerations for regional settings and application access limitations.
The Azure Application belongs to a third-party software vendor. If the Azure user interface changes and no longer matches the instructions and screenshots below, alert us using the feedback function in this article.
Considerations
- You can build a custom application to access the Mimecast Personal Portal or the Mimecast Administration Console via Azure MyApps (IDP-initiated SSO).
- One app can be created to do SP-initiated SSO for all Mimecast applications and IDP-initiated SSO for either the Personal Portal or Mimecast Administration Console.
- Azure AD (Entra) does not allow the same Identifier (Entity ID) to be used in two enterprise applications, so a single app cannot provide Azure MyApps (IDP-initiated) access to both the Mimecast Administration Console and the Personal Portal; you will have to choose one.
Most organizations choose to configure the Personal Portal in MyApps with SP access for all Mimecast applications.
Conditional Access is not supported on Mimecast Mobile. For more information, see Mimecast Mobile - Known Issue - July 2024.
Creating the Custom Application
- Log in to Azure AD.
- Navigate to Enterprise Applications | All Applications | New Application.
- Select Create your own application.
- Give the application a name.
- Select Integrate any other application you don’t find in the gallery.
- Click on Create.
- Select Properties underneath the Manage tab.
- Make sure:
  - Enabled for users to sign-in? is set to Yes.
  - Assignment required is set to No. This ensures that everyone in your organization can sign in to Mimecast.com. It does not control which applications users can see in the MyApps Portal; assign that group under Users and Groups.
  - Visible to users is set to Yes.
- Optionally, add a logo to the application.
- Click Save.
- Click Single sign-on.
- Click SAML.
- Click on the Edit icon on the Basic SAML Configuration panel.
- You need the following identifiers to configure this application for Azure MyApps access to the Mimecast Personal Portal. The same values also allow SP-initiated access to all Mimecast applications via mimecast.com.
  - For the Identifier (Entity ID), find your Region in the table below and replace ACCOUNTCODE with your unique Mimecast Account Code. Ensure that this value is selected as the Default.
  The Mimecast Account Code can be found by navigating to Account | Account Settings in the Mimecast Administration Console.
| Region | Azure AD Value (Identifier / Entity ID) |
|---|---|
| Europe (Excluding Germany) | https://eu-api.mimecast.com/sso/ACCOUNTCODE |
| Germany | https://de-api.mimecast.com/sso/ACCOUNTCODE |
| United States of America | https://us-api.mimecast.com/sso/ACCOUNTCODE |
| United States of America (USB) | https://usb-api.mimecast.com/sso/ACCOUNTCODE |
| Canada | https://ca-api.mimecast.com/sso/ACCOUNTCODE |
| South Africa | https://za-api.mimecast.com/sso/ACCOUNTCODE |
| Australia | https://au-api.mimecast.com/sso/ACCOUNTCODE |
| Offshore | https://jer-api.mimecast.com/sso/ACCOUNTCODE |
- The Reply URL (Assertion Consumer Service URL) also uses regional URLs; see the table below for the correct values for your region. Add the Service Provider Initiated URL (SP-initiated SSO for all Mimecast applications) and the Identity Provider Initiated URL (Azure MyApps access to the Personal Portal). Mark the Identity Provider Initiated URL as the Default, since Azure sends IDP-initiated assertions from MyApps to the default Reply URL.

| Region | Service Provider Initiated | Identity Provider Initiated |
|---|---|---|
| Europe (Excluding Germany) | https://eu-api.mimecast.com/login/saml | https://eu-api.mimecast.com/login/sso/mpp |
| Germany | https://de-api.mimecast.com/login/saml | https://de-api.mimecast.com/login/sso/mpp |
| United States of America | https://us-api.mimecast.com/login/saml | https://us-api.mimecast.com/login/sso/mpp |
| United States of America (USB) | https://usb-api.mimecast.com/login/saml | https://usb-api.mimecast.com/login/sso/mpp |
| Canada | https://ca-api.mimecast.com/login/saml | https://ca-api.mimecast.com/login/sso/mpp |
| South Africa | https://za-api.mimecast.com/login/saml | https://za-api.mimecast.com/login/sso/mpp |
| Australia | https://au-api.mimecast.com/login/saml | https://au-api.mimecast.com/login/sso/mpp |
| Offshore | https://jer-api.mimecast.com/login/saml | https://jer-api.mimecast.com/login/sso/mpp |

- The rest of the fields in this panel can be left blank.
- Click Save once done.
Configuring Branded IDP SSO login
To configure Branded IDP SSO, the Sign On URL needs to be in the below format:
https://<grid>-api.mimecast.com/login/sso/<application>/<BrandedURLPrefix>
<grid> - The Grid/Region the account is hosted on (eu, de, us, usb, ca, za, au or jer, as in the tables above).
<application> - The IDP endpoint you are trying to access. For example, use mpp for the Mimecast Personal Portal.
<BrandedURLPrefix> - The URL Prefix from Stationery > Branding in the Administration Console.
For more information, refer to Stationery - Branding.
Add this URL as the Reply URL (Assertion Consumer Service URL) under Basic SAML Configuration.
The Identifier (Entity ID) is unchanged from the Basic SAML Configuration steps above: the regional value https://<grid>-api.mimecast.com/sso/ACCOUNTCODE, with ACCOUNTCODE replaced by your unique Mimecast Account Code. The Account Code can be found under Account | Account Settings in the Mimecast Administration Console.
The table below lists the branded Reply URL for each region; the value to use depends on the Mimecast grid where your organization's Mimecast account is hosted. Replace <BrandedURLPrefix> with your URL Prefix.
| Region | Azure AD Value (Reply URL) |
|---|---|
| Europe (Excluding Germany) | https://eu-api.mimecast.com/login/sso/mpp/<BrandedURLPrefix> |
| Germany | https://de-api.mimecast.com/login/sso/mpp/<BrandedURLPrefix> |
| United States of America | https://us-api.mimecast.com/login/sso/mpp/<BrandedURLPrefix> |
| United States of America (USB) | https://usb-api.mimecast.com/login/sso/mpp/<BrandedURLPrefix> |
| Canada | https://ca-api.mimecast.com/login/sso/mpp/<BrandedURLPrefix> |
| South Africa | https://za-api.mimecast.com/login/sso/mpp/<BrandedURLPrefix> |
| Australia | https://au-api.mimecast.com/login/sso/mpp/<BrandedURLPrefix> |
| Offshore | https://jer-api.mimecast.com/login/sso/mpp/<BrandedURLPrefix> |
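The following script is an added example for this article, not code from Mimecast or Microsoft. It serves both the Basic SAML Configuration steps above (Identifier and Reply URLs for the Personal Portal and SP-initiated access) and the branded IDP login URL in this section: it builds all of the regional values for one Mimecast grid, rejects account codes or branding prefixes that could alter the trusted URLs, checks the Entity ID against identifiers already in use in the tenant (the Azure AD limitation noted under Considerations), and emits Microsoft Graph PATCH bodies mirroring the Properties settings. Assumptions: the grid prefixes and URL formats are those in the article's tables; account codes and prefixes are treated as short URL-safe tokens; the Graph property names (identifierUris, web.redirectUris, accountEnabled, appRoleAssignmentRequired, preferredSingleSignOnMode, replyUrls, the HideApp tag) are the documented Application and ServicePrincipal fields, but the payload layout is this script's own; "CDE12345" and "acme" are constructed placeholders.

```python
"""Build and sanity-check the Azure AD (Entra) SAML values for a Mimecast
account: the Personal Portal / SP-initiated setup from the Basic SAML
Configuration steps and the branded IDP login URL.

Added example for this article; not code from Mimecast or Microsoft.
Assumptions: grid prefixes and URL formats come from the article's region
tables; account codes and branded prefixes are URL-safe tokens; the Graph
property names in graph_patch_bodies() are the documented Application and
ServicePrincipal fields, but the payload layout is this script's own.
"""
import json
import re

# Grid prefixes taken from the article's region tables.
GRIDS = {
    "Europe (Excluding Germany)": "eu",
    "Germany": "de",
    "United States of America": "us",
    "United States of America (USB)": "usb",
    "Canada": "ca",
    "South Africa": "za",
    "Australia": "au",
    "Offshore": "jer",
}

# Assumed input shape (the article does not define one): a short URL-safe
# token, so a stray "/", "?" or "#" cannot change the URL Azure will trust.
_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def _check_token(name, value):
    if not _TOKEN.match(value):
        raise ValueError(f"{name} must be a URL-safe token, got {value!r}")
    return value


def saml_values(grid, account_code, branded_prefix=None, application="mpp"):
    """Identifier (Entity ID), both Reply URLs and, if a branded prefix is
    given, the branded IDP login URL for one Mimecast grid."""
    if grid not in GRIDS.values():
        raise ValueError(f"unknown grid {grid!r}; expected one of {sorted(GRIDS.values())}")
    _check_token("account_code", account_code)
    _check_token("application", application)
    base = f"https://{grid}-api.mimecast.com"
    values = {
        "identifier": f"{base}/sso/{account_code}",
        "reply_url_sp": f"{base}/login/saml",
        "reply_url_idp": f"{base}/login/sso/{application}",
    }
    if branded_prefix is not None:
        _check_token("branded_prefix", branded_prefix)
        values["reply_url_branded"] = f"{base}/login/sso/{application}/{branded_prefix}"
    return values


def identifier_conflict(identifier, existing_identifier_uris):
    """Azure AD refuses an Identifier (Entity ID) already used by another
    application in the tenant, so check before creating a second app."""
    return identifier in set(existing_identifier_uris)


def graph_patch_bodies(values, assignment_required=False, visible=True):
    """PATCH bodies for the Application and ServicePrincipal objects that
    mirror the Properties and Basic SAML Configuration settings."""
    reply_urls = [values["reply_url_sp"], values["reply_url_idp"]]
    if "reply_url_branded" in values:
        reply_urls.append(values["reply_url_branded"])
    application = {
        "identifierUris": [values["identifier"]],
        "web": {"redirectUris": reply_urls},
    }
    service_principal = {
        "accountEnabled": True,                            # Enabled for users to sign-in? = Yes
        "appRoleAssignmentRequired": assignment_required,  # Assignment required = No
        "preferredSingleSignOnMode": "saml",
        "replyUrls": reply_urls,
        "tags": [] if visible else ["HideApp"],            # Visible to users = Yes
    }
    return {"application": application, "servicePrincipal": service_principal}


if __name__ == "__main__":
    # Constructed sample input: "CDE12345" and "acme" are placeholders, not a
    # real account code or branding prefix.
    v = saml_values("eu", "CDE12345", branded_prefix="acme")
    # Pretend an Administration Console app already uses this Entity ID.
    in_use = ["https://eu-api.mimecast.com/sso/CDE12345"]
    if identifier_conflict(v["identifier"], in_use):
        print("Identifier already used by another enterprise application; "
              "Azure AD will reject it (see Considerations).")
    print(json.dumps(graph_patch_bodies(v), indent=2))
```

Run the script as-is to see the generated bodies; in practice, feed the list of identifierUris from the tenant's existing applications into identifier_conflict() before creating the second app, and apply the bodies with PATCH requests to /applications/{id} and /servicePrincipals/{id}.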