Authentication Profiles - Azure Standard SSO Configuration

Single Sign On through Azure AD (Entra) allows your organization to integrate authentication to Mimecast with Azure. This fully supports all Microsoft authentication functions, such as Multi-Factor Authentication and Integrated Authentication, Azure AD Seamless SSO, and Conditional Access. In addition, you can also configure Azure SSO to work with the Mimecast Personal Portal.

Considerations

1. Mimecast Single Sign-On through Office Azure uses the mail attribute as the primary SMTP address in Azure AD to identify users. This will accommodate your users with a different User Principal Name (UPN).
2. The end-user experience when accessing Mimecast Services:

• • End users can access Mimecast Services using the Mimecast website or by bookmarking in their browser via a Service Provider (SP) Initiated Login.
  • End users can access Mimecast Services via the Azure MyApps Portal and Identity Provider (IDP) Logins.

3. The end-user's Email address must be entered under their Contact Information in Azure for SAML to work correctly.

4. Do you have Azure Premium?

• • Azure Premium will enable you to build custom Enterprise Apps with more control if you restrict access to a specific Mimecast Service. (This can also be controlled within the Mimecast Administration Console).
  • Azure Premium enables you to build Applications in the Azure MyApps Portal (Identity Provider Logins). See How to Configure SSO SP/IDP-Initiated logins using Azure Premium when using Azure Premium.

By default, it is listed as Mimecast.

Configuring SSO SP-Initiated Logins using Azure Standard

You can configure SSO SP-initiated logins using Azure Standard by using the following steps:

1. Log in to your Azure Administrator Portal.
2. Navigate to Azure Active Directory | Enterprise Applications | New Application.
3. Search for Mimecast in the Search application textbox.
4. Select the Mimecast Application.

   Please do not use any other Applications, as they will not work with Mimecast.

5. On the pop-up Panel, give the SSO Application a Name.

5. Click on Create.
6. Select Properties from the Manage section. Make sure:

• • Enabled for users to sign in is set to Yes.
  • The user assignment required is set to No.
  • Visible to users is set to No.

7. Click on Save.
8. Select Single Sign-On from the Manage section.
9. Select SAML as the Single Sign-On method.
10. Click the Edit icon  in the top corner of the Basic SAML Configuration Box.
11. Delete all the values in the Identifier (Entity ID) field by clicking the trashcan icon  next to each URL.
12. In the Identifier (Entity ID) field, enter the value for your region from the table below.

13. Insert the link for your region from the chart below into the Reply URL (Assertion Consumer Service URL) and Sign-on URL boxes.

14. Click on Save in the top left corner of the Panel.
15. Click Close to close the Panel and return to the main menu.
16. Click on Edit in the User Attributes & Claims panel.
17. Click on the Value user.userprincipalname.
18. Select user.mail as the Source Attribute in the Manage claim panel.
19. In the choose name identifier format drop-down, select Email address if it has not been selected already.
20. Click on Save at the top of the Panel and close it.
21. Copy the App Federation Metadata URL from the SAML Signing Certificate panel.
22. Log in to the Mimecast Administration Console.
23. Navigate to Users & Groups | Applications | Authentication Profiles.
24. Click the Authentication Profile to which you want to add SSO or create a New Authentication Profile.
25. Choose the Mimecast Application you want to use SSO and check the Enforce SAML Authentication Box for that app.
26. The steps below will be the same for all the applications. Repeat for any other application you would like to use SSO on.

27. Click on Save and Exit.

See Also...

• Configure SSO Logins Using Azure Premium