Authentication Profiles - Enforce SAML For End User Applications

This article explains what to expect when the Enforce SAML Authentication for End User Applications setting is enabled in an Authentication Profile.


When to Use This Setting

Use this setting when you want users to use Single Sign-On to access a deployed Mimecast end-user application. Please see the section below for the impact this has on each application.


Impact

When Enforce SAML Authentication for End User Applications is enabled on a user's effective Authentication Profile, the authentication method is enforced for all applications that use the Mimecast API to gain access to Mimecast.

Users with the Authentication Profile applied will not be able to use a password-based authentication method to access Mimecast from an end-user application. The behavior observed for each Mimecast application is described below.

Mimecast for Outlook

Mimecast for Outlook adds an automated authentication attempt, which lets users be authenticated with Mimecast through your Identity Provider without any user intervention. For this automation to be attempted, the following conditions must be met:
  • The client computer must be a domain member.
  • The user must be logging in as a domain user.
  • The Outlook profile used must be the same as the logged-in user.
  • The user should not already be authenticated with Mimecast, or the current Authentication Key is expired.
  • The Identity Provider supports Windows Integrated Authentication, for example, AD FS.
Note: There is a 15-second timeout for automated authentication attempts.

When you enable the Enforce SAML Authentication for End User Applications setting, the following behavior is expected:

New users:
  1. If the conditions outlined above are met when Outlook starts, the Mimecast application will automatically try to log in to the login URL defined in the effective Authentication Profile.
  2. If successful, the user will be granted access to Mimecast without intervention.
  3. If the conditions are not met or the automated authentication attempt fails, the user must follow the steps below.
    • Open the Mimecast for Outlook Account Options; the Single Sign-On option is available there.
    • When the user selects this option, the authentication process starts, and the user is redirected to the defined Identity Provider.
    • Once successfully authenticated with the Identity Provider, Mimecast for Outlook verifies the response from the Identity Provider with Mimecast, and the user is granted an authentication token.
    • The user is considered authenticated and can use the application at this stage.

Existing users:
  1. If you enable this setting for users who are already using Mimecast for Outlook, the next time the user's Authentication Token expires, the application will stop working, and the user will not be able to access Mimecast. The time to live for an Authentication Token is defined in the Authentication TTL setting in the Authentication Profile.
  2. To recover from this scenario, the user can simply restart Outlook, and Mimecast for Outlook will detect that Single Sign-On has been enabled.
  3. At this stage, the user will be considered a new user and can follow the process described in the previous section.

Mimecast Mobile

New users:
When the user enters their email address on the login screen and selects Next, they will be redirected to the Identity Provider login URL specified in the Mimecast Authentication Profile. Once successfully authenticated with the Identity Provider, the user will be granted access to the Mimecast application.

Existing users:
If the user has already authenticated with either their cloud or domain password and you want to switch to using Single Sign-On, please use the Revoking Application Authentication Sessions function to log users out of applications.

Mimecast for Mac

New users:
  1. When the user enters their email address on the login screen and selects Next, they will be redirected to the Identity Provider login URL specified in the Mimecast Authentication Profile.
  2. Once successfully authenticated with the Identity Provider, the user will be granted access to the Mimecast application.

Existing users:
If the user has already authenticated with either their cloud or domain password and you want to switch to using Single Sign-On, use the Revoking Application Authentication Sessions function to log users out of applications.


Authentication Tokens

When a user successfully authenticates using SAML Single Sign-On, they are granted a secure authentication token, also known as a secure binding. This creates a security association between the user, the device, the application, and the Mimecast API. The authentication token is used to verify the user in all subsequent requests made by the client to Mimecast.

The authentication token issued by the Mimecast API as a result of a successful SAML authentication is considered secure. This means:

  • The user only has to complete the login process once per device.
  • The user will not be prompted to log in when their password changes.
  • The user's credentials are not cached on the device, as they are never required to access Mimecast.
Note: Because the token is not tied to the user's password, disabling the user in the Mimecast Administration Console is still the way to block that user's access.


Continuity Considerations

In the scenario where your Identity Provider is unavailable, users with this setting applied who have not already authenticated will not be able to log in and use the application.

However, a user only has to authenticate once per application, per device, when using SAML Single Sign-On. As long as the user authenticates while your Identity Provider is available, they will be able to continue using the application from that point onwards, regardless of the availability of:

  • The Identity Provider.
  • Active Directory.
  • Exchange / Microsoft 365.
Note: For the best experience in a continuity scenario, ensure that users are authenticated while your Identity Provider is available.
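The token lifecycle described in the Authentication Tokens and Continuity Considerations sections, together with the "Existing users" case for Mimecast for Outlook, can be modelled as a small state machine. The code below is an added illustration and is not Mimecast code; it does not call the Mimecast API, and every class, method and value in it (AuthProfile, Tenant, the example addresses, the simulated clock) is a hypothetical stand-in for the behaviour the article describes.

```python
# Added model of the session behaviour described in the article. Not Mimecast
# code; names and the integer "now" clock are constructed for illustration.
from dataclasses import dataclass, field


class AuthRejected(Exception):
    """An authentication attempt the profile does not permit."""


class IdentityProviderUnavailable(Exception):
    """A SAML login attempted while the Identity Provider cannot be reached."""


@dataclass
class AuthProfile:
    enforce_saml: bool      # "Enforce SAML Authentication for End User Applications"
    auth_ttl_seconds: int   # "Authentication TTL"


@dataclass
class Token:
    user: str
    device: str
    app: str
    expires_at: int         # simulated clock value at which the TTL runs out
    revoked: bool = False


@dataclass
class Tenant:
    profile: AuthProfile
    disabled_users: set = field(default_factory=set)
    tokens: list = field(default_factory=list)

    def authenticate(self, user, device, app, method, idp_available, now):
        """Issue a token for (user, device, app), or raise.

        method is "password" or "saml". Only the SAML login needs the IdP;
        nothing after issuance consults the IdP, AD or Exchange again.
        """
        if user in self.disabled_users:
            raise AuthRejected(f"{user} is disabled")
        if method == "password" and self.profile.enforce_saml:
            raise AuthRejected("password authentication not permitted: SAML enforced")
        if method == "saml" and not idp_available:
            raise IdentityProviderUnavailable("cannot reach the Identity Provider")
        token = Token(user, device, app, now + self.profile.auth_ttl_seconds)
        self.tokens.append(token)
        return token

    def request_allowed(self, token, now):
        """Validate a client request carrying a token.

        Deliberately takes no IdP/AD/Exchange availability input: the token
        stays usable until its TTL expires, it is revoked, or the user is
        disabled. A password change is not an input either.
        """
        if token.revoked or token.user in self.disabled_users:
            return False
        return now < token.expires_at

    def revoke_application_sessions(self, user):
        """Model of the 'Revoking Application Authentication Sessions' function."""
        for token in self.tokens:
            if token.user == user:
                token.revoked = True


def try_authenticate(tenant, *args, **kwargs):
    """Outcome of an authentication attempt as a string, for easy inspection."""
    try:
        tenant.authenticate(*args, **kwargs)
        return "ok"
    except AuthRejected:
        return "rejected"
    except IdentityProviderUnavailable:
        return "idp-unavailable"


def outlook_auto_sso_possible(domain_member, domain_user, profile_matches_user,
                              needs_authentication, idp_supports_wia):
    """The five preconditions for Mimecast for Outlook's automated attempt."""
    return all([domain_member, domain_user, profile_matches_user,
                needs_authentication, idp_supports_wia])


def existing_user_scenario(ttl=3600):
    """Walk through the 'Existing users' case: a password-authenticated user
    whose profile is switched to enforced SAML mid-session."""
    tenant = Tenant(AuthProfile(enforce_saml=False, auth_ttl_seconds=ttl))
    who = ("alice@example.com", "laptop-1", "outlook")   # constructed sample
    token = tenant.authenticate(*who, "password", True, now=0)
    tenant.profile.enforce_saml = True                    # admin enables the setting
    still_works = tenant.request_allowed(token, now=ttl - 1)
    after_expiry = tenant.request_allowed(token, now=ttl)
    password_reauth = try_authenticate(tenant, *who, "password", True, now=ttl)
    new_token = tenant.authenticate(*who, "saml", True, now=ttl)  # restart Outlook, SSO
    return still_works, after_expiry, password_reauth, tenant.request_allowed(new_token, now=ttl + 1)
```

The point the model makes explicit is that request_allowed never looks at the Identity Provider: once a token exists, an IdP outage does not interrupt the user, while an expired TTL, a revoked session or a disabled account does. That is also why the two administrative controls named in the article (disabling the user, and revoking application sessions) are the ones that actually end access.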

