Authentication - SAML - Configuring SSO Using Third Party IP

Updated

This guide explains how to configure Single Sign-On for the Mimecast Administration Console using a 3rd party Identity Provider.

Once your Identity Provider is configured, Mimecast SAML Authentication settings are applied to a group of users using an Authentication Profile. SAML Authentication is an enforced method for all users, subject to the settings defined in the Authentication Profile for the relevant application. When you first enable SAML Authentication, particularly for the Administration Console, consider applying it to a test user before enabling it for all Administrators. This prevents you from locking yourself out of the Mimecast Administration Console in the case of a configuration issue.

Working With Your Identity Provider

Before you can configure Single Sign-On settings, you must work with your Identity Provider to add support for Mimecast. Some providers (e.g., OneLogin, Okta, or Centrify) may have Mimecast apps in their application catalogs. However, Mimecast is not able to provide support for these as their implementation is out of Mimecast's control. Consult directly with your Identity Provider if you need any assistance.

Providing Information to Your Identity Provider

The following information may be useful for your Identity Provider:

Field / Option Description
SAML Version Mimecast only supports SAML 2.0. Your Identity Provider must also support this.
Service Provider Initiated Request: Binding Type Service Provider Initiated SAML requests from Mimecast use a POST binding.
Service Provider Initiated Request: Issuer

While your 3rd party service provider may suggest adding https:// before the value, Mimecast requires this to be left off. Ensure you enter the appropriate value for your as displayed below.

The <saml:Issuer> value in a Service Provider Initiated SAML request from Mimecast will be different depending on the Mimecast grid where your organization's Mimecast account is hosted. Below are the expected values for each grid:
  • Europe (Excluding Germany): eu-api.mimecast.com.ACCOUNTCODE
  • Germany: de-api.mimecast.com.ACCOUNTCODE
  • United States of America: us-api.mimecast.com.ACCOUNTCODE
  • United States of America (USB): usb-api.mimecast.com.ACCOUNTCODE
  • Canada: ca-api.mimecast.com.ACCOUNTCODE
  • South Africa: za-api.mimecast.com.ACCOUNTCODE
  • Australia: au-api.mimecast.com.ACCOUNTCODE
  • Offshore: jer-api.mimecast.com.ACCOUNTCODE
  • USPCOM: uspcom-api.mimecast-pscom-us.com.ACCOUNTCODE
Where ACCOUNTCODE is your unique Mimecast account code as specified in the Account | Account Settings page of the Mimecast Administration Console.

Due to a limitation with ADFS, if you've configured Relying Party Trusts for the Mimecast Personal Portal v3 or our end-user applications, ensure the entered value is unique. In most cases, you can accomplish this by having the ACCOUNTCODE portion all uppercase on one and lowercase on another.
Service Provider Initiated Request: AssertionConsumerUrl The AssertionConsumerServiceURL value in a Service Provider Initiated SAML request from Mimecast will be different depending on the Mimecast grid where your organization's Mimecast account is hosted. Below are the expected values for each grid:
  • Europe (Excluding Germany): https://eu-api.mimecast.com/login/saml
  • Germany: https://de-api.mimecast.com/login/saml
  • United States of America: https://us-api.mimecast.com/login/saml
  • United States of America (USB): https://usb-api.mimecast.com/login/saml
  • Canada: https://ca-api.mimecast.com/login/saml
  • South Africa: https://za-api.mimecast.com/login/saml
  • Australia: https://au-api.mimecast.com/login/saml
  • Offshore: https://jer-api.mimecast.com/login/saml
  • USPCOM: https://uspcom-api.mimecast-pscom-us.com/login/saml
Service Provider Initiated Request: RequestedAuthnContext Mimecast supports the RequestedAuthnContext features in a Service Provider Initiated SAML request. Depending on your Mimecast configuration, these values can be empty or: 
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                         Comparison="exact"
                         >
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:federation:authentication:windows</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

It is also possible for the request to only include one .
SAML Response: Destination Mimecast maintains different URL's for Service Provider Initiated and Identity Provider Initiated SAML authentication.
  • Service Provider Initiated: The Destination URL's for Service Provider Initiated SAML authentication attempts will be different depending on the Mimecast grid where your organization's Mimecast account is hosted. Below are the expected values for each grid:
    • Europe (Excluding Germany): https://eu-api.mimecast.com/login/saml
    • Germany: https://de-api.mimecast.com/login/saml
    • United States of America: https://us-api.mimecast.com/login/saml
    • United States of America (USB): https://usb-api.mimecast.com/login/saml
    • Canada: https://ca-api.mimecast.com/login/saml
    • South Africa: https://za-api.mimecast.com/login/saml
    • Australia: https://au-api.mimecast.com/login/saml
    • Offshore: https://jer-api.mimecast.com/login/saml
    • USPCOM: https://uspcom-api.mimecast-pscom-us.com/login/saml
  • Identity Provider Initiated: The Destination URL's for Identity Provider Initiated SAML authentication attempts will also be different depending on the Mimecast grid where your organization's Mimecast account is hosted. Below are the expected values for each grid:
    • Europe (Excluding Germany): https://eu-api.mimecast.com/login/sso/adcon
    • Germany: https://de-api.mimecast.com/login/sso/adcon
    • United States of America: https://us-api.mimecast.com/login/sso/adcon
    • United States of America (USB): https://usb-api.mimecast.com/login/sso/adcon
    • Canada: https://ca-api.mimecast.com/login/sso/adcon
    • South Africa: https://za-api.mimecast.com/login/sso/adcon
    • Australia: https://au-api.mimecast.com/login/sso/adcon
    • Offshore: https://jer-api.mimecast.com/login/sso/adcon
    • USPCOM: https://uspcom-api.mimecast-pscom-us.com/login/sso/adcon
SAML Response: Issuer The issuer element must be present and contain the value provided by your Identity Provider. This value is also set in the Mimecast configuration in a later step and the value found in the SAML response must match the value stored in your Mimecast settings.
SAML Response: Audience The SAML response must contain an AudienceRestriction element with a child element called Audience. The value of this element must be set based on the region where your Mimecast account is hosted. Please see the table below for the expected values for each grid:
  • Europe (Excluding Germany): eu-api.mimecast.com.ACCOUNTCODE
  • Germany: de-api.mimecast.com.ACCOUNTCODE
  • United States of America: us-api.mimecast.com.ACCOUNTCODE
  • United States of America (USB): usb-api.mimecast.com.ACCOUNTCODE
  • Canada: ca-api.mimecast.com.ACCOUNTCODE
  • South Africa: za-api.mimecast.com.ACCOUNTCODE
  • Australia: au-api.mimecast.com.ACCOUNTCODE
  • Offshore: jer-api.mimecast.com.ACCOUNTCODE
  • USPCOM: uspcom-api.mimecast-pscom-us.com.ACCOUNTCODE
Where ACCOUNTCODE is your unique Mimecast account code as specified in the Account | Account Settings page of the Mimecast Administration Console.

Due to a limitation with ADFS, if you've configured Relying Party Trusts for the Mimecast Personal Portal v3 or our end user applications, ensure the entered value is unique. In most cases, you can accomplish this by having the ACCOUNTCODE portion all uppercase on one and lowercase on another.
SAML Response: NameID The SAML response must contain the NameID element as a child of the Subject element. The value of this element must be the requesting user's primary email address.
SAML Response: NotBefore / NotAfter The SAML response must contain the NotBefore and NotAfter attributes in a Conditions element. The values of these attributes must be within a 1-minute margin of error of the current time; otherwise, the request will be rejected for security reasons.
SAML Response: Token Signing Certificate The SAML response must contain the metadata of your Identity Provider's certificate. This value is also set in the Mimecast configuration in a later step and the value found in the SAML response must match the value stored in your Mimecast settings.

Example Service Provider (Mimecast) Initiated Request

Where ACCOUNTCODE is your unique Mimecast account code as specified in the Account | Account Settings page of the Mimecast Administration Console.

Example SAML Response

Collecting Information From Your Identity Provider

Before configuring any Mimecast settings, you must gather the following information from your Identity Provider:

Field / Option Description
SAML Version Mimecast only supports SAML 2.0. Your Identity Provider must also support this.
Federation Metadata URL Mimecast can import the SAML Issuer, Login URL and Token Signing Certificate from a URL if your Identity Provider publishes this information in the standard XML format.
SAML Issuer A unique URL that identifies your Identity Provider. SAML responses sent to Mimecast must match this value exactly in the <saml:Issuer> attribute of the SAML response.
Login URL The URL that Mimecast should redirect the user to in order to start the authentication attempt.
Logout URL The URL that Mimecast should redirect the user to when they log out. Mimecast only supports basic redirects here.
Supported Authentication Contexts

How users will authenticate against the Identity Provider and what Authentication classes the Identity Provider supports.
Mimecast supports the RequestedAuthnContext features in a Service Provider Initiated SAML request. Depending on your Mimecast configuration, these values can be empty or:

<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                         Comparison="exact"
                         >
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:
                         ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:federation:authentication:windows
                         </saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

It is also possible for the request to only include one .
Token Signing Certificate Metadata The Metadata of the certificate issued by your Identity Provider.

Configuring Mimecast for SSO Using a 3rd Party Identity Provider

You'll also need to configure Mimecast to communicate with your 3rd party identify provider. See the Authentication - SSO 3rd party provider page for full details.

Related to

Was this article helpful?
0 out of 1 found this helpful

Comments

0 comments

Please sign in to leave a comment.