Authentication - SSO Third Party Provider

Before configuring Mimecast for Single Sign On, you must complete the tasks listed in the Administration Console: Configuring SSO Using a Third Party Identity Provider page.

This article contains information on configuring SAML authentication and permitted IP ranges in Mimecast, including steps for setting up authentication profiles and applying them to applications for enhanced security.

Configuring Mimecast Settings

Once your Identity Provider is set up to support Mimecast SAML authentication requests and responses, you need to configure a Mimecast Authentication Profile. The profile takes effect only when it is referenced from an Application Setting (see Applying the Authentication Profile to an Application Setting below), which is how it is applied to the group of users who will sign in with Single Sign-On.

SAML Settings

  1. Log in to the Mimecast Administration Console.
  2. Navigate to the Users & Groups | Applications menu.
  3. Select the Authentication Profiles button.
  4. Either select:
      • An existing Authentication Profile to update.
      • The New Authentication Profile button.
  5. Enter a Description for the new profile.
  6. Select the Enforce SAML Authentication for Administration Console option. The screen expands to reveal the SAML Settings.
  7. Select your Identity Provider from the Provider drop-down list to see help text specific to that provider. If your provider is not listed, choose Other.
  8. If your Identity Provider supports it, enter the Federation Metadata URL of your Identity Provider and select Import to automatically populate all the required settings.
      • If Mimecast cannot reach this URL, or the Identity Provider does not publish metadata, enter the Issuer, Login URL, and Identity Provider Certificate values manually.
      • When populating the Identity Provider Certificate, trim the Begin and End lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) from the certificate and paste only the Base64 body. This is the same form the certificate takes inside the ds:X509Certificate element of the Identity Provider's metadata.
  9. Optionally, select Monitor Metadata URL. This option requires a valid Metadata URL and checks that your Authentication Profile still contains the Identity Provider's current certificate and settings. It is designed to prevent unexpected login failures when these settings change at the Identity Provider (for example, a signing certificate rollover).

    Checks are made at most once daily and are initiated when a user logs in. The metadata is not checked on a day when no user with this Authentication Profile logs in.

  10. Optionally, specify the Logout URL. Mimecast only supports a basic URL redirect for logout.
  11. Optionally, define which Authentication Context to use. By default, both the password-protected and the integrated contexts are requested.

    These settings define the AuthnContextClassRef that Mimecast places in the RequestedAuthnContext of the SAML request it sends to your Identity Provider. Mimecast supports the Password Protected Transport context (urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport), the Windows Integrated context (urn:federation:authentication:windows), a combination of both, or no context. If your Identity Provider cannot satisfy a requested context it will refuse the request, so match this setting to what the Identity Provider actually offers.

  12. Choose whether to Allow Single Sign On. This setting enables or disables Identity Provider Initiated Sign On.
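When Mimecast cannot reach the Metadata URL, the Issuer, Login URL, Logout URL and certificate have to be read out of the Identity Provider's federation metadata by hand, and the certificate has to be pasted without its PEM armor. The following Python is an added example written for this page, not Mimecast's code or tooling: it parses a constructed EntityDescriptor (the entityID, endpoint URLs and certificate body are placeholders, the certificate body being a minimal DER SEQUENCE rather than a real certificate), strips PEM armor the way the note above requires, and checks that what is left is valid Base64 that decodes to a DER SEQUENCE. It also prints a SHA-256 fingerprint so the pasted value can be compared against what the Identity Provider's console shows.

```python
"""Extract Mimecast SAML profile values from IdP federation metadata.

Added example, not Mimecast's own code. Standard library only. The metadata
below is constructed; entityID, URLs and certificate body are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of an IdP EntityDescriptor. The
# X509Certificate body is a placeholder DER SEQUENCE (not a real certificate)
# so that the structural check below has something valid to decode.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MAMCAQE=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso-post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_pem_armor(text: str) -> str:
    """Drop -----BEGIN/END----- lines and whitespace, leaving bare Base64.

    This is the form the Identity Provider Certificate field expects.
    """
    lines = (ln.strip() for ln in text.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def check_der_certificate(b64: str) -> bytes:
    """Decode Base64 and require an outer DER SEQUENCE (tag 0x30).

    Catches the two usual paste errors: armor lines left in (not valid
    Base64) and a body that is not DER at all.
    """
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("not valid Base64; were the BEGIN/END lines left in?") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, to compare with the IdP's console."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_mimecast_settings(metadata_xml: str) -> dict:
    """Return Issuer, Login URL, Logout URL and signing certificate(s)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag: str):
        # Prefer HTTP-Redirect (the page says Mimecast only supports redirect
        # logout); fall back to whatever binding is offered.
        services = idp.findall(f"md:{tag}", NS)
        for svc in services:
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        return services[0].get("Location") if services else None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing too
            continue
        for el in kd.findall(".//ds:X509Certificate", NS):
            b64 = strip_pem_armor(el.text or "")
            der = check_der_certificate(b64)
            certs.append({"base64": b64, "sha256": sha256_fingerprint(der)})

    return {
        "issuer": root.get("entityID"),
        "login_url": endpoint("SingleSignOnService"),
        "logout_url": endpoint("SingleLogoutService"),
        "certificates": certs,
    }


if __name__ == "__main__":
    for key, value in extract_mimecast_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Point `extract_mimecast_settings` at the metadata document you downloaded from the Identity Provider; the `issuer`, `login_url` and `logout_url` values go into the profile fields of the same name and the `base64` value into the Identity Provider Certificate field. If `check_der_certificate` raises on a certificate you pasted from a PEM file, the armor lines are still present.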

Defining Permitted IP Ranges

To add a layer of security, you can define Mimecast's Permitted IP Range settings for the Administration Console, Mimecast's end-user applications, and Gateway authentication attempts. Authentication is then only accepted from the listed public source addresses, so the ranges you enter must be the public (NAT or egress) addresses your users and administrators connect from, not internal addresses.

To configure Permitted IP Ranges for the Administration Console:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to the Account | Account Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges from which Administration Console access is permitted, in CIDR format, one range per line.

To configure Permitted IP Ranges for end-user applications, in the same User Access and Permissions section:

  1. Select the checkbox to enable Permitted Application Login IP Ranges.
  2. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges from which end-user application logins are permitted, in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP, in the same section:

  1. Select the checkbox to enable Permitted Gateway Login IP Ranges.
  2. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges from which Gateway authentication is permitted, in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.
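All three text boxes take the same input: public ranges in CIDR notation, one per line. Mistakes here lock people out, or silently permit everything, so it is worth checking a list before saving it. The Python below is an added example written for this page, not Mimecast's code; Mimecast's own validation rules are not described on this page, so these are the checks an administrator would want regardless: every line is a well-formed CIDR range with no host bits set, no range is a catch-all, no range is private or otherwise non-routable, and the address you are currently connecting from is included. The sample list is constructed from documentation address blocks.

```python
"""Sanity-check a pasted list of Permitted IP Ranges before saving it.

Added example, not Mimecast's code. Standard library only. The sample input
is constructed; it deliberately mixes good and bad lines.
"""
import ipaddress

# Ranges that can never be a client's public source address as seen by
# Mimecast: RFC 1918, loopback, link-local, shared address space, multicast,
# and their IPv6 equivalents.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample: what an administrator might paste into the text box.
SAMPLE_INPUT = """\
203.0.113.0/24
198.51.100.17/32
198.51.100.64/27
10.20.0.0/16
192.0.2.5
0.0.0.0/0
192.0.2.101/30
"""


def parse_ranges(text: str):
    """Return (accepted networks, problems). One CIDR range per line."""
    accepted, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "/" not in line:
            problems.append(
                f"line {lineno}: {line!r} has no prefix length; "
                f"write a single host as {line}/32 (or /128 for IPv6)")
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            try:
                loose = ipaddress.ip_network(line, strict=False)
            except ValueError:
                problems.append(f"line {lineno}: {line!r} is not a valid CIDR range")
            else:
                problems.append(
                    f"line {lineno}: {line!r} has host bits set; the network is {loose}")
            continue
        if net.prefixlen == 0:
            problems.append(
                f"line {lineno}: {net} matches every address and makes the restriction meaningless")
            continue
        bad = next((b for b in NON_PUBLIC
                    if b.version == net.version and net.overlaps(b)), None)
        if bad is not None:
            problems.append(
                f"line {lineno}: {net} overlaps non-public range {bad}; "
                "Mimecast sees your NAT/egress address, not internal ones")
            continue
        accepted.append(net)
    return accepted, problems


def covers(networks, address: str) -> bool:
    """True if the address (e.g. your own egress IP) is inside an accepted range."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    nets, probs = parse_ranges(SAMPLE_INPUT)
    print("accepted:", ", ".join(map(str, nets)))
    for p in probs:
        print("problem:", p)
    # Before saving, confirm the address you are administering from is covered,
    # otherwise the next login attempt will be the one that is rejected.
    print("my egress covered:", covers(nets, "203.0.113.9"))
```

Run it against the list you intend to paste, and resolve every reported problem before selecting Save and Exit. The final `covers` check is the one that matters most for the Admin IP Ranges box: if your own public address is not in the list, you are locking yourself out.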

Applying the Authentication Profile to an Application Setting

An Authentication Profile is applied to a group of users, and a user can only have one effective profile at a given time. The single profile therefore has to cover every way its users authenticate, so you may need to add further authentication options to it for applications that cannot use SAML. See the Authentication Guides article for information on other authentication methods.

SAML Authentication is an enforced authentication method; consequently, other Authentication Options will only apply to applications that do not support SAML.

Once your Authentication Profile is complete, you need to reference it in an Application Setting for it to be applied. To do this:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to the Users & Groups | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
  5. Select Save and Exit to apply the change.

Next Steps

When using Service Provider Initiated SAML Authentication, your administrators must access the Administration Console using the regional URL. Due to the differences in each Identity Provider's SAML implementation, Mimecast does not support this authentication type when using the https://login.mimecast.com global URL.

To test your configuration and verify that your Authentication Profile has been configured correctly, keep your existing Administration Console session open in a separate browser while you test, so that you can still edit the profile if the redirect fails:

  1. Open a web browser and navigate to the Mimecast Administration Console v4 login page (using the regional URL, as noted above).
  2. Enter your primary email address.
  3. You should be redirected to your Identity Provider Login URL in the Authentication Profile.
  4. If required, log on to your Identity Provider.
  5. You should then be redirected to Mimecast Administration Console and granted access.

To test Identity Provider Initiated Sign On:

  1. Navigate to your Identity Provider Login Page and log on.
  2. From the published applications page, select the Mimecast Administration Console v4 application you have created.
  3. You should be redirected to the Mimecast Administration Console and granted access.