This article contains information on integrating third-party identity providers with Mimecast for Single Sign-On (SSO) using SAML 2.0, supporting various applications and authentication workflows.
If your organization uses a third-party identity provider for authentication, you can integrate it with Mimecast. This provides a Single Sign-On (SSO) experience for users to access the Mimecast Personal Portal, Mimecast Partner Portal, Administration Console, or any Mimecast end-user application.
Mimecast uses industry-standard Security Assertion Markup Language (SAML) 2.0 for SSO integration.
Identity Provider SSO provides the following benefits:
- A Single Sign-On experience for users to access the Mimecast Personal Portal, Mimecast Partner Portal, Mimecast Administration Console, or any Mimecast end-user application.
- Moves authentication-focused security policies to a central location.
- A multi-factor authentication capability, if your third-party Identity Provider supports this.
- Allows flexibility by being enabled via Authentication Profiles, thereby controlling which users use the authentication method.
Supported Applications
The supported applications are:
| Application | Service Provider (SP) Initiated SAML SSO | Identity Provider (IdP) Initiated SAML SSO |
|---|---|---|
| Mimecast Personal Portal | Yes | Yes |
| Mimecast Partner Portal | Yes | No |
| Administration Console | Yes | Yes |
| Mimecast for Outlook 7.0 and later | Yes | No |
| Mimecast Mobile 3.1 and later | Yes | No |
| Mimecast for Mac 2.4 and later | Yes | No |
Authentication Workflows
Two SSO authentication workflows are supported:
- Service Provider (SP) Initiated SAML SSO.
- Identity Provider (IdP) Initiated SAML SSO.
Service Provider (SP) Initiated SAML Single Sign-On
When using service provider-initiated SAML authentication, your users must access the Mimecast Personal Portal and Mimecast Administration Console using the application's regional URL. Because each identity provider implements SAML differently, Mimecast doesn't support this authentication type when using the global URLs. See the Data Centers & URLs page for full details.
- A user accesses the Mimecast Personal Portal or the Mimecast Administration Console, and enters their primary email address.
- Mimecast discovers the correct Authentication Profile for the user.
- When SAML Authentication is enforced in the user's effective Authentication Profile, Mimecast generates a SAML 2.0 AuthnRequest and redirects the user's browser to the Identity Provider's login URL.
- If the user is not already authenticated with the Identity Provider, the user is prompted to authenticate. Alternatively, if the user is already authenticated with the Identity Provider, they will not need to authenticate again.
- Once the user is authenticated, a SAML response is generated by the Identity Provider and posted back to the Mimecast application via the user's browser.
- Mimecast verifies the SAML response.
- The authentication process completes, and the user is granted access to the Mimecast application.
Identity Provider (IdP) Initiated SAML Single Sign-On (SSO)
- A user browses to the Identity Provider's login page.
- The Identity Provider authenticates the user.
- The user selects the Mimecast application to access from the Identity Provider's application catalog page, and the Identity Provider generates a SAML assertion, which is sent to the selected Mimecast application via the user's browser.
- Mimecast accepts the request, establishes the identity of the user from the NameID element of the SAML assertion, discovers the user's effective Authentication Profile, and verifies the request.
- The authentication process completes, and the user is granted access to the Mimecast application.
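Both workflows above end with the service provider verifying what the Identity Provider sent. The following is an added example, not Mimecast code and not a description of Mimecast's implementation: it shows the generic SAML 2.0 field checks a service provider applies after signature verification, and how the `InResponseTo` check differs between the SP-initiated and IdP-initiated workflows. The hosts, IDs, sample document and the `check_response` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (placeholder hosts/IDs, no signature, second-precision UTC times).
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 {irt} Destination="https://sp.example/acs">
 <a:Issuer>https://idp.example/metadata</a:Issuer>
 <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion ID="_a1" Version="2.0"><a:Issuer>https://idp.example/metadata</a:Issuer>
  <a:Subject><a:NameID>user@example.com</a:NameID></a:Subject>
  <a:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example/sp</a:Audience></a:AudienceRestriction>
  </a:Conditions></a:Assertion>
</p:Response>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, issuer, audience, acs_url, now, pending_request_id=None):
    """Return (name_id, problems). pending_request_id is the ID of the AuthnRequest
    the SP sent (SP-initiated) or None for an unsolicited, IdP-initiated response."""
    # Assumption: the XML signature was verified first; use a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(xml_text)
    problems = []
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":status:Success"):
        problems.append("status")
    if root.get("Destination") != acs_url:
        problems.append("destination")
    if root.findtext("a:Issuer", "", NS).strip() != issuer:
        problems.append("issuer")
    # SP-initiated: must echo our request ID. IdP-initiated: the attribute must be absent.
    if root.get("InResponseTo") != pending_request_id:
        problems.append("in_response_to")
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:
        return None, problems + ["assertion_count"]
    cond = assertions[0].find("a:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and noa and _ts(nb) <= now < _ts(noa)):
        problems.append("validity_window")
    audiences = [(e.text or "").strip() for e in assertions[0].findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if audience not in audiences:
        problems.append("audience")
    name_id = assertions[0].findtext("a:Subject/a:NameID", "", NS).strip()
    return (name_id if name_id and not problems else None), problems
```

Because an IdP-initiated response has no request to correlate against, the validity window, audience and destination checks carry more of the replay protection in that workflow.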
Configuring Single Sign-On for Google Workspace
If you require SSO authentication for your Mimecast account on a Google Workspace platform, follow Google's Mimecast cloud application guide.
Comments
How about an actual guide on how to implement it??
Hi, Daniel. Thank you for your feedback. Kindly follow this link for more information on Account Setup https://mimecastsupport.zendesk.com/hc/en-us/articles/34000660528531-Email-Security-Setup-Wizard-Account-Setup
Would it be possible to get some documentation on the partner portal SSO configuration please? Your link is unrelated to SSO and the only SSO documentation that seems to be on here is for the personal portal etc, not the partner portal.
Cheers
Hi Daniel,
We appreciate your ongoing engagement with our KB Hub. Currently, the most relevant article to assist you in configuring Partner Portal SSO can be found here: https://mimecastsupport.zendesk.com/hc/en-us/articles/34000554061075-End-User-Applications-Configuring-SSO-Using-a-Third-Party-Identity-Provider#h_01J9P8M43P5QVGXKH3677XV2V6.
Additionally, I encourage you to share your inquiry in our Community. This platform not only allows your question to be addressed by cybersecurity peers but also by the Mimecast team. Once you receive a solution, you can bookmark it for easy access in the future.
If your issue is more urgent or if you prefer to open a new support case, please do so here.