Authentication Profiles - Configuring SSO Using ADFS

This article contains information on configuring a Relying Party Trust in ADFS, detailing steps like specifying display names, configuring certificates, and using the Add Relying Party Trust Wizard for setup. The following ADFS versions are supported:

| Version | Host Operating System |
| --- | --- |
| 4.0 | Windows Server 2016, Windows Server 2019, and Windows Server 2022 |
| 3.0 | Windows Server 2012 R2 |
| 2.1, 2.0 | Windows Server 2012 |
| 2.0, 1.0 | Windows Server 2008 R2 |

Configuring ADFS

Creating a Relying Party Trust

To create a relying party trust:

  1. Open the AD FS Management Console on your AD FS server.
  2. Expand the Trust Relationships node.
  3. Select Relying Party Trusts.
  4. Select Add Relying Party Trust from the Actions pane on the right side of the ADFS management console. The Select Data Source dialog is displayed.
  5. Select the Enter Data About the Relying Party Manually option.
  6. Click on the Next button.
  7. Enter a Display Name (e.g., "Mimecast Administration Console").
  8. Click on the Next button.
  9. Leave the default ADFS Profile selected.
  10. Click on the Next button.
  11. Leave the Configure a Certificate dialog unchanged and click the Next button.
  12. Leave the Configure URL dialog unchanged and click the Next button.
  13. Enter a Relying Party Trust Identifier using the value from the table below for the region where your Mimecast account is hosted.
    • Substitute the ACCOUNTCODE value for your unique Mimecast account code as specified in the Account | Account Settings page of the Administration Console.
    • AD FS suggests adding "https://" before the Relying Party Trust Identifier value; Mimecast requires this to be left off.
| Region | Value |
| --- | --- |
| Europe (Excluding Germany) | eu-api.mimecast.com.ACCOUNTCODE |
| Germany | de-api.mimecast.com.ACCOUNTCODE |
| United States of America | us-api.mimecast.com.ACCOUNTCODE |
| United States of America (USB) | usb-api.mimecast.com.ACCOUNTCODE |
| Canada | ca-api.mimecast.com.ACCOUNTCODE |
| South Africa | za-api.mimecast.com.ACCOUNTCODE |
| Australia | au-api.mimecast.com.ACCOUNTCODE |
| Offshore | jer-api.mimecast.com.ACCOUNTCODE |
| USPCOM | uspcom-api.mimecast-pscom-us.com.ACCOUNTCODE |

We recommend creating three relying party trusts, each with a different trusted URL endpoint. For example, it may prove beneficial to include https://www.mimecast.com/saml.

  14. Permit all users to access the relying party trust.
  15. Click on the Next button.
  16. Complete the wizard by clicking on the Next and Finish buttons.
  17. Right-click on the newly created trust.
  18. Select the Properties menu item.
  19. Click on the Endpoints tab.
  20. Click on the Add button.
  21. Configure the settings to support Identity Provider Initiated Authentication and to allow users to access the Mimecast Administration Console from your AD FS portal:
    • Select SAML Assertion Consumer as the endpoint type.
    • Select POST as the binding.
    • Select the Set the Trusted URL as Default option.
    • Leave the index set to 0.
    • Enter a Trusted URL using the value from the table below for the region where your Mimecast account is hosted:

| Region | Trusted URL |
| --- | --- |
| Europe (Excluding Germany) | https://eu-api.mimecast.com/login/sso/adcon |
| Germany | https://de-api.mimecast.com/login/sso/adcon |
| United States of America | https://us-api.mimecast.com/login/sso/adcon |
| United States of America (USB) | https://usb-api.mimecast.com/login/sso/adcon |
| Canada | https://ca-api.mimecast.com/login/sso/adcon |
| South Africa | https://za-api.mimecast.com/login/sso/adcon |
| Australia | https://au-api.mimecast.com/login/sso/adcon |
| Offshore | https://jer-api.mimecast.com/login/sso/adcon |
| USPCOM | https://uspcom-api.mimecast-pscom-us.com/login/sso/adcon |

  22. Complete the Add an Endpoint dialog to support Service Provider Initiated Authentication and to allow users to access the Mimecast Administration Console by entering their email address into the console's login page:
    • Select SAML Assertion Consumer as the endpoint type.
    • Select POST as the binding.
    • Ensure the Set the Trusted URL as Default option is not selected.
    • Set the index to 1.
    • Enter the Trusted URL using the value from the table below for the region where your Mimecast account is hosted:

| Region | Trusted URL |
| --- | --- |
| Europe (Excluding Germany) | https://eu-api.mimecast.com/login/saml |
| Germany | https://de-api.mimecast.com/login/saml |
| United States of America | https://us-api.mimecast.com/login/saml |
| United States of America (USB) | https://usb-api.mimecast.com/login/saml |
| Canada | https://ca-api.mimecast.com/login/saml |
| South Africa | https://za-api.mimecast.com/login/saml |
| Australia | https://au-api.mimecast.com/login/saml |
| Offshore | https://jer-api.mimecast.com/login/saml |
| USPCOM | https://uspcom-api.mimecast-pscom-us.com/login/saml |

    • Click on the OK button.
  23. Click on the OK button to complete the configuration.

Edit Claims Rules

To edit the claim rules:

  1. Navigate to the Trust Relationships | Relying Party Trusts node.
  2. Select the Relying Party Trust created above.
  3. Select Edit Claims Rules from the Actions pane.
  4. Select the Add Rule button on the Issuance Transform Rules tab.
  5. Ensure the Send LDAP Attributes as Claims option is selected.
  6. Click on the Next button.
  7. Enter a name for the Claim Rule (e.g., Email Address as Name ID).
  8. Select Active Directory as your Attribute store.
  9. Add the following rule:
      • LDAP Attribute: Email Addresses.
      • Outgoing Claim Type: Name ID.
  10. Click on the Finish button.
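The relying party trust, both SAML endpoints and the claim rule built by the wizard steps above can also be created with the AD FS PowerShell module. This is an added example, not code from the Mimecast article; it assumes the EU region values from the tables, a placeholder account code, and that the wizard's "Email Addresses" attribute maps to the `mail` LDAP attribute.

```powershell
# Added example: create the relying party trust from the wizard steps with the AD FS module.
Import-Module ADFS

$AccountCode = 'ACCOUNTCODE'                        # placeholder: replace with your Mimecast account code
$Identifier  = "eu-api.mimecast.com.$AccountCode"   # no "https://" prefix, as the article requires
$DisplayName = 'Mimecast Administration Console'

# Endpoint for Identity Provider Initiated sign-on: index 0, set as default.
$adconEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri 'https://eu-api.mimecast.com/login/sso/adcon' -Index 0 -IsDefault $true

# Endpoint for Service Provider Initiated sign-on: index 1, not default.
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri 'https://eu-api.mimecast.com/login/saml' -Index 1 -IsDefault $false

# "Permit all users to access the relying party trust" as an issuance authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# "Send LDAP Attributes as Claims": Email Addresses (mail) -> Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Address as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name $DisplayName -Identifier $Identifier `
    -SamlEndpoint @($adconEndpoint, $samlEndpoint) `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Read the trust back to confirm the identifier, endpoints and rules match the article's tables.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

Run this in an elevated PowerShell session on the AD FS server; compare the `SamlEndpoints` output with the Endpoints tab in the management console before enabling the Authentication Profile.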

Configuring Mimecast Settings

Configuring an Authentication Profile

Once your AD FS server is configured to support the integration, you must configure an Authentication Profile using the settings below.

| Field / Option | Description |
| --- | --- |
| Description | Describe the integration so that you can quickly identify it (e.g., ADFS Single Sign On). |
| Enforce SAML Authentication for Administration Console | Select this option. Once selected, the SAML Settings are displayed. |
| Provider | Select ADFS from the drop-down list. |
| Metadata URL | Enter the Federation Metadata URL of your ADFS environment. This is always "http://<server>/FederationMetadata/2007-06/FederationMetadata.xml", where <server> is the FQDN of your ADFS server. The fields populated from the metadata can be entered manually if we cannot reach the URL; when doing so, trim the Begin and End tags from the certificate metadata when populating the Identity Provider Certificate (Metadata) field. |
| Monitor Metadata URL | If selected, this option requires a valid Metadata URL and checks that your Authentication Profile contains the current Identity Provider certificate and settings. This is designed to prevent unexpected issues when these settings change in ADFS. Checks are made at most once daily and are initiated when a user logs on; the metadata is not checked unless a user with this Authentication Profile logs on. |
| Logout URL | Do not select this option. We only support basic URL redirect logout methods. ADFS requires a more advanced method that is not currently supported. |
| Use Password Protected Contexts / Use Integrated Authentication Context | Optionally, define which authentication context to use. By default, both the password-protected and integrated contexts are selected. These settings define the AuthNContextClass used in the SAML request that Mimecast sends to your ADFS login URL. We support the Password Protected Transport context, the Windows Integrated context, or a combination of the two. |
| Allow Single Sign On | Select this option to enable single sign-on. |
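When the metadata fields have to be filled in manually, or when you want to confirm that the profile still holds the current Identity Provider certificate (the check Monitor Metadata URL automates), it helps to pull the signing certificate straight from the federation metadata. This is an added example, not from the Mimecast article; the AD FS hostname is a hypothetical placeholder and the URL scheme follows the article's Metadata URL format.

```powershell
# Added example: fetch the AD FS federation metadata, extract the token-signing certificate(s)
# and print the base64 body without BEGIN/END tags, the form the Identity Provider
# Certificate (Metadata) field expects when populated manually.
$MetadataUrl = 'http://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml'  # placeholder host

[xml]$metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

# Federation metadata uses the SAML metadata and XML-DSig namespaces.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Only the IdP signing certificate is used to validate assertions; encryption keys are skipped.
# AD FS publishes two signing entries during certificate rollover, so loop over all matches.
$certNodes = $metadata.SelectNodes(
    '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate',
    $ns)

foreach ($node in $certNodes) {
    # Metadata carries bare base64 (no PEM header/footer); strip line breaks and whitespace.
    $base64 = $node.InnerText -replace '\s', ''
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($base64))

    "Subject    : $($cert.Subject)"
    "Thumbprint : $($cert.Thumbprint)"
    "NotAfter   : $($cert.NotAfter)"
    "Certificate (no Begin/End tags):"
    $base64
    ''
}
```

Compare the thumbprint printed here with the certificate stored in the Authentication Profile after every AD FS certificate rollover; a mismatch means SAML logins will fail once the old certificate is retired.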

Defining Permitted IP Ranges

We provide optional Permitted IP Range settings for the administration console, end-user applications, and gateway authentication attempts for additional security.

To configure Permitted IP Ranges for the Administration Console:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to the Account | Account Settings menu item.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.

To configure Permitted IP Ranges for End User Applications:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Users & Groups | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Click on the Permitted Application Login IP Ranges option.
  5. Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
  6. Click on the Save and Exit button.

To configure Permitted IP Ranges for Gateway Authentication using SMTP or POP:

  1. Log on to the Mimecast Administration Console.
  2. Click on the Users & Groups | Applications menu item.
  3. Click on the Authentication Profiles button.
  4. Click on the Permitted Gateway Login IP Ranges option.
  5. Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
  6. Click on the Save and Exit button.

Applying the Authentication Profile to an Application Setting

An Authentication Profile is applied to a group of users, and a user can only have one effective profile at a given time. Consequently, you may want to add authentication options to your Authentication Profile. See the Authentication Options article for information on other authentication methods.

Once your Authentication Profile is complete, you need to reference it in an Application Setting to apply it. To do this:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to the Users & Groups | Applications menu item.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference, and click the Select link on the lookup page.
  5. Select Save and Exit to apply the change.

Next Steps

Administrators must access the Administration Console using the regional URL when using Service Provider Initiated SAML Authentication. Due to each Identity Provider's SAML implementation, Mimecast does not support this authentication type using the "https://login.mimecast.com" global URL.

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open a web browser and navigate to the Mimecast Administration Console login page.
  2. Enter your primary email address.
  3. You should be redirected to your ADFS login URL specified in the Authentication Profile.
  4. If required, log in to your ADFS environment.
  5. You should then be redirected to the Mimecast Administration Console and granted access.

To test Identity Provider Initiated Sign On:

  1. Open your ADFS logon page and log in.
  2. From the published applications page, select the Mimecast Administration Console application you have created.
  3. You should be redirected to the Mimecast Administration Console and granted access.