Authentication Profiles - Configuring Authentication Profiles

This article contains information on configuring and managing Authentication Profiles in Mimecast, including supported methods like AD FS, SAML SSO, and Two-step authentication, to control user access and enhance security across applications.

An Authentication Profile allows you to define the methods users in your organization can use to authenticate with our applications. In addition, they provide the following benefits:

  • Multiple authentication methods can be enabled for users within a single profile.
  • Profiles are applied to Groups, reducing per-user administration overhead.
  • Permitted IP Ranges are also applied at the group level, allowing different settings for different groups of users.

Note the following platform requirements:

  • Microsoft no longer supports Exchange 2007, so Mimecast no longer supports it either. See Microsoft's Exchange 2007 End of Support Roadmap page.
  • Microsoft 365 no longer supports Basic Authentication, so Azure SAML (SSO) must be used to authenticate Microsoft 365 users.

About Authentication Profiles

Authentication Profiles control access to applications and features for users or groups, in conjunction with Application Settings.
To give different groups different access levels, create multiple Application Settings; the same Authentication Profile can be reused in several of them.
Every Mimecast customer has a Default Authentication Profile that applies to all users. It is recommended that you define your organization's most restrictive settings in this profile and create additional Authentication Profiles and Application Settings as needed.

Configuring an Authentication Profile

You can create or amend an Authentication Profile by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Click on the Authentication Profiles button.
  4. Either click on the:
  • Authentication Profile to be changed.
  • New Authentication Profile button.
  5. Complete the dialog as required:

Description: Describe the profile so it is easily identifiable when adding it to your Application Settings.
Allow Cloud Authentication: Select whether cloud passwords (stored by Mimecast, independent of a user's domain password) are allowed at all times, or allowed ONLY during continuity mode.
Password Reset Options: Specify whether end users can reset their cloud password by clicking the Reset Cloud Password option. If set to a value other than Not Allowed, a reset code is sent to their email address or cell phone.
Domain Authentication Mechanisms: Specify the authentication provider used to verify a user's credentials:

• None: No authentication provider is used.
• ADFS: Active Directory Federation Services (ADFS) is used to authenticate users. If selected, you must complete the following settings:

Metadata URL: Specify the location of the FederationMetadata.xml file on your ADFS server, and click on the Import button. An attempt is made to populate the remaining fields from the metadata file automatically. Should this not be possible, specify them manually.
Monitor Metadata URL: If selected, the IdP federation metadata is monitored automatically. We check it periodically and update the values below when it changes.
AD FS Endpoint URL: Specify the EntityID URL of your ADFS server.
Identity Provider Certificate (Metadata): Specify the X.509 token-signing certificate of your ADFS server.
Certificate Will Expire On: Displays the date on which the X.509 token-signing certificate of your ADFS server expires.
Certificate Last Checked: Displays the date on which your ADFS server's X.509 token-signing certificate was last checked.
Use AD Property: If selected, the Domain property from your Active Directory is used for the users covered by this Application Setting. Alternatively, specify the Federated Domain manually. Click on the Test ADFS button to test the connection.

• LDAP Directory Connector (Active Directory and Domino): LDAP is used to authenticate users. Select this option only when your organization uses LDAP Directory Synchronization.

• Exchange Web Services: Exchange Web Services (EWS) is used to authenticate users. If selected, you must complete the following settings:

CAS Server: Specify the location of your Client Access Server (CAS).
Alternate Domain Suffix (Optional): Specify the domain suffix used in the UPN attribute for your users. This is only required if the UPN attribute's domain suffix differs from the domain of a user's primary email address.

• Microsoft 365 (deprecated): Microsoft 365 is used to authenticate users. This option is deprecated because Microsoft 365 no longer supports Basic Authentication; use Azure SAML (SSO) login instead.

When Multi-Factor Authentication (MFA) is enabled for accounts in Microsoft 365 or Azure AD, domain authentication fails. If MFA is enabled, use Azure SAML (SSO) as the authentication method instead; refer to Azure Standard SSO Configuration and Configure SSO Logins Using Azure Premium.

Two-Step Authentication: Controls whether Two-step Authentication is enforced:

• None: Two-step Authentication is not used, and the Authentication TTL field is displayed. A time-to-live (TTL) is applied when users authenticate to our applications. To prevent users from having to authenticate every time they log on, specify the period after which users must re-authenticate.

This option is not available when a more secure authentication method is being enforced (e.g. Two-step Authentication or Enforce SAML Authentication for End User Applications).
Mimecast for Outlook v7.10 requires a secure Two-step Authentication method to be selected, so None cannot be selected for it.

• 3rd Party App / Email / SMS: These options set how the security code is generated or delivered (a third-party authenticator app, email, or SMS). Whichever option is selected, all users must enter a security code before they can log on to Mimecast applications. Additionally, the Disable 2-Step Authentication for Trusted IP Ranges field is displayed, which allows you to specify Trusted IP Ranges from which users can log on without entering a verification code.

Disable 2-step Authentication for Trusted IP Ranges is no longer supported in Mimecast for Outlook v7.10 onwards; refer to Configuring Two Step Authentication Profiles.

Enforce SAML Authentication for Administration Console: If selected, administrators must log on to the Mimecast Administration Console through an Identity Provider (IdP) that offers two-factor authentication (2FA) and/or Single Sign-On (SSO).
Enforce SAML Authentication for the Mimecast Personal Portal: If selected, users must log on to the Mimecast Personal Portal through an Identity Provider (IdP) that offers 2FA and/or SSO.
Enforce SAML Authentication for End User Applications: If selected, users must log on to our End-user Applications through an Identity Provider (IdP) that offers 2FA and/or SSO.
Allow Integrated Windows Authentication (Mimecast for Outlook Only): If selected, Mimecast for Outlook authenticates the connection with the credentials of the Windows user currently logged in. To use this feature, you must:

  • Be using Microsoft Exchange 2013 or later.
  • Have a publicly available Client Access Server (CAS). A primary and a secondary server must be specified in the fields displayed when this option is selected. Specify the complete EWS URL (e.g. https://domain.com/ews/exchange.asmx). Click on the Verify button to test the connection.

Enable JSON Web Token Authentication (Mimecast Essentials for Outlook only): Mimecast Essentials for Outlook can associate users' credentials with Exchange Identity Tokens for subsequent authentication to Mimecast. To enable this feature, you must be using Exchange 2013 or later.

This setting is also used to enable Nested Application Authentication when an integration that supports it is configured.

Permitted Application Login IP Ranges: If selected, you can specify the allowed source IP Ranges for end-user access to the Mimecast Personal Portal, Mimecast Synchronization Engine, and our End-user Applications; logins from addresses outside these ranges are not permitted. The IP Ranges are entered in the Application Login IP Ranges (CIDR n.n.n.n/x) field.
Permitted Gateway IP Ranges: If selected, you can specify the allowed source IP Ranges for SMTP and POP authentication attempts. The IP Ranges are entered in the Gateway Login IP Ranges (CIDR n.n.n.n/x) field.

  6. Click on Save and Exit.
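The ADFS option above imports the EntityID and the token-signing certificate from FederationMetadata.xml and then shows a Certificate Will Expire On date. What follows is an added example, not Mimecast's code, that performs the same read offline on a saved copy of the metadata so the expiry can be confirmed before relying on Monitor Metadata URL or on a manual re-import: it parses the SAML 2.0 metadata, pulls out each signing certificate, walks the DER structure down to notAfter using only the Python standard library, and flags certificates that expire within a chosen window. The hostnames, the 30-day threshold and the certificate-shaped DER produced by build_synthetic_cert are constructed for the demo; that DER has the real X.509 layout but carries no key and no signature.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used in AD FS FederationMetadata.xml (SAML 2.0 metadata and XML Signature).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs that sit directly inside the byte range [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def cert_not_after(der):
    """notAfter of a DER X.509 certificate: Certificate -> tbsCertificate -> validity[1]."""
    _, outer_s, outer_e = _tlv(der, 0)                  # Certificate SEQUENCE
    _, tbs_s, tbs_e = next(_children(der, outer_s, outer_e))
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    _, val_s, val_e = fields[3]                         # serial, sigAlg, issuer, validity
    tag, ts, te = list(_children(der, val_s, val_e))[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(der[ts:te].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_federation_metadata(xml_text):
    """Return (entityID, [DER signing certificates]) from FederationMetadata.xml content."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":       # skip encryption-only keys
            continue
        b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS)
        certs.append(base64.b64decode(re.sub(r"\s+", "", b64)))
    return root.get("entityID"), certs


def check_metadata(xml_text, now, warn_days=30):
    """What the ADFS fields would hold, plus a renewal warning (warn_days is a demo choice)."""
    entity_id, certs = parse_federation_metadata(xml_text)
    if not certs:
        raise ValueError("no signing certificate in metadata")
    soonest = min(cert_not_after(c) for c in certs)     # AD FS may publish two during rollover
    days_left = (soonest - now).days
    return {"entity_id": entity_id, "signing_certs": len(certs),
            "expires_on": soonest.date().isoformat(), "days_left": days_left,
            "renew_soon": days_left < warn_days}


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_synthetic_cert(not_before, not_after):
    """Constructed certificate-shaped DER: real X.509 layout, but no key and no signature."""
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                # [0] version v3
        _der(0x02, b"\x01"),                            # serialNumber
        sha256_rsa,                                     # signature algorithm
        _der(0x30, b""),                                # issuer (empty Name, demo only)
        _der(0x30, utc(not_before) + utc(not_after)),   # validity
        _der(0x30, b""),                                # subject (empty Name, demo only)
        _der(0x30, b""),                                # subjectPublicKeyInfo placeholder
    ]))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))


# Constructed sample: a cut-down FederationMetadata.xml carrying one signing certificate.
SAMPLE_NOT_AFTER = datetime(2026, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CERT_DER = build_synthetic_cert(datetime(2025, 3, 1, 12, 0, 0, tzinfo=timezone.utc), SAMPLE_NOT_AFTER)
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode("ascii")
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://adfs.example.com/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
 </IDPSSODescriptor>
</EntityDescriptor>"""
SAMPLE_NOW = datetime(2026, 2, 10, tzinfo=timezone.utc)   # "today" for the demo


def sample_report():
    return check_metadata(SAMPLE_METADATA, SAMPLE_NOW)
```

To run this against a live IdP, replace SAMPLE_METADATA with the text of the downloaded metadata document; AD FS publishes it at /FederationMetadata/2007-06/FederationMetadata.xml on the federation service host by default. During an AD FS certificate rollover the metadata lists both the current and the next signing certificate, which is why the check reports the number of certificates and takes the earliest expiry.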
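The Trusted IP Ranges, Permitted Application Login IP Ranges and Permitted Gateway IP Ranges fields above are all CIDR lists, and the Trusted IP Ranges one lets logins from matching addresses skip the verification code, so one over-broad or mistyped entry quietly weakens two-step authentication for every user in the group. The following added example (not Mimecast code; how Mimecast itself validates the field is not documented on this page) shows how to sanity-check such a list before saving it: strict CIDR parsing that rejects entries with host bits set, an audit that flags internal address space and over-broad prefixes, and an evaluation of which login source addresses would match the ranges that survive. The sample entries and login addresses are constructed, and the internal-range list and prefix-length thresholds are choices made for the demo.

```python
import ipaddress

# Constructed entries, as they might be typed into a Mimecast "CIDR n.n.n.n/x" field.
SAMPLE_ENTRIES = [
    "203.0.113.0/24",      # office egress range
    "198.51.100.5/32",     # a single VPN concentrator address
    "2001:db8:10::/48",    # office IPv6 egress range
    "10.0.0.0/8",          # internal range: a cloud service never sees these as source addresses
    "0.0.0.0/0",           # catastrophic typo: matches every source on the internet
    "203.0.113.5/24",      # host bits set: ambiguous, so reject rather than guess the intent
]
# Constructed login source addresses, as they would appear to Mimecast.
SAMPLE_LOGINS = ["203.0.113.77", "198.51.100.6", "2001:db8:10:1::5", "192.0.2.9"]

# Address space that only exists behind NAT or on-link (demo list). The documentation
# ranges used above (203.0.113.0/24, 2001:db8::/32) are deliberately absent so they act as public.
INTERNAL_RANGES = [ipaddress.ip_network(r) for r in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]
MIN_PREFIXLEN = {4: 16, 6: 48}   # demo thresholds: anything shorter is too broad to trust


def parse_ranges(entries):
    """Parse CIDR entries strictly: an entry with host bits set is rejected, not silently widened."""
    networks, rejected = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def audit_ranges(networks):
    """Return (range, reason) pairs for entries that must not be allowed to bypass the second factor."""
    findings = []
    for net in networks:
        if any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES):
            findings.append((str(net), "internal range: logins reach Mimecast from the public egress address"))
        elif net.prefixlen < MIN_PREFIXLEN[net.version]:
            findings.append((str(net), f"too broad: /{net.prefixlen} covers {net.num_addresses} addresses"))
    return findings


def evaluate_logins(networks, source_ips):
    """Map each source address to the first range containing it, or None if no range matches."""
    matches = {}
    for text in source_ips:
        ip = ipaddress.ip_address(text)
        hit = next((net for net in networks if ip.version == net.version and ip in net), None)
        matches[text] = str(hit) if hit else None
    return matches


def review(entries, source_ips):
    """Full pass: strict parse, audit, then evaluate logins against the ranges that passed the audit."""
    networks, rejected = parse_ranges(entries)
    findings = audit_ranges(networks)
    flagged = {name for name, _ in findings}
    effective = [net for net in networks if str(net) not in flagged]
    return {"rejected": rejected, "findings": findings,
            "effective": [str(net) for net in effective],
            "matches": evaluate_logins(effective, source_ips)}


if __name__ == "__main__":
    result = review(SAMPLE_ENTRIES, SAMPLE_LOGINS)
    for name in result["rejected"]:
        print(f"rejected {name}: host bits set")
    for name, reason in result["findings"]:
        print(f"do not trust {name}: {reason}")
    for ip, net in result["matches"].items():
        print(f"{ip}: {'skips the verification code via ' + net if net else 'must enter a verification code'}")
```

The same evaluation applies to the Permitted IP Ranges fields with the opposite consequence: an address that matches no effective range is refused rather than waved through, so it is worth confirming that every known egress address (including any IPv6 egress) matches before enabling them, or the group locks itself out.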
