Configuring an Authentication Profile

Document created by user.oxriBaJeN4 Employee on Sep 7, 2015. Last modified by user.Yo2IBgvWqr on Nov 27, 2017.

An authentication profile allows you to define the methods users in your organization can use to authenticate with our applications. Profiles provide the following benefits:

  • Multiple authentication methods can be made available to users in a single profile.
  • Profiles are applied to groups, lowering the administrative overhead of maintaining settings on a per-user basis.
  • Permitted IP Range settings are also applied at the group level, allowing different settings for different users.

Applying an Authentication Profile

An authentication profile is referenced by an Application Setting, which is in turn applied to a group of users. An Application Setting defines which applications end users can access, and the features that can be used within them.

If you need to provide different levels of access to applications and / or to specific application features, you can configure different application settings. It is also possible to reference the same authentication profile in different application settings. This keeps the authentication experience consistent and easy to manage while leaving you the flexibility to define which applications and features different users can access.

Every Mimecast account contains a default authentication profile, referenced by a default application setting. These defaults are applied when a user connects to us and is not part of a group referenced by a specific application setting. The defaults can be used to apply the same settings to all users in your organization. However, a more secure approach is to define your organization's most restrictive settings in this default profile, and to create new profiles that are applied to groups as they are referenced in new application settings.

Configuring an Authentication Profile

To create / change an authentication profile:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A drop-down menu is displayed.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button. A list of profiles is displayed.
  5. Either click on the:
    • Authentication Profile to be changed.
    • New Authentication Profile button.
  6. Complete the dialog as required. Each field / option is listed with its description:

     Description: Provide a description of the profile to make it easily identifiable when adding it to your application settings.

     Allow Cloud Authentication: If selected, cloud passwords are configured on our platform and are independent of a user's domain password.

     Password Reset Options: Specify whether end users are allowed to reset their passwords by clicking the "Reset Cloud Password" option. If set to a value other than "Not Allowed", a reset code is sent to their email address or cell phone.

     Domain Authentication Mechanisms: Specify the authentication provider we'll use to verify a user's credentials. See the Authentication Options page for further information. The options are:

       None: No authentication provider is used.

       AD FS: Specifies that you'll use AD FS to authenticate users. If selected, you must complete the following settings:

         Metadata URL: Specify the location of the FederationMetadata.xml file on your Active Directory Federation Services (AD FS) server, and click on the "Import" button. An attempt is made to populate the remaining fields automatically from the metadata file. Should this not be possible, you can specify them manually.
         Monitor Metadata URL: If selected, automatic monitoring of IdP federation metadata is enabled. We check the metadata periodically and automatically update these values.
         AD FS Endpoint URL: Specify the EntityID URL of your AD FS server.
         Identity Provider Certificate (Metadata): Specify the X.509 token signing certificate of your AD FS server.
         Certificate Will Expire On: Displays the date on which the X.509 token signing certificate of your AD FS server expires.
         Certificate Last Checked: Displays the date on which the X.509 token signing certificate of your AD FS server was last checked.
         Use AD Property: If selected, we use the domain property specified in your Active Directory for the users this application setting applies to. Alternatively, you can specify the Federated Domain manually. Click on the "Test AD FS" button to test the connection.

       LDAP Directory Connector (Active Directory and Domino): Specifies that you'll use LDAP to authenticate users. This option must only be used when your organization uses LDAP Directory Synchronization.

       Exchange Web Services: Specifies that you'll use Exchange Web Services to authenticate users. If selected, you must complete the following settings:

         CAS Server: Specify the location of your CAS server.
         Alternate Domain Suffix (Optional): Specify the domain suffix used in the UPN attribute for your users. This setting is only required if the domain suffix used for the UPN attribute is different from a user's primary email address.

       Office 365: Specifies that you'll use Office 365 to authenticate users.

     2-Step Authentication: This controls whether 2-step authentication is enforced. The values are:

       None: 2-step authentication is not used, and the "Authentication TTL" field is displayed. We use time-to-live (TTL) functionality when authenticating users accessing our applications. To prevent users having to authenticate each and every time they log on, specify a time span after which users have to reauthenticate. This option is not available when more secure authentication methods are being enforced (e.g. "2-Step Authentication" or "Enforce SAML Authentication for End User Applications").

       3rd Party App / Email / SMS: These options control the method used to deliver the verification code. Whichever option is selected, all users are forced to enter a security code before they can log on to Mimecast applications. Additionally, the "Disable 2-Step Authentication for Trusted IP Ranges" field is displayed, which allows you to specify trusted IP ranges from which users can log on without entering a verification code.

       If you have an Office 365 exchange, you can work with Microsoft to enable 2-step authentication and generate an app password for users. Visit the Set up 2-step verification and the Create an app password pages on the Microsoft site for more information.

     Enforce SAML Authentication for Administration Console: If selected, administrators must log on to the Administration Console using an Identity Provider (IdP) that offers 2-Factor Authentication (2FA) and / or Single Sign On (SSO) capabilities.

     Enforce SAML Authentication for Mimecast Personal Portal: If selected, users must log on to the Mimecast Personal Portal using an Identity Provider (IdP) that offers 2-Factor Authentication (2FA) and / or Single Sign On (SSO) capabilities.

     Enforce SAML Authentication for End User Applications: If selected, users must log on to our end user applications using an Identity Provider (IdP) that offers 2-Factor Authentication (2FA) and / or Single Sign On (SSO) capabilities.

     Allow Integrated Windows Authentication (Mimecast for Outlook Only): If selected, Mimecast for Outlook uses the currently logged-in user's credentials to authenticate the connection. To use this feature you must:
       • Be using Microsoft Exchange 2007 SP1 or later.
       • Have a publicly available Client Access Server (CAS). A primary and a secondary server must be specified in the fields displayed when this option is selected. Specify the complete EWS URL (e.g. https://domain.com/ews/exchange.asmx). Click on the Verify button to test the connection.

     Permitted Application Login IP Ranges: If selected, you can specify the allowed source IP ranges for end user access to the Mimecast Personal Portal, Mimecast Synchronization Engine, and our end user applications. The IP ranges are entered in the "Application Login IP Ranges (CIDR n.n.n.n/x)" field.

     Permitted Gateway IP Ranges: If selected, you can specify the allowed source IP ranges for SMTP and POP authentication attempts. The IP ranges are entered in the "Gateway Login IP Ranges (CIDR n.n.n.n/x)" field.
  7. Click on the Save and Exit button.

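The 2-Step Authentication, Authentication TTL and Permitted IP Range settings interact on every login attempt: the source address is first checked against the Application or Gateway login ranges, then either a security code is demanded (unless the source is in a trusted range) or, with 2-step set to "None", the TTL decides whether the user must reauthenticate. The following added example (not Mimecast's code) models that decision and also validates the CIDR entries the way a save-time check should. The profile, range values and key names are constructed for this example.

```python
"""Model of the access checks an authentication profile applies to one login
attempt: Application / Gateway login IP ranges, 2-step security code (waived
from trusted ranges) and TTL re-authentication. Added example; PROFILE and the
addresses are constructed and the key names are this example's own."""
import ipaddress
import time


def parse_cidr_list(entries):
    """Validate CIDR strings in the n.n.n.n/x form the dialog expects.
    strict=True rejects entries with host bits set (e.g. 203.0.113.1/24),
    which almost always means the range is not the one that was intended."""
    networks, errors = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError as exc:
            errors.append(f"{entry!r}: {exc}")
    return networks, errors


def lint_profile(profile):
    """Collect every malformed range across the three range fields so a
    profile is not saved with a typo that permits or denies too much."""
    errors = []
    for field in ("trusted_ranges", "app_login_ranges", "gateway_login_ranges"):
        _, errs = parse_cidr_list(profile.get(field, []))
        errors.extend(f"{field}: {e}" for e in errs)
    return errors


def _in_ranges(addr, entries):
    networks, _ = parse_cidr_list(entries)
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in networks)


PROFILE = {  # constructed example profile
    "two_step": "email",                # "none", "email", "sms" or "third_party_app"
    "auth_ttl_seconds": 3 * 24 * 3600,  # consulted only when two_step == "none"
    "trusted_ranges": ["198.51.100.0/24"],        # no security code from here
    "app_login_ranges": ["198.51.100.0/24", "203.0.113.0/24"],
    "gateway_login_ranges": ["203.0.113.5/32"],   # SMTP / POP authentication
}


def evaluate_login(profile, source_ip, channel, last_auth=None, now=None):
    """channel is "application" (end user apps, Personal Portal, sync engine)
    or "gateway" (SMTP / POP). last_auth and now are epoch seconds. An empty
    range list means that option is not selected, so no restriction applies."""
    now = time.time() if now is None else now
    decision = {"allowed": False, "code_required": False, "reauth_required": False}
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        decision["reason"] = "unparseable source address"
        return decision

    if channel == "gateway":
        ranges = profile["gateway_login_ranges"]
        decision["allowed"] = not ranges or _in_ranges(addr, ranges)
        decision["reason"] = "gateway IP range check"
        return decision
    if channel != "application":
        raise ValueError(f"unknown channel {channel!r}")

    ranges = profile["app_login_ranges"]
    if ranges and not _in_ranges(addr, ranges):
        decision["reason"] = "source outside Application Login IP Ranges"
        return decision
    decision["allowed"] = True

    if profile["two_step"] != "none":
        # 2-step enforced: a code is always required unless the source is trusted.
        decision["code_required"] = not _in_ranges(addr, profile["trusted_ranges"])
        decision["reason"] = "2-step authentication enforced"
    else:
        expired = last_auth is None or (now - last_auth) > profile["auth_ttl_seconds"]
        decision["reauth_required"] = expired
        decision["reason"] = "authentication TTL check"
    return decision


if __name__ == "__main__":
    print(lint_profile(PROFILE))
    print(evaluate_login(PROFILE, "203.0.113.10", "application"))
    print(evaluate_login(PROFILE, "198.51.100.7", "application"))
```

The trusted-range exemption is the setting to review most carefully: any address inside "Disable 2-Step Authentication for Trusted IP Ranges" logs on with a password alone, so those ranges should be as narrow as the CIDR form allows and should never include a shared egress address you do not control.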