Authentication profiles allow you to define the methods users in your organization can use to authenticate with our applications. They provide the following benefits:
- Multiple authentication methods can be made available to users in a single profile.
- Profiles are applied to groups, lowering the administrative overhead of maintaining settings on a per-user basis.
- Permitted IP Range settings are also applied at the group level, allowing different settings for different users.
Applying an Authentication Profile
An authentication profile is referenced by an Application Setting, which is in turn applied to a group of users. An Application Setting defines which applications end users can access, and the features that can be used within them.
If you need to provide different levels of access to applications and / or specific application features, you can configure different application settings. It is also possible to reference the same authentication profile in different application settings. This helps to maintain a consistent, easy to manage authentication experience while allowing the flexibility in defining what applications and features different users can access.
Every Mimecast account contains a default authentication profile, referenced by a default application setting. These defaults are applied when a user connects to us but is not a member of any group referenced by a specific application setting. The defaults can be used to apply the same settings to all users in your organization. However, a more secure approach is to define your organization's most restrictive settings in this default profile, and create new profiles that are applied to groups as they are referenced in new application settings.
Configuring an Authentication Profile
To create / change an authentication profile:
- Log on to the Administration Console.
- Click on the Administration toolbar button. A drop-down menu is displayed.
- Click on the Services | Applications menu item.
- Click on the Authentication Profiles button. A list of profiles is displayed.
- Either click on the:
- Authentication Profile to be changed.
- New Authentication Profile button.
- Complete the dialog as required:
  - Description: Provide a description of the profile to make it easily identifiable when adding it to your application settings.
  - Allow Cloud Authentication: If selected, cloud passwords are configured on our platform and are independent of a user's domain password.
  - Password Reset Options: Specify whether end users are allowed to reset their passwords by clicking the "Reset Cloud Password" option. If set to a value other than "Not Allowed", a reset code is sent to their email address or cell phone.
  - Domain Authentication Mechanisms: Specify the authentication provider we'll use to verify a user's credentials. See the Authentication Options page for further information. The options are:
    - None: No authentication provider is used.
    - AD FS: Specifies that you'll use AD FS to authenticate users. If selected, you must complete the following settings:
      - Metadata URL: Specify the location of the FederationMetadata.xml file on your Active Directory Federation Services (AD FS) server, and click on the "Import" button. An attempt is made to automatically populate the remainder of the fields using the metadata file. Should this not be possible, you can specify them manually.
      - Monitor Metadata URL: If selected, automatic monitoring of IdP federation metadata is enabled. We check the metadata periodically and automatically update these values.
      - AD FS Endpoint URL: Specify the EntityID URL of your AD FS server.
      - Identity Provider Certificate (Metadata): Specify the X.509 token signing certificate of your AD FS server.
      - Certificate Will Expire On: Displays the date on which the X.509 token signing certificate of your AD FS server expires.
      - Certificate Last Checked: Displays the date on which the X.509 token signing certificate of your AD FS server was last checked.
      - Use AD Property: If selected, we use the domain property specified in your Active Directory for the users this application setting applies to. Alternatively, you can specify the Federated Domain manually.
      Click on the "Test AD FS" button to test the connection.
    - LDAP Directory Connector (Active Directory and Domino): Specifies that you'll use LDAP to authenticate users. This option must only be used when your organization uses LDAP Directory Synchronization.
    - Exchange Web Services: Specifies that you'll use Exchange Web Services to authenticate users. If selected, you must complete the following settings:
      - CAS Server: Specify the location of your CAS server.
      - Alternate Domain Suffix (Optional): Specify the domain suffix used in the UPN attribute for your users. This setting is only required if the domain suffix used for the UPN attribute is different from the domain of a user's primary email address.
    - Office 365: Specifies that you'll use Office 365 to authenticate users.
  - 2-Step Authentication: Controls whether 2-step authentication is enforced. The values are:
    - None: 2-step authentication is not used, and the "Authentication TTL" field is displayed. We use time-to-live (TTL) functionality when authenticating users accessing our applications. To prevent users having to authenticate each and every time they log on, specify a time span after which users have to reauthenticate. The Authentication TTL option is not available when more secure authentication methods are being enforced (e.g. "2-Step Authentication" or "Enforce SAML Authentication for End User Applications").
    - 3rd Party App / SMS: These options control how users obtain the security code (an authenticator app or a text message). Whichever option is selected, all users are forced to enter a security code before they can log on to Mimecast applications. Additionally, the "Disable 2-Step Authentication for Trusted IP Ranges" field is displayed, which allows you to specify trusted IP ranges from which users can log on without entering a verification code.
  - Enforce SAML Authentication for Administration Console: If selected, administrators must log on to the Administration Console using an Identity Provider (IdP) that offers 2-Factor Authentication (2FA) and / or Single Sign On (SSO) capabilities.
  - Enforce SAML Authentication for Mimecast Personal Portal: If selected, users must log on to the Mimecast Personal Portal using an Identity Provider (IdP) that offers 2-Factor Authentication (2FA) and / or Single Sign On (SSO) capabilities.
  - Enforce SAML Authentication for End User Applications: If selected, users must log on to our end user applications using an Identity Provider (IdP) that offers 2-Factor Authentication (2FA) and / or Single Sign On (SSO) capabilities.
  - Allow Integrated Windows Authentication (Mimecast for Outlook Only): If selected, Mimecast for Outlook uses the currently logged-in user's credentials to authenticate the connection. To use this feature you must:
    - Be using Microsoft Exchange 2007 SP1 or later.
    - Have a publicly available Client Access Server (CAS). A primary and secondary server must be specified in the fields displayed when this option is selected. Specify the complete EWS URL (e.g. https://domain.com/ews/exchange.asmx). Click on the Verify button to test the connection.
  - Permitted Application Login IP Ranges: If selected, you can specify the allowed source IP ranges for end user access to the Mimecast Personal Portal, the Mimecast Synchronization Engine, and our end user applications. The IP ranges are entered in the "Application Login IP Ranges (CIDR n.n.n.n/x)" field.
  - Permitted Gateway IP Ranges: If selected, you can specify the allowed source IP ranges for SMTP and POP authentication attempts. The IP ranges are entered in the "Gateway Login IP Ranges (CIDR n.n.n.n/x)" field.
- Click on the Save and Exit button.
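The "Permitted Application Login IP Ranges", "Permitted Gateway IP Ranges" and "Disable 2-Step Authentication for Trusted IP Ranges" fields in the dialog above are all CIDR lists. The following Python is added here as an illustration and is not Mimecast code: it validates such a list before it is pasted into the console (rejecting entries with no prefix length, host bits set, or a prefix too broad to be a meaningful trusted network) and shows how the application allow-list and the trusted-range 2-step bypass combine for a given source address. The prefix-length floors, the sample ranges and the `login_decision` helper are assumptions made up for the example; the ranges use RFC 5737 / RFC 3849 documentation prefixes.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Floors on prefix length used by this example to flag ranges that are too
# broad to be a meaningful "trusted" network. These are assumptions for the
# demo, not Mimecast settings; tune them to your own estate.
MIN_IPV4_PREFIX = 16
MIN_IPV6_PREFIX = 48


def parse_ranges(entries: Iterable[str]) -> Tuple[list, List[str]]:
    """Parse CIDR strings of the form n.n.n.n/x (or their IPv6 equivalents).

    Returns (networks, problems). An entry is rejected when it has no prefix
    length, is not valid CIDR, has host bits set (e.g. 10.1.2.3/24), or is
    broader than the floor above. Rejected entries are reported rather than
    silently dropped: a typo here either locks users out or widens the list.
    """
    networks, problems = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        if "/" not in text:
            problems.append(f"{text}: no prefix length; a single host is /32 (IPv4) or /128 (IPv6)")
            continue
        try:
            net = ipaddress.ip_network(text, strict=True)   # strict rejects host bits
        except ValueError as exc:
            problems.append(f"{text}: {exc}")
            continue
        floor = MIN_IPV4_PREFIX if net.version == 4 else MIN_IPV6_PREFIX
        if net.prefixlen < floor:
            problems.append(f"{text}: /{net.prefixlen} is broader than the /{floor} floor")
            continue
        networks.append(net)
    return networks, problems


def is_permitted(source_ip: str, networks) -> bool:
    """True if the source address falls inside any of the given ranges.

    Membership tests across address families return False, so an IPv4 client
    never matches an IPv6 range and vice versa.
    """
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def login_decision(source_ip: str, app_ranges, trusted_ranges) -> str:
    """Combine the two settings as the page describes them (assumed model).

    The application login ranges are an allow-list: outside them the login is
    refused. The trusted ranges only waive the security code for sources
    inside them; everyone else still has to complete 2-step authentication.
    An empty app_ranges means the allow-list is not enabled.
    """
    if app_ranges and not is_permitted(source_ip, app_ranges):
        return "deny"
    if is_permitted(source_ip, trusted_ranges):
        return "allow, 2-step bypassed"
    return "allow, 2-step required"


# Constructed sample configuration for the demo (documentation prefixes only).
APP_LOGIN_RANGES = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8:abcd::/48"]
TRUSTED_2STEP_RANGES = ["203.0.113.0/24"]        # e.g. head-office egress only
SUSPECT_ENTRIES = ["10.1.2.3/24", "0.0.0.0/0", "192.0.2.7", "2001:db8::/32", "not-an-ip/24"]

if __name__ == "__main__":
    nets, problems = parse_ranges(APP_LOGIN_RANGES + SUSPECT_ENTRIES)
    print("accepted:", [str(n) for n in nets])
    for p in problems:
        print("rejected:", p)
    app, _ = parse_ranges(APP_LOGIN_RANGES)
    trusted, _ = parse_ranges(TRUSTED_2STEP_RANGES)
    for ip in ("203.0.113.9", "198.51.100.9", "192.0.2.1", "2001:db8:abcd::1"):
        print(ip, "->", login_decision(ip, app, trusted))
```

A trusted range waives the security code for every client behind those addresses, so keep it to egress addresses you control; a shared NAT, a VPN concentrator or a whole provider block makes the bypass far wider than the single line in the dialog suggests.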
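The AD FS "Metadata URL" import and the "Monitor Metadata URL" check both work from the IdP's SAML federation metadata (FederationMetadata.xml). The following Python is added here as an illustration and is not Mimecast code: it parses a minimal metadata document for the values the dialog displays (the EntityID, the single sign-on endpoints and the token-signing certificates) and reports which signing certificates appeared or disappeared between two fetches, which is what periodic monitoring has to catch when AD FS publishes a new token-signing certificate ahead of a rollover. The sample documents, the entity ID and the certificate blobs are constructed placeholders; the blobs are base64 of short ASCII strings rather than real certificates, so the expiry date the console derives from the certificate is not computed here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespaces used by SAML 2.0 metadata and XML Signature.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> Dict:
    """Extract what a service provider needs from IdP federation metadata.

    Returns the entityID, the SingleSignOnService endpoints keyed by binding,
    the SHA-256 fingerprints of the signing certificates and any validUntil
    attribute. Only the IDPSSODescriptor is read; the WS-Federation
    RoleDescriptor that AD FS also publishes is ignored.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    fingerprints: List[str] = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute may be used for both signing
        # and encryption, so it is counted as a signing key here.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())   # blobs are often line-wrapped
            fingerprints.append(fingerprint(base64.b64decode(b64, validate=True)))

    endpoints, problems = {}, []
    for sso in idp.findall(f"{{{MD}}}SingleSignOnService"):
        location = sso.get("Location", "")
        endpoints[sso.get("Binding")] = location
        if not location.lower().startswith("https://"):
            problems.append(f"SSO endpoint {location} is not HTTPS")
    if not fingerprints:
        problems.append("no signing certificate published")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "sso_endpoints": endpoints,
        "signing_fingerprints": fingerprints,
        "problems": problems,
    }


def diff_signing_certs(old: Dict, new: Dict) -> Dict:
    """What a metadata monitor should alert on between two fetches."""
    old_fp, new_fp = set(old["signing_fingerprints"]), set(new["signing_fingerprints"])
    return {
        "added": sorted(new_fp - old_fp),
        "removed": sorted(old_fp - new_fp),
        "entity_id_changed": old["entity_id"] != new["entity_id"],
    }


def _metadata(certs: List[str]) -> str:
    """Build a constructed, minimal AD FS-style metadata document for the demo."""
    keys = "".join(
        f'<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for c in certs
    )
    return (
        f'<EntityDescriptor xmlns="{MD}" entityID="http://adfs.example.com/adfs/services/trust">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{keys}"
        '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>'
        '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>'
        "</IDPSSODescriptor></EntityDescriptor>"
    )


# Placeholder certificate blobs: base64 of the ASCII strings "CERT-A" and "CERT-B",
# not real X.509 certificates. The second document models AD FS publishing a
# secondary token-signing certificate before it becomes primary.
OLD_METADATA = _metadata(["Q0VSVC1B"])
NEW_METADATA = _metadata(["Q0VSVC1B", "Q0VSVC1C"])

if __name__ == "__main__":
    old, new = parse_idp_metadata(OLD_METADATA), parse_idp_metadata(NEW_METADATA)
    print(old["entity_id"], old["sso_endpoints"])
    print(diff_signing_certs(old, new))
```

In practice the monitor fetches the metadata over HTTPS, compares against the last stored snapshot, and raises an alert on any added or removed signing fingerprint or change of entityID, so that a surprise change can be confirmed with the AD FS administrators before the relying party trusts it.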