Single Sign-On (SSO)

Document created by user.oxriBaJeN4 Employee on Sep 7, 2015. Last modified by user.oxriBaJeN4 Employee on Feb 6, 2018. Version 20.

If your organization uses a third party identity provider for authentication, you can integrate this with Mimecast. This provides a Single Sign On (SSO) experience for users to access the Mimecast Personal Portal, Mimecast Partner Portal, Administration Console, or any Mimecast end user application.

Mimecast uses industry standard Security Assertion Markup Language (SAML) 2.0 for SSO integration.

  

Identity Provider SSO provides the following benefits:

  • A Single Sign-On experience for users to access the Mimecast Personal Portal, Mimecast Partner Portal, Administration Console, or any Mimecast end user application.
  • Authentication security policies are enforced centrally at your identity provider rather than separately in Mimecast.
  • Multi-factor authentication, if your third party Identity Provider supports it.
  • Flexibility: SSO is enabled per Authentication Profile, so you control which users authenticate this way.

 

Supported Applications

 

The supported applications are:

 

Application                          SP Initiated SAML SSO   IdP Initiated SAML SSO
Mimecast Personal Portal             Yes                     Yes
Mimecast Partner Portal              Yes                     No
Administration Console               Yes                     Yes
Mimecast for Outlook 7.0 and later   Yes                     No
Mimecast Mobile 3.1 and later        Yes                     No
Mimecast for Mac 2.4 and later       Yes                     No

 

Authentication Workflows

 

Two SSO authentication workflows are supported:

  • Service Provider (SP) Initiated SAML SSO
  • Identity Provider (IdP) Initiated SAML SSO

 

Service Provider (SP) Initiated SAML Single Sign-On

 

When using service provider initiated SAML authentication, your users must access the Mimecast Personal Portal and Administration Console using the application's regional URL. Due to the differences between each identity provider's implementation of SAML, Mimecast doesn't support this authentication type when using the global URLs. See the Mimecast Data Centers and URLs page for full details. 

 

  1. A user accesses the Mimecast Personal Portal or the Administration Console and enters their primary email address.
  2. Mimecast discovers the correct Authentication Profile for the user.
  3. When SAML Authentication is enforced in the user's effective Authentication Profile, Mimecast generates a SAML 2.0 AuthnRequest and redirects the user's browser to the Identity Provider's login URL.
  4. If the user is not already authenticated with the Identity Provider, they are prompted to authenticate; if they already hold an Identity Provider session, no further prompt is shown.
  5. Once the user is authenticated, the Identity Provider generates a SAML response and posts it back to the Mimecast application via the user's browser.
  6. Mimecast verifies the SAML response.
  7. The authentication process completes and the user is granted access to the Mimecast application.

 

Identity Provider (IdP) Initiated SAML Single Sign-On (SSO)

 

  1. A user browses to the Identity Provider's login page.
  2. The Identity Provider authenticates the user.
  3. The user selects the Mimecast application from the Identity Provider's application catalog page, and the Identity Provider generates a SAML assertion which is sent to the selected Mimecast application via the user's browser.
  4. Mimecast accepts the request, establishes the identity of the user from the NameID element of the SAML assertion, discovers the user's effective Authentication Profile, and verifies the request.
  5. The authentication process completes and the user is granted access to the Mimecast application.
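The two workflows above, as an added example that is not Mimecast's code: a Python sketch of what the service-provider side does at SP-initiated step 3 (building the AuthnRequest and encoding it for the HTTP-Redirect binding) and at the verification steps of either workflow (the checks applied to the returned Response before the NameID is trusted). The check that separates the two workflows is InResponseTo: a Response that carries it must name an AuthnRequest this service provider issued and has not yet consumed, while a Response without it is an unsolicited, IdP-initiated Response and is accepted only when that workflow is enabled. The entity IDs, URLs, the fixed clock, the three-minute skew tolerance and the sample Response are all constructed for the example; cryptographic verification of the XML signature is assumed to have been done beforehand by an XML-DSig library, and the code only refuses a Response that carries no Signature element at all.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=3)                        # tolerated IdP/SP clock drift (assumption)
NOW = datetime(2018, 2, 6, 12, 0, tzinfo=timezone.utc)  # fixed "current time" for the example
# Constructed SP and IdP identifiers; a real deployment uses the regional Mimecast URLs.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"            # Assertion Consumer Service (where the Response is posted)
IDP_ENTITY_ID = "https://idp.example.test/metadata"
IDP_SSO_URL = "https://idp.example.test/sso"            # the IdP login URL of step 3

def build_authn_request(now=NOW):
    """SP-initiated step 3: return (request_id, redirect_url) using the HTTP-Redirect binding."""
    request_id = "_" + uuid.uuid4().hex   # an xs:ID may not start with a digit
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{IDP_SSO_URL}?{query}"

def _ts(value):
    # Parse a SAML UTC xs:dateTime such as 2018-02-06T12:00:00Z into an aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def verify_response(response_xml, pending_request_ids, allow_unsolicited, now=NOW):
    """Verification steps of either workflow: validate the Response and return its NameID.
    Precondition: the XML signature was already verified by an XML-DSig library against the
    IdP's certificate; this function only refuses a Response with no Signature element."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if root.tag != f"{{{NS['samlp']}}}Response" or assertion is None:
        raise ValueError("not a samlp:Response with a plaintext Assertion")
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        raise ValueError("unsigned Response rejected")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    issuers = (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS))
    if any(i is None or i.text != IDP_ENTITY_ID for i in issuers):
        raise ValueError("unexpected Issuer")
    # SP-initiated: InResponseTo must name a pending AuthnRequest. IdP-initiated: none at all.
    irt = root.get("InResponseTo")
    if irt is None and not allow_unsolicited:
        raise ValueError("unsolicited Response but IdP-initiated SSO is not enabled")
    if irt is not None and irt not in pending_request_ids:
        raise ValueError("InResponseTo does not match a pending AuthnRequest")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or None in (cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        raise ValueError("Assertion must carry Conditions with NotBefore and NotOnOrAfter")
    if _ts(cond.get("NotBefore")) - CLOCK_SKEW > now or now >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("Assertion not yet valid or expired")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion Audience is not this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and (scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != irt):
        raise ValueError("SubjectConfirmationData Recipient/InResponseTo mismatch")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Assertion has no NameID")
    pending_request_ids.discard(irt)          # each AuthnRequest is answered at most once
    return name_id.text.strip()

def sample_response(in_response_to, not_before, not_on_or_after):
    """Constructed IdP Response; the Signature stands in for one an XML-DSig library verified."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" IssueInstant="{not_before}" Destination="{ACS_URL}"{irt}>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>stand-in</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"{irt} NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    pending = set()
    req_id, url = build_authn_request()
    pending.add(req_id)                       # SP-initiated: remember the outstanding request
    window = ("2018-02-06T11:59:00Z", "2018-02-06T12:05:00Z")
    print("SP-initiated :", verify_response(sample_response(req_id, *window), pending, allow_unsolicited=False))
    print("IdP-initiated:", verify_response(sample_response(None, *window), set(), allow_unsolicited=True))
```

Running the module shows both workflows succeed against the constructed Response and yield the NameID alice@example.test. verify_response raises ValueError for an expired assertion, a wrong Audience or Destination, an InResponseTo that names no pending AuthnRequest (a replayed or forged Response), or an unsolicited Response when IdP-initiated SSO is not enabled; the pending set is consumed on success so the same AuthnRequest cannot be answered twice.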