Identity Provider (IdP) Single Sign-On

Document created by user.oxriBaJeN4 (Employee) on Sep 7, 2015. Last modified by user.oxriBaJeN4 (Employee) on May 23, 2017.

If your organization uses a third party identity provider for authentication, you can integrate this with Mimecast. This provides a Single Sign On (SSO) experience for users to access the Mimecast Personal Portal, Administration Console, Mimecast for Outlook, Mimecast Mobile, and Mimecast for Mac.

Mimecast uses industry standard Security Assertion Markup Language (SAML) 2.0 for Single Sign On integration.

Benefits of Identity Provider Single Sign On

 

  • Provides a Single Sign-On experience for users accessing the Mimecast Personal Portal and Administration Console.
  • Centralizes authentication-focused security policies at the Identity Provider instead of maintaining them in Mimecast.
  • Provides Multi-Factor Authentication capability if the third party Identity Provider your organization uses supports it.
  • Enabled via Authentication Profiles, allowing flexibility over which users should use this authentication method.

 

Authentication Workflows

 

Service Provider (SP) Initiated SAML Single Sign-On

 

Supported Applications

  • Mimecast Personal Portal
  • Administration Console
  • Mimecast for Outlook 6.1 and later
  • Mimecast Mobile 3.1 and later
  • Mimecast for Mac 2.4 and later

When using Service Provider Initiated SAML Authentication, your users must access the Mimecast Personal Portal and Administration Console using the regional URLs for the respective web application. Due to the differences between each Identity Provider's implementation of SAML, Mimecast does not support this authentication type when using the global URLs. The workflow is as follows:

  1. A user accesses the Mimecast Personal Portal or the Administration Console and enters their primary email address.
  2. Mimecast discovers the correct Authentication Profile for the user.
  3. When SAML Authentication is enforced in the user's effective Authentication Profile, Mimecast generates a SAML 2.0 AuthnRequest and redirects the user's browser to the Identity Provider's login URL.
  4. If the user is not already authenticated with the Identity Provider, they are prompted to authenticate. If the user already has a session with the Identity Provider, they are not prompted again.
  5. Once the user is authenticated, the Identity Provider generates a SAML response and posts it back to the Mimecast application via the user's browser.
  6. Mimecast verifies the SAML response.
  7. The authentication process completes and the user is granted access to the Mimecast application.


Identity Provider (IdP) Initiated SAML Single Sign-On (SSO)

Supported Applications

  • Mimecast Personal Portal
  • Administration Console


  1. A user browses to the Identity Provider's login page.
  2. The Identity Provider authenticates the user.
  3. The user selects the Mimecast application to access from the Identity Provider's application catalogue page, and the Identity Provider generates a SAML assertion which is sent to the selected Mimecast application via the user's browser.
  4. Mimecast accepts the request, establishes the identity of the user from the NameID element of the SAML assertion, discovers the user's effective Authentication Profile and verifies the request.
  5. The authentication process completes and the user is granted access to the Mimecast application.
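The two workflows above differ only in how the SAML response arrives: answered to an AuthnRequest the Service Provider issued, or unsolicited from the Identity Provider's catalogue page. The following Python is an added example, not Mimecast's code (Mimecast does not publish how its verification is implemented): it builds the AuthnRequest and HTTP-Redirect URL of the SP-initiated flow (step 3), and applies the checks a generic SAML 2.0 Service Provider makes on the returned bearer assertion ("Mimecast verifies the SAML response" in step 6, and step 4 of the IdP-initiated flow): status, Issuer, Destination and Recipient, audience, validity window, single-use assertion ID, and InResponseTo, which must match an outstanding request in the SP-initiated flow and is absent in the IdP-initiated flow. All entity IDs and URLs are constructed placeholders; the XML signature check is assumed to have been done by the SAML toolkit before these functions run and is not implemented here.

```python
# Added example (not Mimecast's code): the SP side of both SAML workflows above.
# Assumes the XML-DSig signature has already been checked by the SAML toolkit.
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Placeholder SP/IdP configuration (constructed; not real Mimecast or IdP endpoints).
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"          # where the IdP posts the Response
IDP_ENTITY_ID = "https://idp.example.test/saml"
IDP_LOGIN_URL = "https://idp.example.test/saml/sso"   # the IdP's login URL (step 3)

class SamlError(ValueError): pass  # any failed check means the SP refuses the login

def _check(ok, msg):
    if not ok:
        raise SamlError(msg)

def _parse_ts(value):  # SAML timestamps are UTC; fractional seconds not handled here
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id, now):
    """SP-initiated step 3: the AuthnRequest the SP sends to the IdP's login URL."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
            f'Destination="{IDP_LOGIN_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return IDP_LOGIN_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})

def decode_redirect_request(url):
    """What the IdP does on receipt: reverse the encoding to recover the XML."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def validate_response(response_xml, now, outstanding_requests, seen_assertion_ids,
                      allow_unsolicited=False, skew=timedelta(minutes=2)):
    """Step 6 (SP-initiated) / step 4 (IdP-initiated): accept only an assertion that is for us, current and unused."""
    root = ET.fromstring(response_xml)
    _check(root.tag == f"{{{NS['samlp']}}}Response", "not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _check(code is not None and code.get("Value") == SUCCESS, "IdP did not report success")
    _check(root.get("Destination") in (None, ACS_URL), "Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    _check(len(assertions) == 1, "expected exactly one plaintext assertion")
    a = assertions[0]
    _check(a.findtext("saml:Issuer", default="", namespaces=NS).strip() == IDP_ENTITY_ID, "unexpected Issuer")
    aid = a.get("ID")
    _check(aid and aid not in seen_assertion_ids, "missing or replayed assertion ID")
    cond = a.find("saml:Conditions", NS)
    _check(cond is not None, "assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    _check(not nb or now + skew >= _parse_ts(nb), "assertion not yet valid")
    _check(not noa or now - skew < _parse_ts(noa), "assertion expired")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    _check(SP_ENTITY_ID in audiences, "assertion was not issued for this SP")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    _check(name_id, "no NameID")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    _check(sc is not None and sc.get("Method") == BEARER, "expected bearer SubjectConfirmation")
    scd = sc.find("saml:SubjectConfirmationData", NS)
    _check(scd is not None and scd.get("Recipient") == ACS_URL, "Recipient is not our ACS URL")
    _check(scd.get("NotOnOrAfter") and now - skew < _parse_ts(scd.get("NotOnOrAfter")), "bearer confirmation expired")
    irt = scd.get("InResponseTo")
    if irt is not None:                        # SP-initiated: must answer a request we issued
        _check(irt in outstanding_requests, "InResponseTo does not match an outstanding request")
        outstanding_requests.discard(irt)      # each request is answered at most once
        flow = "sp-initiated"
    else:                                      # IdP-initiated: unsolicited, opt-in only
        _check(allow_unsolicited, "unsolicited responses are not enabled")
        flow = "idp-initiated"
    seen_assertion_ids.add(aid)                # each assertion is accepted at most once
    return {"name_id": name_id, "flow": flow, "assertion_id": aid}

def sample_response(in_response_to=None, assertion_id="_a1", audience=SP_ENTITY_ID):
    """Constructed, unsigned IdP response (valid around 2017-05-23T10:00:30Z) for exercising the checks."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2017-05-23T10:00:00Z" Destination="{ACS_URL}"{irt}>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2017-05-23T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2017-05-23T10:05:00Z"{irt}/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2017-05-23T09:59:00Z" NotOnOrAfter="2017-05-23T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

The `outstanding_requests` set is the SP's record of AuthnRequests it issued and has not yet seen answered, and `seen_assertion_ids` its record of assertions already accepted; both live server-side. With `allow_unsolicited` left at its default, a response without InResponseTo is refused, which is the setting to keep unless the IdP-initiated workflow is actually in use, since an unsolicited bearer assertion cannot be tied to a login the user started.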