[OUTDATED] Configure Okta for use with Mimecast SAML Authentication

Document created by user.oxriBaJeN4 (Employee) on Sep 8, 2015. Last modified by user.oxriBaJeN4 (Employee) on Dec 30, 2015. Version 4.

This guidance is outdated and has been superseded by the content in the Single Sign-On space.

This guide explains how to configure Mimecast SAML Authentication with Okta as the Identity Provider (IdP).


Configuring Okta

  1. Log in to your Okta Administration Console.
  2. Navigate to Administration | Applications | Add Application.
    [Screenshot: Okta_Add_Application.png]
  3. Search for Mimecast or locate the Mimecast apps in the Security category.
    [Screenshot: Okta_Applications_Mimecast.png]
  4. Click Add for the Administration Console or Mimecast Personal Portal application.
  5. Enter a suitable Application Label. This is the name that will be displayed to your users. Okta will only display up to 18 characters to your users.
  6. Enter the Base Domain. This is the URL of the Administration Console or Mimecast Personal Portal for the region where your Mimecast account is hosted.

    [Screenshot: Okta_General_Settings.png]
  7. Select Next.
  8. Assign the Application to the appropriate users and select Next.
  9. Check that the Username matches the primary email address of each user and click Done.
  10. Select the Sign On tab and check that the Default username format is correct. By default the Okta username is the user's email address. Mimecast identifies the user by the address Okta sends, so if this does not match the user's primary email address in Mimecast, click Edit, select the appropriate option, and then click Save.
    [Screenshot: Okta_Sign_on_Methods.png]
  11. Select View Setup Instructions on the Sign On tab. A new tab opens containing the IdP metadata. Copy the IdP metadata into a text file, or download it using the Identity Provider metadata link.
    [Screenshot: Okta_MPP_View_Metadata.png or Okta_View_Setup_Instructions.png]
  12. Check the Import, People and Groups tabs and ensure you configure the app appropriately for your users before you save your changes (where applicable).


Create an Authentication Profile

Log in to the Administration Console, navigate to the Services | Applications menu, and select the Authentication Profiles button.

[Screenshot: Authentication_Profiles_Button.png]

  1. Select an existing Authentication Profile or select the New Authentication Profile button.
  2. Enter a Description for the new profile.


SAML Settings

  1. Enable Enforce SAML Authentication for Administration Console and / or Enforce SAML Authentication for MPP.
  2. Select Okta in the Provider drop down.
  3. Enter the Metadata URL of the app you configured in Okta and import it.

    An example URL is https://example.okta.com/app/identifier/sso/saml/metadata.

    This is the URL you copied in the steps above. Repeat this for both the Administration Console and the MPP SAML settings if you want to enforce SAML Authentication for both. The import automatically populates the fields listed below, except for the Logout URL, which you must enter yourself.

  4. Alternatively, specify the values manually: download the metadata from the Metadata URL (or via the Identity Provider metadata link in Okta's setup instructions), open the downloaded file, and configure the Authentication Profile from its contents:
    1. Enter the entityID value as the Issuer URL in Mimecast.
    2. Enter the Location of the SingleSignOnService with the HTTP-POST binding as the Login URL in Mimecast.
    3. Enter the Logout URL in Mimecast. Most commonly this is the URL you are redirected to when you log out of your Identity Provider (IdP).
    4. Enter the ds:X509Certificate value as the Identity Provider Certificate (Metadata) in Mimecast.
  5. Optionally select Allow Single Sign On to enable Identity Provider initiated SAML authentication (launching Mimecast from the Okta dashboard). IdP-initiated logons are unsolicited responses that the application cannot tie to a request it sent, so leave this off unless your users need it.
  6. Optionally enable Enforce Identity Provider Logout on Application Logging Out.
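The manual mapping in step 4 is where most SAML setups go wrong: the Redirect endpoint gets pasted instead of the POST one, a line break ends up inside the certificate, or the Logout URL is assumed to have been imported. The script below is an added example, not Mimecast or Okta code. It parses an IdP metadata document of the shape Okta serves at the Metadata URL, returns the value for each Mimecast field, and lists the caveats to act on before saving the profile (the Logout URL being absent, a non-https Login URL, or the IdP not advertising the emailAddress NameID format that the username check in the Okta steps relies on). The SAMPLE_METADATA document is constructed: its entityID, endpoint Location and certificate body are placeholders, and mimecast_fields, review_fields and sha256_fingerprint are this example's own names. The SHA-256 fingerprint is there so you can compare the certificate Mimecast ends up with against the one you downloaded.

```python
"""Map Okta IdP metadata onto the Mimecast Authentication Profile fields.

Added example, not Mimecast or Okta code: entityID -> Issuer URL,
HTTP-POST SingleSignOnService -> Login URL, ds:X509Certificate -> IdP
certificate. If the metadata carries no SingleLogoutService the Logout
URL comes back as None and must be entered by hand, as the import step
above also notes.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample in the shape Okta serves at .../sso/saml/metadata.
# The entityID, Location and certificate body are placeholders, not real data.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIBsjCCARsCAQEwDQYJKoZIhvcNAQELBQAwEzERMA8GA1UEAwwIZXhhbXBsZTAe
          Fw0xNTA5MDgwMDAwMDBaFw0yNTA5MDgwMDAwMDBaMBMxETAPBgNVBAMMCGV4YW1w
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/identifier/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/identifier/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _exactly_one(parent, path):
    nodes = parent.findall(path, NS)
    if len(nodes) != 1:
        raise ValueError(f"expected exactly one {path}, found {len(nodes)}")
    return nodes[0]


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER certificate bytes."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def mimecast_fields(metadata_xml: str) -> dict:
    """Return the Issuer URL, Login URL, Logout URL and IdP certificate for Mimecast."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = _exactly_one(root, "md:IDPSSODescriptor")

    # Mimecast's Login URL is the HTTP-POST endpoint, not the HTTP-Redirect one.
    posts = [s for s in idp.findall("md:SingleSignOnService", NS)
             if s.get("Binding") == HTTP_POST]
    if len(posts) != 1:
        raise ValueError(f"expected one HTTP-POST SingleSignOnService, found {len(posts)}")

    # Only 'signing' (or unqualified) KeyDescriptors hold the cert Mimecast must trust.
    certs = [kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    certs = [c for c in certs if c is not None and c.text]
    if len(certs) != 1:
        raise ValueError(f"expected one signing certificate, found {len(certs)}")
    cert_b64 = "".join(certs[0].text.split())          # drop the line breaks
    der = base64.b64decode(cert_b64, validate=True)    # reject non-base64 debris

    slo = idp.find("md:SingleLogoutService", NS)
    nameid_formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    return {
        "issuer_url": root.get("entityID"),
        "login_url": posts[0].get("Location"),
        "logout_url": slo.get("Location") if slo is not None else None,
        "idp_certificate": cert_b64,
        "certificate_sha256": sha256_fingerprint(der),
        "email_nameid": EMAIL_NAMEID in nameid_formats,
    }


def review_fields(fields: dict) -> list:
    """Caveats to act on before saving the Authentication Profile."""
    notes = []
    if fields["logout_url"] is None:
        notes.append("Logout URL not present in metadata; enter it manually")
    if not fields["login_url"].startswith("https://"):
        notes.append("Login URL is not https; assertions would travel in clear text")
    if not fields["email_nameid"]:
        notes.append("emailAddress NameID format not advertised; confirm the Okta "
                     "username matches the user's primary email address")
    return notes


if __name__ == "__main__":
    fields = mimecast_fields(SAMPLE_METADATA)
    for key, value in fields.items():
        print(f"{key}: {value}")
    for note in review_fields(fields):
        print("NOTE:", note)
```

Run it against the metadata you downloaded in place of SAMPLE_METADATA; the function deliberately fails on a document with zero or several HTTP-POST endpoints or signing certificates rather than guessing, because silently picking the wrong one produces a profile that locks the whole Group out.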


Optionally define Permitted IP Ranges

As an additional layer of security, Mimecast provides optional Permitted IP Range settings for Administration Console, End User Application, and Gateway authentication attempts.


To configure Permitted IP ranges for the Administration Console:


  1. Log in to the Administration Console.
  2. Navigate to the Account | Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.


To configure Permitted IP Ranges for End User Applications:


  1. Log in to the Administration Console.
  2. Navigate to the Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.
  5. Select the check box to enable Permitted Application Login IP Ranges.
  6. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.


To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:


  1. Log in to the Administration Console.
  2. Navigate to the Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.
  5. Select the check box to enable Permitted Gateway Login IP Ranges.
  6. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.
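All three text boxes above take the same input: public ranges in CIDR form, one per line. A typo or a private range pasted there either locks users out or widens access without anyone noticing, so it is worth checking the list before saving it. The script below is an added example, not Mimecast code. It validates such a list the way a reviewer would: each line must parse as CIDR with no host bits set, must not be broader than a configurable prefix, must not overlap address space that never arrives from a user's public egress, and must not overlap an earlier entry. SAMPLE_RANGES is a constructed list; the RFC 5737 and RFC 3849 documentation ranges in it stand in for an organisation's real egress ranges, which is also why an explicit NON_PUBLIC list is used rather than Python's is_global (that property treats the documentation ranges as non-public). check_permitted_ranges is this example's own name.

```python
"""Sanity-check the Permitted IP Ranges pasted into a Mimecast Authentication Profile.

Added example, not Mimecast code. Mimecast expects public ranges in CIDR form,
one per line; this catches the mistakes that lock users out (typos, host bits
set) or quietly widen access (private/reserved ranges, very short prefixes,
redundant overlaps) before the text box is saved.
"""
import ipaddress

# Address space that never arrives at Mimecast from a user's public egress.
# An explicit list is used instead of ipaddress.is_global because is_global
# also treats the RFC 5737/3849 documentation ranges used below as non-public.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample of what an administrator might paste, one range per line.
# 203.0.113.0/24, 198.51.100.17 and 2001:db8::/32 stand in for real egress ranges.
SAMPLE_RANGES = """\
203.0.113.0/24
198.51.100.17
192.168.0.0/16
203.0.113.0/25
203.0.113.77/24
0.0.0.0/0
2001:db8::/32
not-a-range
"""


def check_permitted_ranges(text, min_prefix4=16, min_prefix6=32):
    """Return (accepted, problems): normalised CIDR strings to keep, and per-line findings."""
    accepted, problems, kept = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line)  # strict: host bits must be zero
        except ValueError:
            try:
                loose = ipaddress.ip_network(line, strict=False)
            except ValueError:
                problems.append(f"line {lineno}: {line!r} is not a valid CIDR range")
            else:
                problems.append(f"line {lineno}: {line!r} has host bits set; did you mean {loose}?")
            continue
        # A bare address parses as a /32 or /128, which is what the text box expects.
        min_prefix = min_prefix4 if net.version == 4 else min_prefix6
        if net.prefixlen < min_prefix:
            problems.append(f"line {lineno}: {net} is broader than /{min_prefix}; too permissive")
            continue
        reserved = next((r for r in NON_PUBLIC if net.overlaps(r)), None)
        if reserved is not None:
            problems.append(f"line {lineno}: {net} overlaps non-public range {reserved}")
            continue
        dup = next((k for k in kept if k.overlaps(net)), None)
        if dup is not None:
            problems.append(f"line {lineno}: {net} overlaps earlier entry {dup}; redundant")
            continue
        kept.append(net)
        accepted.append(str(net))
    return accepted, problems


if __name__ == "__main__":
    ok, bad = check_permitted_ranges(SAMPLE_RANGES)
    print("accepted:", *ok, sep="\n  ")
    print("problems:", *bad, sep="\n  ")
```

Paste only the accepted lines into the text box; anything in problems needs a human decision. The prefix thresholds are a judgement call: /16 for IPv4 and /32 for IPv6 are generous for an office egress list and exist to catch a 0.0.0.0/0 that would turn the control off.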


Other options

An Authentication Profile is applied to a group of users, and a given user can have only one effective profile at a time. Any additional authentication options you want to apply to those users, such as the Permitted IP Ranges above, therefore belong in that same Authentication Profile.


Apply the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Log in to the Administration Console.
  2. Navigate to the Services | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
    [Screenshot: Application_Settings_select_Authentication_Profile.png]
  5. Select Save and Exit to apply the change.


Next Steps

The configuration is now complete. Users with this Authentication Profile applied are redirected to Okta when they attempt to log in to the application(s) for which you have enabled SAML Authentication.

SAML Authentication is enforced for the address Group configured in the Application Setting: the email addresses in that Group can log on to the Mimecast Administration Console and / or Mimecast Personal Portal only via SAML. If your Identity Provider (IdP) is unavailable, or there is a problem with the SAML configuration, those addresses cannot log on at all. Mimecast recommends that you keep an emergency non-SAML logon for the Administration Console, that is, an administrator account outside the SAML-enforced Group, so that you can correct the Authentication Profile if this happens. Because that account bypasses your IdP's controls, protect it accordingly and restrict where it may log on from using the Admin IP Ranges described above.
