[OUTDATED] Configure OneLogin for use with Mimecast SAML Authentication

Document created by user.oxriBaJeN4 (Employee) on Sep 8, 2015. Last modified by user.oxriBaJeN4 (Employee) on Dec 30, 2015. Version 2.

This guidance is outdated and has been superseded by the content in the Single Sign-On space.

This guide explains how to configure Mimecast SAML Authentication using OneLogin as the Identity Provider (IdP).

Configuring OneLogin

  1. Log on to your OneLogin console.
  2. Navigate to Apps > Find Apps.
    [Screenshot: Onelogin_Find_Apps.png]
  3. Search for Mimecast, or locate the Mimecast apps in the Security category.
    [Screenshot: Onelogin_Find_Apps_Mimecast.png]
  4. Click Add for the Administration Console app or for the Mimecast Personal Portal app.
  5. Enter a display name that will be shown to your users.
  6. Configure the additional options as applicable:
    [Screenshot: Onelogin_Add_Mimecast_Admin.png]
  7. Select Continue.
  8. Open the Configuration section.
    [Screenshot: Onelogin_Admin_App_Settings.png]
  9. Select the Mimecast service where your Mimecast account is located. Do not click Update yet.
    [Screenshot: Onelogin_Sign_on_Method.png]
  10. Select the Single Sign-On tab and copy the Issuer URL; you will enter it into Mimecast as the Metadata URL. Ensure that Email is selected as the Default values entry, because Mimecast requires users to log on with their primary email address. Do not click Update yet.
  11. Open the Access Control and Logins sections and assign the app to the appropriate users before you click Update.

A separate OneLogin app must be created for the Administration Console and for the Mimecast Personal Portal; each app has its own Issuer URL.

Create an Authentication Profile

Log in to the Administration Console, navigate to the Services | Applications menu, and select the Authentication Profiles button.

[Screenshot: Authentication_Profiles_Button.png]

  1. Select an existing Authentication Profile, or select the New Authentication Profile button to create one.
  2. Enter a Description for the new profile.

SAML Settings

  1. Enable Enforce SAML Authentication for Administration Console or Enforce SAML Authentication for MPP (Mimecast Personal Portal), matching the OneLogin app you are connecting.
  2. Select OneLogin in the Provider drop down.
  3. Enter the Metadata URL of the app you have configured in OneLogin. This is the Issuer URL copied from the OneLogin configuration; an example is https://app.onelogin.com/saml/metadata/XXXXX.
  4. Alternatively, specify the values manually: visit the Issuer URL, download the metadata file, open it, and configure the Authentication Profile from its contents:
    1. Enter the entityID of the EntityDescriptor as the Issuer URL in Mimecast.
    2. Enter the Location of the SingleSignOnService whose Binding is HTTP-POST as the Login URL in Mimecast.
    3. Enter the Logout URL in Mimecast. Most commonly this is the SingleLogoutService Location, i.e. the URL you are redirected to when you log out of your Identity Provider (IdP).
    4. Enter the base64 content of the ds:X509Certificate element (the IdP signing certificate) as the Identity Provider Certificate (Metadata) in Mimecast.
  5. Optionally select Allow Single Sign On to enable Identity Provider initiated SAML authentication. In an IdP-initiated flow Mimecast receives an unsolicited assertion with no AuthnRequest of its own to match it against, so leave this disabled unless your users need to start from the OneLogin portal.
  6. Optionally enable Enforce Identity Provider Logout on Application Logging Out, so that logging out of Mimecast also ends the OneLogin session.
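The manual entry in step 4 is a matter of reading four values out of the metadata document. The following Python script is an added example, not Mimecast or OneLogin code; it parses IdP metadata with the standard library and maps the entityID, the HTTP-POST SingleSignOnService, the SingleLogoutService and the signing certificate onto the Authentication Profile fields, computing a SHA-256 fingerprint of the certificate so it can be compared with what the OneLogin console shows before it is trusted. The embedded metadata is a constructed sample shaped like what the Issuer URL returns: the hostname example-corp.onelogin.com and the XXXXX app identifier are placeholders, and the certificate body is dummy base64, not a real X.509 certificate.

```python
"""Pull the manual Authentication Profile values out of OneLogin IdP metadata.

Added example, not Mimecast or OneLogin code. The metadata below is a
constructed sample; the certificate body is dummy base64, not a real
X.509 certificate, and the hostnames/app id are placeholders.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample. Hostname and the XXXXX app identifier are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/XXXXX">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBdummyCERTbase64AAAABBBBCCCCD
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-corp.onelogin.com/trust/saml2/http-redirect/slo/XXXXX"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-corp.onelogin.com/trust/saml2/http-redirect/sso/XXXXX"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-corp.onelogin.com/trust/saml2/http-post/sso/XXXXX"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _endpoint(idp, tag, binding):
    """Return the Location of the <tag> element that uses the given SAML binding, or None."""
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    return None


def parse_idp_metadata(xml_text):
    """Map IdP metadata onto the fields of the Mimecast Authentication Profile.

    Returns a dict with issuer_url, login_url, logout_url, certificate_pem,
    sha256_fingerprint and nameid_formats. Raises ValueError when the document
    is not IdP metadata or lacks a value the profile needs.
    """
    root = ET.fromstring(xml_text)
    issuer_url = root.get("entityID")                       # -> Issuer URL
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or not SAML metadata at all")

    login_url = _endpoint(idp, "SingleSignOnService", HTTP_POST)         # -> Login URL
    logout_url = (_endpoint(idp, "SingleLogoutService", HTTP_REDIRECT)
                  or _endpoint(idp, "SingleLogoutService", HTTP_POST))   # -> Logout URL

    # The signing certificate sits under KeyDescriptor; a KeyDescriptor with no
    # 'use' attribute is valid for both signing and encryption.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_b64 = re.sub(r"\s+", "", el.text)   # strip the line wrapping
                break

    if not (issuer_url and login_url and cert_b64):
        raise ValueError("metadata lacks entityID, an HTTP-POST SingleSignOnService, or a signing certificate")

    der = base64.b64decode(cert_b64, validate=True)   # fails loudly on a corrupted copy/paste
    pem_body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return {
        "issuer_url": issuer_url,
        "login_url": login_url,
        "logout_url": logout_url,
        "certificate_pem": f"-----BEGIN CERTIFICATE-----\n{pem_body}\n-----END CERTIFICATE-----\n",
        # Compare with the certificate OneLogin shows for the app before trusting it.
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
        "nameid_formats": [el.text.strip() for el in idp.findall("md:NameIDFormat", NS) if el.text],
    }


def supports_email_nameid(profile):
    """Mimecast expects the primary email address as the subject; check the IdP advertises it."""
    return EMAIL_NAMEID in profile["nameid_formats"]


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in values.items():
        print(f"{key}: {value}")
    print("email NameID advertised:", supports_email_nameid(values))
```

Run it against the file you downloaded from the Issuer URL instead of SAMPLE_METADATA; if it raises because there is no IDPSSODescriptor, you have fetched SP metadata (or an HTML error page) rather than the IdP document.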


Optionally define Permitted IP Ranges

To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for Administration Console, End User Application, and Gateway authentication attempts. The ranges are matched against the public source address of the connection as Mimecast sees it, so make sure your own egress ranges are included before you save; otherwise the next logon from your own network will be refused.

To configure Permitted IP Ranges for the Administration Console:

  1. Login to the Administration Console.
  2. Navigate to the Account | Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges from which Administration Console access is permitted, in CIDR format, one range per line.

To configure Permitted IP Ranges for End User Applications:

  1. Login to the Administration Console.
  2. Navigate to the Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile select it from the list. Alternatively, to create a new profile select the New Authentication Profile button.
  5. Select the check box to enable Permitted Application Login IP Ranges.
  6. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges from which End User Application logins are permitted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Login to the Administration Console.
  2. Navigate to the Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile select it from the list. Alternatively, to create a new profile select the New Authentication Profile button.
  5. Select the check box to enable Permitted Gateway Login IP Ranges.
  6. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges from which Gateway (SMTP or POP) logins are permitted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.
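All three Permitted IP Range boxes above take the same input: public ranges in CIDR notation, one per line. The script below is an added example, not Mimecast tooling, that checks such a list before it is pasted in: it rejects lines that do not parse, a /0 that would match everything, ranges that can never be a public source address (RFC 1918 and similar), and duplicates, and it finally confirms that the address you are administering from falls inside an accepted range so that saving the list cannot lock you out. The sample list is constructed and uses RFC 5737 / RFC 3849 documentation addresses in place of real public ranges; the current-address argument is likewise a placeholder for your real egress IP.

```python
"""Sanity-check a Permitted IP Ranges list before saving it in Mimecast.

Added example, not Mimecast tooling. The list below is constructed and uses
RFC 5737 / RFC 3849 documentation addresses in place of real public ranges.
"""
import ipaddress

# Ranges that can never be the source address of a connection reaching Mimecast
# across the Internet, so their presence in the list is always a mistake.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample of what an admin might paste: one range per line, with mistakes.
SAMPLE_RANGES = """\
203.0.113.0/24
198.51.100.17
10.0.0.0/8
0.0.0.0/0
2001:db8::/32
203.0.113.0/24
not-an-ip
"""


def _is_not_routable(net):
    """True when net lies entirely inside a private, loopback, link-local or multicast block."""
    return any(net.version == r.version and net.subnet_of(r) for r in NOT_ROUTABLE)


def check_permitted_ranges(text, current_ip):
    """Validate a CIDR list in the Mimecast 'one range per line' format.

    Returns (accepted, problems): the networks that are safe to paste, and a
    list of human-readable findings. A bare address is accepted as a /32 or
    /128 host route. The final check guards against locking yourself out:
    the address you are administering from must fall inside an accepted range.
    """
    accepted, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append(f"line {lineno}: {line!r} is not an IP address or CIDR range")
            continue
        if net.prefixlen == 0:
            problems.append(f"line {lineno}: {net} matches every address and disables the control")
            continue
        if _is_not_routable(net):
            problems.append(f"line {lineno}: {net} is not a public range; Mimecast sees your public egress address")
            continue
        if net in seen:
            problems.append(f"line {lineno}: {net} is a duplicate")
            continue
        seen.add(net)
        accepted.append(net)

    client = ipaddress.ip_address(current_ip)
    if not any(client in net for net in accepted if net.version == client.version):
        problems.append(f"current address {client} is in no accepted range; saving this list would lock you out")
    return accepted, problems


if __name__ == "__main__":
    # The current address would normally be your real public egress IP; this one is a placeholder.
    ok, findings = check_permitted_ranges(SAMPLE_RANGES, "203.0.113.45")
    print("accepted:", [str(n) for n in ok])
    for finding in findings:
        print("problem:", finding)
```

The non-routable list is explicit rather than relying on the library's is_private flag, because that flag also marks the documentation ranges used here (and some other reserved blocks) as private, which would make the sample useless and can surprise you when checking real input.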


Other options

An Authentication Profile is applied to a group of users, and a given user can have only one effective profile at a time. Consequently, any other authentication options those users need must be configured in this same Authentication Profile.


Apply the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it from an Application Setting for it to take effect. To do this:

  1. Log in to the Administration Console.
  2. Navigate to the Services | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference, and click the Select link on the lookup page.
    [Screenshot: Application_Settings_select_Authentication_Profile.png]
  5. Select Save and Exit to apply the change.


Next Steps

The configuration is now complete. Users with this Authentication Profile applied should be redirected to OneLogin when they attempt to log in to the application(s) for which you have enabled SAML Authentication.

SAML Authentication is enforced for the address Group configured in the Application Setting, and the email addresses in that Group will only be able to log on to the Mimecast Administration Console and / or Mimecast Personal Portal using SAML. If your Identity Provider (IdP) is unavailable, or there is an issue with SAML Authentication (for example an expired or rotated IdP signing certificate), those addresses will not be able to log on at all. Mimecast recommends that you keep an emergency (break-glass) Administration Console logon that does not use SAML, i.e. an administrator whose address is outside the SAML-enforced Group, so that you can still update the Authentication Profile configuration when this happens.
