[OUTDATED] Configure AD FS for use with Mimecast SAML Authentication

Document created by user.oxriBaJeN4 (Employee) on Sep 9, 2015. Last modified by user.oxriBaJeN4 (Employee) on Dec 30, 2015. Version 4.

This guidance is outdated and has been superseded by the content in the Single Sign-On space.

This guide explains how to configure Mimecast SAML Authentication using Active Directory Federation Services (AD FS) as the Identity Provider.

Recommended Reading

Supported AD FS versions

Version    Host Operating System
2.0        Windows Server 2008 R2
2.1        Windows Server 2012
3.0        Windows Server 2012 R2

 

Configuring AD FS

You need a separate Relying Party Trust for each Mimecast application (service) you wish to expose to your users.

Creating the Relying Party Trust

  1. On your AD FS server, open the AD FS Management Console
  2. Expand the Trust Relationships node and select Relying Party Trusts:
    AD_FS_Management_Console.png
  3. Select Add Relying Party Trust... from the Actions pane on the right hand side of the AD FS management console.
  4. On the Select Data Source page of the wizard, select Enter data about the relying party manually and click Next.
    AD_FS_Select_Data_Source_Manual.png
  5. Enter a display name, for example "Mimecast MPP" and click Next.
    adfs_display_name.png
  6. Leave the default AD FS Profile selected and click Next.
  7. Leave the Configure Certificate page blank and click Next.
  8. Leave the Configure URL page blank and click Next.
  9. Add a Relying Party Trust Identifier. The value to use depends on the application you are setting up and the region where your organization's Mimecast account is hosted. See the Audience section of the Global SAML URLs and Audience Values article for the correct value.
  10. Permit all users to access the relying party trust and click Next.
  11. Complete the wizard by selecting Next and then Finish.
  12. Right click the newly created trust and select Properties then navigate to the Endpoints tab.
    adfs_endpoints.png
  13. To enable Identity Provider (IdP) initiated authentication, add an endpoint with Index 0, the SAML Assertion Consumer endpoint type, the POST binding, and the URL from the Destination section of the Global SAML URLs and Audience Values article that corresponds to the application you are configuring and the region where your Mimecast account is hosted.
  14. To enable Service Provider (SP) initiated authentication, add a second endpoint with Index 1, the SAML Assertion Consumer endpoint type, the POST binding, and the corresponding SP-initiated URL from the same Destination section of that article.

      Once both endpoints have been added, ensure the IdP endpoint (the one ending in ?action=sso) is set as the default endpoint.

  15. Click OK twice to apply the configuration.

 

Edit Claims Rules

  1. From the Trust Relationships | Relying Party Trusts node, select the previously created Mimecast trust.
  2. Click Edit Claims Rules... from the Actions pane to launch the Edit Claims Rules dialog box.
  3. On the Issuance Transform Rules tab, click the Add Rule... button:
    AD_FS_Claims_Rule_Issuance_Transform.png
  4. Leave the default Send LDAP Attributes as Claims selected and click Next.
  5. Enter a name for the Claim Rule, select Active Directory as your Attribute store and then add the mapping shown in the table below:

    LDAP Attribute    Outgoing Claim Type
    Email Address     Name ID
  6. Once complete your Claims Rule should look like this:
    adfs_claim_example.png
  7. Click Finish.
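The two procedures above (creating the Relying Party Trust with its endpoints, and adding the Name ID claim rule) can also be scripted with the AD FS PowerShell cmdlets. The following is an added example and not Mimecast's or Microsoft's own script; the display name, the Audience identifier and the two Destination URLs are placeholders that you must replace with the values from the Global SAML URLs and Audience Values article for your application and region. The cmdlets are those of the ADFS module on Windows Server 2012 / 2012 R2 (AD FS 2.1 / 3.0); on AD FS 2.0 the same cmdlets are loaded via the Microsoft.Adfs.PowerShell snap-in instead.

```powershell
# Added example: scripts the Relying Party Trust and claim rule configured in the
# wizard steps above. Run in an elevated PowerShell session on the AD FS server.
# On AD FS 2.0 (Windows Server 2008 R2) use: Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS

# Placeholders (assumptions): take the real values from the Audience and Destination
# sections of the "Global SAML URLs and Audience Values" article.
$DisplayName = 'Mimecast MPP'
$Audience    = 'https://AUDIENCE-PLACEHOLDER.example'                     # Relying Party Trust Identifier
$IdpAcsUrl   = 'https://DESTINATION-PLACEHOLDER.example/sso?action=sso'   # Index 0, IdP-initiated
$SpAcsUrl    = 'https://DESTINATION-PLACEHOLDER.example/sso'              # Index 1, SP-initiated

# Steps 13 and 14: two SAML Assertion Consumer endpoints with POST binding.
# The IdP-initiated endpoint (ending in ?action=sso) is Index 0 and the default.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $IdpAcsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $SpAcsUrl  -Index 1 -IsDefault $false
)

# Step 10: "Permit all users to access this relying party" (the wizard's default
# issuance authorization rule).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Edit Claims Rules, steps 4 to 6: "Send LDAP Attributes as Claims" from the
# Active Directory store, mapping the user's mail attribute to the outgoing Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Mimecast Name ID from Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Steps 4 to 11 and 13 to 15 in one call: identifier, endpoints and both rule sets.
Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -Identifier $Audience `
    -SamlEndpoint $endpoints `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check the result: both endpoints present, Index 0 marked as default, and the
# Name ID transform rule attached to the trust.
$trust = Get-AdfsRelyingPartyTrust -Name $DisplayName
$trust.SamlEndpoints | Select-Object Index, IsDefault, Binding, Protocol, Location | Format-Table -AutoSize
$trust.IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust call is the same check the wizard steps ask you to make by hand: the endpoint listing should show two POST / SAMLAssertionConsumer entries with the ?action=sso one at Index 0 and IsDefault set to True, and the transform rules should contain the single LDAP rule issuing the Name ID claim from the mail attribute.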

 

Next Steps

Once you have configured AD FS with the required settings you must configure an Authentication Profile in the Mimecast Administration Console. View the [OUTDATED] Configuring Mimecast SAML Authentication Settings article for guidance on this.
