This guidance is outdated and has been superseded by the content in the Single Sign-On space.
If your organization is not using an Identity Provider (IdP) registered with Mimecast, it is possible to integrate SAML Authentication with other IdP's that support SAML 2.0.
This guide will provide the required information and steps to configure this.
What you will need
- Administrative access to your organization's Identity Provider.
- A Mimecast Administrator with edit permissions to the Services | Applications menu in the Administration Console.
Add a Mimecast Application to your Identity Provider
Typically this step will involve creating and publishing a new Application in your Identity Provider's Administration Console.
When creating this Application ensure that these values are set:
The SAML Audience, also referenced as an Identifier specifically relates to the setting that defines this element in a SAML response:
<Conditions NotBefore="2015-03-05T11:04:54.518Z" NotOnOrAfter="2015-03-05T12:04:54.518Z"> <AudienceRestriction> <Audience>host.domain.com.ACCOUNTCODE</Audience> </AudienceRestriction> </Conditions>
The values for the SAML Audience / Identifier for each Mimecast region and application are listed in the Audience section of the Global SAML URLs and Audience Values article.
The SAML destination, also referenced as an endpoint is the URL of the Mimecast application that the Identity Provider should send the SAML response to. Details of the destination URLs for each Mimecast application can be found in the Destination section of the Global SAML URLs and Audience Values article.
There are 2 destination URL's for each region and each application, one for Service Provider Initiated sign-on and one for Identity Provider Initiated sign-on.
Name ID Format
The NameID format is critical for a successful SAML authentication attempt as it is the attribute that Mimecast uses to identify the user in the response. This specifically relates to the following part of the SAML response:
<Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">firstname.lastname@example.org</NameID> </Subject>
As Mimecast identifies users by their primary email address it is critical that this attribute contains the email address of the requesting user.
Once you have configured your Identity Provider with the required settings you must configure an Authentication Profile in the Mimecast Administration Console. View the [OUTDATED] Configuring Mimecast SAML Authentication Settings article for guidance on this.