[OUTDATED] Configuring Mimecast SAML Authentication Settings

Document created by user.oxriBaJeN4 Employee on Oct 23, 2015. Last modified by user.oxriBaJeN4 Employee on Dec 30, 2015. Version 4.

This guidance is outdated and has been superseded by the content in the Single Sign-On space.

Once your Identity Provider is configured, Mimecast SAML Authentication settings are applied to a group of users using an Authentication Profile.

SAML Authentication is an enforced method for all users subject to the settings defined in the Authentication Profile, for the relevant application.

When you first enable SAML Authentication, particularly for the Administration Console, consider applying it to a test user before enabling it for all Administrators. This will prevent you from locking yourself out of the Administration Console in the case of a configuration issue.

Create an Authentication Profile

Log in to the Administration Console, navigate to the Services | Applications menu, and select the Authentication Profiles button.

[Image: Authentication Profiles button]

  1. Select an existing Authentication Profile or select the New Authentication Profile button.
  2. Enter a Description for the new profile.

SAML Authentication Settings

Select which application to enable SAML Authentication for, using the following options:

  1. Enforce SAML Authentication for Administration Console, Enforce SAML Authentication for Mimecast Personal Portal, and / or Enforce SAML Authentication for End User Applications.
    [Image: SAML Authentication settings for the Administration Console]
  2. Select a *Provider from the drop down menu.
  3. If your *Identity Provider publishes Federation Metadata for the Application you have created, enter it in the Metadata URL field and click Import. This will populate the SAML signing certificate, Issuer URL, and Login URL from your *Identity Provider.

    Manually Setting Options

    If your *Identity Provider does not publish Federation Metadata, or if Mimecast cannot reach this URL, you can enter these values manually.

    When populating the *Identity Provider Certificate you must trim the BEGIN CERTIFICATE and END CERTIFICATE lines from the certificate metadata, leaving only the Base64 body.

  4. Optionally select Monitor Metadata URL. This option requires a valid Metadata URL and will check that your Authentication Profile contains the current Identity Provider certificate and settings, to prevent unexpected issues when these change at your *Identity Provider. Checks are carried out a maximum of once per day and are initiated when a user logs in. If no user with this Authentication Profile applied logs in on a given day, the metadata will not be checked that day.
  5. Optionally specify the Logout URL. Mimecast supports basic URL redirect logout methods. AD FS and Azure AD are known to require a more advanced method that is not currently supported.
  6. Optionally define which Authentication Context to use. By default both password protected and integrated contexts are used.

    These settings define the AuthnContextClassRef (authentication context class) that is used in the SAML request built by Mimecast and sent to the Identity Provider. Mimecast supports the Password Protected Transport and Windows Integrated contexts, or a combination of both. This setting should be driven by the context that your Identity Provider expects or requires.

    For example, Windows Azure AD only accepts one context. This setting allows you to define which one to use.

  7. Choose to Allow Single Sign On. This setting enables / disables *Identity Provider Initiated Sign On and is only applicable to the Administration Console and Mimecast Personal Portal.
  8. Optionally decide to Enforce Identity Provider Logout on Application Logging Out.

    This feature is currently only supported in the Administration Console; it is not supported in the Mimecast Personal Portal. The feature will only work if the *Identity Provider explicitly publishes a URL to be used for this function.

*Provider - use the Other option when using an Identity Provider that is not registered with Mimecast.
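What the Import button in step 3 does with a Metadata URL, what the manual certificate field needs, and the drift check that Monitor Metadata URL (step 4) performs, as an added example that is not part of the original article or of Mimecast's own code. The metadata document is constructed for illustration, with placeholder URLs and a dummy certificate body.

```python
# Added example (not Mimecast code): parse IdP federation metadata the way the
# Import button does, then check a stored Authentication Profile against it.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata (placeholder URLs, dummy certificate body).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   -----BEGIN CERTIFICATE-----
   MIIDUMMYCERTBODY
   -----END CERTIFICATE-----
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/idp/logout"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/idp/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def pem_body(cert_text):
    """Drop the BEGIN/END lines and whitespace: the bare Base64 the manual certificate field expects."""
    lines = (l.strip() for l in cert_text.strip().splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))

def parse_idp_metadata(xml_text):
    """Return what Import populates: signing certificate, Issuer URL, Login URL (plus Logout URL)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)

    def endpoint(name):  # Mimecast uses plain URL redirects, so pick the HTTP-Redirect binding
        for svc in idp.findall("md:" + name, NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    return {"certificate": pem_body(cert.text), "issuer_url": root.get("entityID"),
            "login_url": endpoint("SingleSignOnService"),
            "logout_url": endpoint("SingleLogoutService")}

def profile_drift(profile, xml_text):
    """Fields of a stored profile that no longer match the published metadata (e.g. a rotated IdP cert)."""
    current = parse_idp_metadata(xml_text)
    return sorted(k for k in ("certificate", "issuer_url", "login_url") if profile.get(k) != current[k])
```

A non-empty result from profile_drift is the situation Monitor Metadata URL exists to catch: the IdP rotated its signing certificate or moved an endpoint and every SAML login would otherwise start failing.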
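The Authentication Context setting from step 6, shown on the wire: an added example (not code from the article or from Mimecast) that builds the RequestedAuthnContext of an SP-initiated AuthnRequest from the two profile options and then checks that the IdP's reply actually used one of the requested classes. The issuer, endpoint URLs and the reply fragment are constructed placeholders, and the Kerberos class URI is assumed as the "Windows Integrated" context.

```python
# Added example (not Mimecast code): the RequestedAuthnContext that the Authentication
# Context setting controls, and the check that the IdP's reply used a context we asked for.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CONTEXTS = {
    "password": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    # SAML's own class for integrated Windows (Kerberos) sign-on; AD FS advertises
    # urn:federation:authentication:windows instead, so use the URI your IdP expects.
    "integrated": "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos",
}

def requested_context_refs(options):
    """Map the profile's Authentication Context choices to class URIs; the default is both."""
    chosen = [k for k in ("password", "integrated") if options.get(k, True)]
    if not chosen:
        raise ValueError("at least one authentication context must be enabled")
    return [CONTEXTS[k] for k in chosen]

def build_authn_request(issuer, acs_url, destination, options):
    """Minimal SP-initiated AuthnRequest; Comparison="exact" means the IdP must use one of the listed classes."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    for uri in requested_context_refs(options):
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = uri
    return ET.tostring(req, encoding="unicode")

def context_satisfied(response_xml, options):
    """After the signature has been verified, confirm the assertion's AuthnContextClassRef is one we requested."""
    root = ET.fromstring(response_xml)
    ref = root.find(f".//{{{SAML}}}AuthnContextClassRef")
    return ref is not None and ref.text.strip() in requested_context_refs(options)

# Constructed IdP reply fragment (unsigned, for illustration): an IdP that only offers
# the password context, as the text says Windows Azure AD does.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
 <saml:Assertion><saml:AuthnStatement><saml:AuthnContext>
  <saml:AuthnContextClassRef>{CONTEXTS['password']}</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>"""
```

If the profile requests only the integrated context against an IdP that can only return the password one, context_satisfied is False, which is the mismatch the "only accepts one context" caveat warns about.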

 

Optionally define Permitted IP Ranges

To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for the Administration Console, End User Applications, and Gateway authentication attempts.

To configure Permitted IP ranges for the Administration Console:

  1. Log in to the Administration Console.
  2. Navigate to the Account | Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.

 

To configure Permitted IP Ranges for End User Applications:

  1. Log in to the Administration Console.
  2. Navigate to the Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.
  5. Select the check box to enable Permitted Application Login IP Ranges.
  6. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.

 

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Log in to the Administration Console.
  2. Navigate to the Services | Applications menu.
  3. Select the Authentication Profiles button.
  4. To edit an existing Authentication Profile, select it from the list. Alternatively, to create a new profile, select the New Authentication Profile button.
  5. Select the check box to enable Permitted Gateway Login IP Ranges.
  6. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
  7. Select Save and Exit to apply the new settings.
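A pre-save check for the three Permitted IP Ranges text boxes above, as an added example that is not part of the original article or of Mimecast's own product: it parses the "CIDR format, one range per line" list, flags entries that would lock everyone out or let everyone in, and evaluates a login source address the way the restriction will. The sample list is constructed, IPv4 only, and the set of non-public blocks is our own assumption.

```python
# Added example (not Mimecast code): validate a Permitted IP Ranges list in the
# "CIDR format, one range per line" form before saving it, and evaluate a login
# source address against it. IPv4 only; the non-public blocks are our own list.
import ipaddress

NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]  # loopback, link-local, CGNAT

def parse_ip_ranges(text):
    """Return (networks, problems): the parsed ranges plus lines that would be rejected or
    that defeat the control (an internal range, or a catch-all that permits everyone)."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)   # host bits are masked off
        except ValueError:
            problems.append(f"line {lineno}: {line!r} is not a valid CIDR range")
            continue
        if net.prefixlen == 0:
            problems.append(f"line {lineno}: {net} permits every address and disables the restriction")
        elif any(net.overlaps(p) for p in NON_PUBLIC):
            problems.append(f"line {lineno}: {net} is not a public range; logins arrive from public addresses")
        networks.append(net)
    return networks, problems

def login_permitted(source_ip, networks):
    """True when the source address is inside any permitted range; an empty list means no restriction."""
    addr = ipaddress.ip_address(source_ip)
    return not networks or any(addr in net for net in networks)

# Constructed sample list: two office egress ranges, a single host, then three mistakes
# (an internal range, an invalid prefix length, and a catch-all).
SAMPLE_RANGES = """203.0.113.0/24
198.51.100.40/29
198.51.100.7
10.0.0.0/8
203.0.113.0/33
0.0.0.0/0
"""
```

Run the check against the egress ranges your users actually come from before saving, since the Administration Console setting in particular can lock you out if the list is wrong.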

 

Other options

An Authentication Profile is applied to a group of users.

A given user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile.

SAML Authentication is an enforced authentication method; consequently, other Authentication Options will only apply to applications that do not support SAML.

 

Apply the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Log in to the Administration Console.
  2. Navigate to the Services | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
    [Image: Application Settings, selecting an Authentication Profile]
  5. Select Save and Exit to apply the change.

 

Next Steps

Administration Console and Mimecast Personal Portal

When using Service Provider Initiated SAML Authentication your users must access the Mimecast Personal Portal and Administration Console using the regional URLs for the respective web application.

Due to the differences between each Identity Provider's implementation of SAML, Mimecast does not support this authentication type when using the global URLs.

To test your configuration and verify that your Authentication Profile has been configured correctly, open a web browser, navigate to the web application that you have configured SAML Authentication for (either the Administration Console or the Mimecast Personal Portal), and enter your primary email address.

You should be redirected to the Identity Provider login URL specified in the Authentication Profile.

If required, log in to your Identity Provider. You should then be redirected to the Mimecast application and granted access.

To test Identity Provider Initiated Sign On, navigate to your Identity Provider and log in. From the published applications page select the relevant Mimecast application. You should be redirected to the Mimecast application and granted access.

 

Mimecast for Outlook (6.1 and later)

To test your configuration and verify that your Authentication Profile has been configured correctly, open Outlook and open the Account Options dialogue from the Mimecast ribbon or by clicking the Status Panel in the bottom left of the Outlook window.

You should see the Single Sign-On button available to be selected.

Click the Single Sign-On button followed by the Login button and you should be redirected to the configured Identity Provider. Once successfully authenticated you should be returned to the Account Options page and see that the status is Validated.
