Understanding Enforce SAML Authentication for End User Applications

Document created by user.zL0FB6L9lN Expert on Nov 10, 2015. Last modified by user.zL0FB6L9lN Expert on Feb 19, 2016.
Version 5

This article explains what to expect when the Enforce SAML Authentication for End User Applications setting is enabled in an Authentication Profile.

 


When to use this setting

Use this setting when you want users to access a deployed Mimecast end user application through Single Sign-On only. See the Impact section below for the effect this has on each application.

 

Impact

When Enforce SAML Authentication for End User Applications is enabled on a user's effective Authentication Profile, SAML authentication is enforced for every application that accesses Mimecast through the Mimecast API.

 

Users with that Authentication Profile applied cannot use a password-based authentication method (cloud or domain password) to access Mimecast from an end user application. The behaviour observed for each Mimecast application is described below.

 

Application / Description
Mimecast for Outlook v6.2 and later

Mimecast for Outlook v6.2 extends the capability introduced in v6.1 with an automated authentication attempt, which allows users to be authenticated with Mimecast through your Identity Provider without any user intervention. The automated attempt is made only when all of the following conditions are met:

 

  • The client computer must be a domain member.
  • The user must be logged in as a domain user.
  • The Outlook profile in use must belong to the logged-in user.
  • The user must not already hold a valid Mimecast authentication token (either no token exists or the current one has expired).
  • The Identity Provider must support Windows Integrated Authentication (for example, AD FS).

There is a 15 second timeout for automated authentication attempts.
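An added example (not from the article and not Mimecast tooling) of checking those conditions from a client before enabling the setting for a user, written in PowerShell because this is run on a domain-joined Windows desktop. The login URL, the user agent string and the AD FS WIASupportedUserAgents behaviour it relies on are assumptions stated in the comments; the script can only test the conditions that are observable from outside Outlook, so the Outlook profile condition still needs a manual check.

```powershell
# Added example (not from the Mimecast article): a pre-flight check for the
# conditions the automated authentication attempt in Mimecast for Outlook v6.2+
# depends on. Run it in the affected user's own interactive session.
#
# Assumptions, none of which come from the article:
#   - $LoginUrl is the login URL configured in the effective Authentication
#     Profile (the default below is a placeholder).
#   - The user agent string is one AD FS treats as WIA-capable. AD FS only offers
#     Integrated Windows Authentication to user agents listed in its
#     WIASupportedUserAgents property; the Trident/7.0 string matches the default
#     list. Other Identity Providers may need a different string or none.
param(
    [string]$LoginUrl = 'https://idp.example.invalid/login',   # placeholder
    [string]$UserAgent = 'Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko',
    [int]$TimeoutSeconds = 15                                  # the client's own limit
)

$check = [ordered]@{}

# Condition 1: the computer is a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$check['ComputerIsDomainMember'] = [bool]$cs.PartOfDomain
$check['Domain']                 = $cs.Domain

# Condition 2: the interactive user is a domain account. For a local account the
# USERDOMAIN environment variable equals the computer name.
$check['UserIsDomainUser']  = ($env:USERDOMAIN -ne $env:COMPUTERNAME)
$check['UserPrincipalName'] = (whoami /upn 2>$null)

# Condition 3 (the Outlook profile belongs to this user) cannot be read without
# Outlook's object model: compare the UPN above with the mailbox in the profile.
# Condition 4 (no valid token already held) is internal to the add-in.

# Condition 5: the IdP answers an integrated-auth request inside the window.
# -UseDefaultCredentials answers a Negotiate (Kerberos/NTLM) challenge with the
# logged-in user's credentials. A 200 within the timeout is necessary but not
# sufficient: an IdP that falls back to a forms page also returns 200, so the
# body is checked for a password form as a rough tell.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    $resp = Invoke-WebRequest -Uri $LoginUrl -UseDefaultCredentials -UseBasicParsing `
        -UserAgent $UserAgent -TimeoutSec $TimeoutSeconds -MaximumRedirection 5
    $check['IdpStatusCode']     = [int]$resp.StatusCode
    $check['IdpLooksLikeForms'] = (($resp.Content -match '<form') -and ($resp.Content -match 'password'))
} catch {
    $check['IdpStatusCode'] = 'error: ' + $_.Exception.Message
}
$sw.Stop()
$check['IdpResponseSeconds'] = [math]::Round($sw.Elapsed.TotalSeconds, 1)
$check['IdpWithinTimeout']   = ($sw.Elapsed.TotalSeconds -lt $TimeoutSeconds)

[pscustomobject]$check | Format-List
```

Run it as the user, not as an administrator from a separate logon, since the point is to test the credentials and network path the add-in itself will use. A result of IdpLooksLikeForms = True with IdpStatusCode = 200 usually means the IdP did not offer WIA to that user agent, which is exactly the case where the automated attempt fails and the user is sent to the manual Single Sign-On option.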

When you enable the Enforce SAML Authentication for End User Applications setting, the following behaviour is expected:

 

New users:

  1. If the conditions outlined above are met, when Outlook starts Mimecast for Outlook automatically attempts to log in at the login URL defined in the effective Authentication Profile.
  2. If the attempt succeeds, the user is granted access to Mimecast without intervention.
  3. If the conditions are not met, or the automated attempt fails, the user must follow these steps:
    1. Open the Mimecast for Outlook Account Options; the Single Sign-On option is now available there.
    2. When the user selects this option the authentication process starts and the user is redirected to the defined Identity Provider.
    3. Once the user has successfully authenticated with the Identity Provider, Mimecast for Outlook verifies the Identity Provider's response with Mimecast and the user is granted an authentication token.
    4. At this stage the user is considered authenticated and can use the application.

 

Existing users:

  1. If you enable this setting for users who are already using Mimecast for Outlook, the application stops working the next time the user's authentication token expires, and the user cannot access Mimecast until they re-authenticate. The time to live for an authentication token is defined by the Authentication TTL setting in the Authentication Profile.
  2. To recover from this scenario the user restarts Outlook; Mimecast for Outlook then detects that Single Sign-On has been enabled.
  3. From that point the user is treated as a new user and can follow the process described in the previous section.
Mimecast Mobile - Supported in version 3.1 and later

New users:

  1. When the user enters their email address on the login screen and selects Next, they will be redirected to the Identity Provider login URL specified in the Mimecast Authentication Profile.
  2. Once successfully authenticated with the Identity Provider the user will be granted access to the Mimecast application.

 

Existing Users:

 

If the user has already authenticated with either their cloud or domain password and you want to switch them to Single Sign-On, use the Revoking Application Authentication Sessions function to log users out of applications.

Mimecast for Mac - Supported in version 2.4 and later

New users:

  1. When the user enters their email address on the login screen and selects Next, they will be redirected to the Identity Provider login URL specified in the Mimecast Authentication Profile.
  2. Once successfully authenticated with the Identity Provider the user will be granted access to the Mimecast application.

 

Existing Users:

 

If the user has already authenticated with either their cloud or domain password and you want to switch to using Single Sign-On, please use the Revoking Application Authentication Sessions function to log users out of applications.

Mimecast for Outlook v6.1

New users:

  • When the user starts Outlook with Mimecast for Outlook installed they will be notified that they have not entered any credentials.
  • The user then opens the Mimecast for Outlook Account Options, where the Single Sign-On option is available.
  • When the user selects this option the authentication process starts and the user is redirected to the defined Identity Provider.
  • Once successfully authenticated with the Identity Provider, Mimecast for Outlook verifies the response from the Identity Provider with Mimecast and the user is granted an authentication token.
  • At this stage the user is considered authenticated and can use the application.

 

Existing Users:

  • If you enable this setting for users who are already using Mimecast for Outlook, the application stops working when the user's authentication token expires, and the user cannot access Mimecast. The time to live for an authentication token is defined by the Authentication TTL setting in the Authentication Profile.
  • To recover from this scenario, run through these steps:
    • Close Outlook.
    • Stop the Mimecast process from Task Manager.
    • Delete the msw.s3db file from the C:\ProgramData\Mimecast directory.
    • Start Outlook.
  • At this stage the user is treated as a new user and can follow the process described in the previous section.
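The four recovery steps above as a PowerShell script, added here as an example; it is not part of the article and not Mimecast's own tooling. It assumes the Mimecast for Outlook process name begins with "Mimecast" (the article only says "the Mimecast process"); the file path and the order of operations are taken from the steps as written.

```powershell
# Added example (not from the Mimecast article): the v6.1 recovery steps as a
# script, so a desktop admin can run them for a user instead of walking through
# Task Manager. Run it in the user's session with rights to remove files under
# C:\ProgramData\Mimecast.
#
# Assumption (not from the article): the Mimecast for Outlook process name starts
# with "Mimecast"; set $MimecastProcess to whatever Task Manager shows for your
# version.
$MimecastProcess = 'Mimecast*'
$StateFile       = 'C:\ProgramData\Mimecast\msw.s3db'

# Step 1: close Outlook. Ask it to close first so it flushes its own state, then
# force-stop anything still running after 30 seconds so the file below is not
# held open when it is deleted.
$outlook = Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue
if ($outlook) {
    $outlook | ForEach-Object { $null = $_.CloseMainWindow() }
    $outlook | Wait-Process -Timeout 30 -ErrorAction SilentlyContinue
    Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue | Stop-Process -Force
}

# Step 2: stop the Mimecast process (wildcard match on the assumed name).
Get-Process -Name $MimecastProcess -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: delete msw.s3db. The add-in rebuilds it on the next start, which is
# what makes the user count as "new" again.
if (Test-Path -Path $StateFile) {
    Remove-Item -Path $StateFile -Force
    Write-Host "Removed $StateFile"
} else {
    Write-Host "$StateFile not present; nothing to remove"
}

# Step 4: start Outlook. Mimecast for Outlook now treats the user as new and
# offers the Single Sign-On option in Account Options. 'outlook.exe' resolves
# through the App Paths registry key, so no install path is hard-coded.
Start-Process -FilePath 'outlook.exe'
```

If the delete in step 3 fails with a sharing violation, the Mimecast process was not stopped by the wildcard in step 2; check the real process name in Task Manager and adjust $MimecastProcess rather than retrying blindly.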

This use case will be improved in future releases of Mimecast for Outlook.

 

Legacy versions:

  • When a user starts Outlook with a version of Mimecast for Outlook earlier than 6.1, they cannot log in with any authentication method.

    To prevent disruption to your service, do not apply the Enforce SAML Authentication for End User Applications setting to users who do not have the required version of the application installed.

 

Authentication Tokens

When a user successfully authenticates using SAML Single Sign-On they are granted a secure authentication token, also known as a secure binding. This creates a security association between the user, the device, the application and the Mimecast API. The authentication token is presented on every subsequent request the client makes to Mimecast and is used to verify the user.

 

The authentication token issued by the Mimecast API after a successful SAML authentication is treated as a secure binding. This means:

  • The user only has to complete the login process once per device.
  • The user is not prompted to log in again when their password changes, because the token does not depend on the password.
  • The user's credentials are never cached on the device, as they are never required to access Mimecast.

Because a password change or reset therefore does not invalidate an existing token, a user's access is blocked by disabling the user in the Administration Console; to force re-authentication without disabling the user, use the Revoking Application Authentication Sessions function referred to above.

Continuity Considerations

If your Identity Provider is unavailable, users with this setting applied who have not already authenticated will not be able to log in and use the application.

 

However, because a user only has to authenticate once per application, per device when using SAML Single Sign-On, a user who authenticated while your Identity Provider was available can continue using the application from that point onwards, regardless of the availability of:

  • The Identity Provider
  • Active Directory
  • Exchange / Office 365

For the best experience in a continuity scenario ensure that users are authenticated while your Identity Provider is available.
