Mimecast Personal Portal: Configuring Single Sign On Using AD FS

Document created by user.oxriBaJeN4 Employee on Dec 14, 2015. Last modified by user.oxriBaJeN4 Employee on Jul 25, 2017. Version 20.

Supported AD FS Versions

Version   Host Operating System
2.0       Windows Server 2008 R2
2.1       Windows Server 2012
3.0       Windows Server 2012 R2

 

Configuring AD FS

 

Creating a Relying Party Trust

 

To create a relying party trust:

  1. Open the AD FS Management Console on the server.
  2. Expand the Trust Relationships node.
  3. Select Relying Party Trusts.
  4. Select Add Relying Party Trust... from the Actions pane on the right-hand side of the console. A wizard opens.
  5. Click Next to navigate to the Select Data Source page.
  6. Select the Enter Data About the Relying Party Manually option.

  7. Click the Next button to navigate to the Specify Display Name page.
  8. Enter a Display Name (e.g. Mimecast MPP).
  9. Click the Next button until you reach the Choose Issuance Authorization Rules page.
    The Choose Profile page can be left with the default AD FS profile selected. The Configure Certificate and Configure URL pages can be left blank.
  10. Enter a Relying Party Trust Identifier. Use the value for the region where your Mimecast account is hosted from the table below:

    Region          MPP v3
    Europe          eu-api.mimecast.com.ACCOUNTCODE
    United States   us-api.mimecast.com.ACCOUNTCODE
    South Africa    za-api.mimecast.com.ACCOUNTCODE
    Australia       au-api.mimecast.com.ACCOUNTCODE
    Offshore        jer-api.mimecast.com.ACCOUNTCODE

    Where ACCOUNTCODE is your unique Mimecast account code, as shown in the Administration | Account | Account Settings menu item in the Administration Console.
    Due to a limitation with AD FS, the identifier must be unique across Relying Party Trusts. If you have also configured Relying Party Trusts for Mimecast Personal Portal v3 or our End User Applications, ensure the value entered here differs from those. In most cases you can accomplish this by making the ACCOUNTCODE portion all upper case on one trust and all lower case on the other.
  11. Permit all users to access the relying party trust.
  12. Click the Next button to navigate to the Ready to Add Trust page.
  13. Click the Next button to confirm you are ready.
  14. Click the Finish button to complete the wizard.

 

Configuring the Relying Party Trust

 

To configure the relying party trust:

  1. Right click the newly created trust. A popup menu is displayed.
  2. Click on the Properties menu item. The trust's properties are displayed.
  3. Click on the Endpoints tab.
  4. Click the Add button. The Add an Endpoint dialog is displayed.
  5. Configure the settings to support Identity Provider Initiated authentication to allow users to access the Mimecast Personal Portal from your AD FS portal:
    1. Select SAML Assertion Consumer as the Endpoint Type.
    2. Select POST as the Binding.
    3. Select to Set the Trusted URL as Default.
    4. Leave the Index set to "0".
    5. Enter the Trusted URL. Use the value for the region where your Mimecast account is hosted from the table below:

    6. Click the OK button. 
  6. Configure the settings to support Service Provider Initiated authentication to allow users to access the Mimecast Personal Portal by entering their email address into the Mimecast Personal Portal login page:
    1. Select SAML Assertion Consumer as the Endpoint Type.
    2. Select POST as the Binding.
    3. Do not select to Set the Trusted URL as Default.
    4. Set the Index to "1".
    5. Enter the Trusted URL. Use the value for the region that your Mimecast account is hosted from the table below:

    6. Click the OK button.
  7. Click the OK button to complete the configuration.

 

Editing Claims Rules

 

To edit the claim rules:

  1. Click on the new Relying Party Trust from the Trust Relationships | Relying Party Trusts node.
  2. Click Edit Claims Rules... from the Actions pane. The Edit Claims Rules dialog is displayed.
  3. Click the Add Rule button in the Issuance Transform Rules tab.
  4. Leave the default Send LDAP Attributes as Claims selected.
  5. Click the Next button.
  6. Enter a name for the Claim Rule (e.g. Email Address as Name ID).
  7. Select Active Directory as your Attribute store.
  8. Add a rule as displayed below:

    LDAP Attribute      Outgoing Claim Type
    E-Mail-Addresses    Name ID
  9. Once complete, your Claims Rule should look like this:

  10. Click the Finish button to complete the configuration.
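The three console procedures above (creating the trust, adding the two endpoints, and the Name ID claim rule) can also be done from PowerShell. The script below is an added example and is not part of this article or a Mimecast-supplied tool; it uses the AD FS cmdlets shipped with AD FS 2.1/3.0 (on AD FS 2.0 load the Microsoft.Adfs.PowerShell snap-in instead), and the values in angle brackets are placeholders you replace from your own account and from the regional tables.

```powershell
# Added example, not from the Mimecast article. Placeholders in <angle brackets> are assumptions
# to fill in from your Mimecast account code and the regional identifier / Trusted URL tables.
Import-Module ADFS

$accountCode = "<ACCOUNTCODE>"                          # Administration | Account | Account Settings
$identifier  = "eu-api.mimecast.com.$accountCode"       # use the row for your region
$idpInitUrl  = "<Trusted URL for IdP-initiated login>"  # regional value, endpoint index 0
$spInitUrl   = "<Trusted URL for SP-initiated login>"   # regional value, endpoint index 1

# AD FS needs every Relying Party Trust Identifier to be unique (see the note under step 10),
# so refuse to continue if this identifier is already in use by another trust.
if (Get-AdfsRelyingPartyTrust -Identifier $identifier) {
    throw "Identifier '$identifier' is already used by another Relying Party Trust."
}

# Configuring the Relying Party Trust, steps 5 and 6: two SAML Assertion Consumer endpoints,
# POST binding, index 0 set as default and index 1 not default.
$endpoints = @(
    (New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri $idpInitUrl -Index 0 -IsDefault $true),
    (New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri $spInitUrl  -Index 1 -IsDefault $false)
)

# Creating a Relying Party Trust, step 11: permit all users.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Editing Claims Rules: LDAP attribute E-Mail-Addresses (mail) -> Name ID, from the Active Directory store.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Address as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name "Mimecast MPP" `
    -Identifier $identifier `
    -SamlEndpoint $endpoints `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Verify what was created: name, identifier, and that both endpoints are present.
Get-AdfsRelyingPartyTrust -Identifier $identifier |
    Select-Object Name, Identifier, @{ n = 'EndpointCount'; e = { $_.SamlEndpoints.Count } }
```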

 

Configuring Mimecast Settings

 

Now that your AD FS server is configured to support the integration, you need to create or update an Authentication Profile.

 

SAML Settings

 

To configure your SAML settings:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Authentication Profiles button.

  5. Either:
    • Select an existing Authentication Profile.
    • Click the New Authentication Profile button to create a new one following the instructions below.
  6. Enter a Description for the profile.
  7. Click the Enforce SAML Authentication for Mimecast Personal Portal option. The SAML Settings are displayed:

  8. Select AD FS from the Provider drop down list.
  9. Enter the Metadata URL of your AD FS environment.
  10. Click the Import button to automatically populate all of the required settings.
    If Mimecast cannot reach this URL, you can enter the Issuer URL, Login URL, and Identity Provider Certificate (Metadata) values manually. When populating the Identity Provider Certificate you must trim the Begin and End tags from the certificate metadata.
    • Optionally select Monitor Metadata URL. This requires a valid Metadata URL and checks that your Authentication Profile contains the current Identity Provider certificate and settings. The feature is designed to prevent unexpected issues when these settings change in AD FS.
      Checks are made a maximum of once per day and are initiated when a user logs in. If a user with this Authentication Profile applied does not log in on a given day the metadata is not checked.
    • Do not specify the Logout URL. Mimecast only supports basic URL redirect logout methods. AD FS is known to require a more advanced method that is not currently supported.
    • Optionally define which Authentication Context to use. By default both password protected and integrated contexts are used.
      These settings define the AuthNContextClass that is used in the SAML request provided by Mimecast and sent to your AD FS login URL. Mimecast supports the Password Protected Transport and Windows Integrated contexts or a combination of both.
    • Click on the Allow Single Sign On option to enable Identity Provider Initiated Sign On.
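    When the Import button cannot reach your Metadata URL, the Issuer URL, Login URL, and Identity Provider Certificate have to be read out of the AD FS federation metadata by hand. The script below is an added example, not part of this article; it reads the standard AD FS metadata document from a host name you supply (the example host is a placeholder) and prints those three values, with the certificate already in the bare base64 form Mimecast expects. The thumbprint and expiry it prints let you confirm that the certificate held in the Authentication Profile is still the one AD FS publishes, which is the check Monitor Metadata URL automates.

```powershell
# Added example, not from the Mimecast article. $AdfsHost is a placeholder (assumption);
# the metadata path below is the standard location AD FS publishes its federation metadata at.
param(
    [string]$AdfsHost = "adfs.example.com"   # your AD FS federation service FQDN
)

$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (New-Object System.Net.WebClient).DownloadString($metadataUrl)

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Issuer URL: the entityID of the root EntityDescriptor.
$issuerUrl = $metadata.DocumentElement.GetAttribute("entityID")

# Login URL: the SingleSignOnService endpoint with the HTTP-POST binding, matching the
# POST binding chosen for the relying party endpoints.
$ssoNode = $metadata.SelectSingleNode(
    "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']",
    $ns)
$loginUrl = $ssoNode.GetAttribute("Location")

# Identity Provider Certificate: the IdP signing certificate(s). Metadata carries the
# certificate as bare base64 with no BEGIN/END CERTIFICATE lines, which is the form the
# SAML Settings form wants. During an AD FS certificate rollover there can be two signing
# KeyDescriptors, so every one is reported.
$signingCerts = $metadata.SelectNodes(
    "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
    $ns)

foreach ($node in $signingCerts) {
    $certB64 = $node.InnerText -replace '\s', ''
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (, [byte[]][Convert]::FromBase64String($certB64))
    [pscustomobject]@{
        IssuerUrl                   = $issuerUrl
        LoginUrl                    = $loginUrl
        Thumbprint                  = $cert.Thumbprint   # compare with the certificate entered in the profile
        NotAfter                    = $cert.NotAfter     # rollover before this date changes the metadata
        IdentityProviderCertificate = $certB64
    }
}
```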

     

    Optionally Define Permitted IP Ranges

     

    To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for the Administration Console, End User Applications, and Gateway authentication attempts.

     

    To configure Permitted IP ranges for the Administration Console:

    1. Log in to the Administration Console.
    2. Click on the Administration menu item.
    3. Click on the Account | Account Settings menu item.
    4. Open the User Access and Permissions section.
    5. In the Admin IP Ranges text box, enter the public IP address ranges from which Administration Console access is permitted, in CIDR format, one range per line.

     

    To configure Permitted IP Ranges for End User Applications:

    1. Log in to the Administration Console.
    2. Click on the Administration menu item.
    3. Click on the Services | Applications menu item.
    4. Select the Authentication Profiles button.
    5. Click the Permitted Application Login IP Ranges option.
    6. Enter the public IP address ranges from which application logins are permitted, in CIDR format, one range per line.
    7. Click the Save and Exit button.

     

    To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

    1. Log in to the Administration Console.
    2. Click on the Administration menu item.
    3. Click on the Services | Applications menu item.
    4. Select the Authentication Profiles button.
    5. Click the Permitted Gateway Login IP Ranges option.
    6. Enter the public IP address ranges from which gateway logins are permitted, in CIDR format, one range per line.
    7. Click the Save and Exit button.

     

    Other Options

     

    An Authentication Profile is applied to a group of users, and a user can only have one effective profile at a given time. Consequently you may want to add additional authentication options to your Authentication Profile. Read the Authentication Options page for information on other authentication methods.

     

    Applying the Authentication Profile to an Application Setting

     

    Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied:

    1. Log in to the Administration Console.
    2. Click on the Administration menu item.
    3. Click on the Services | Applications menu item.
    4. Select the Application Setting that you want to use.
    5. Use the Lookup button to find the Authentication Profile you want to reference.
    6. Click the Save and Exit button.

     

    Testing the Configuration

    When using service provider initiated SAML authentication, your users must access the Mimecast Personal Portal using the regional URL. However, due to differences between each identity provider's implementation of SAML, only the URLs listed on the Global SAML URLs and Audience Values page are supported.

    To test your configuration and verify that your Authentication Profile has been configured correctly:

    1. Open a web browser.
    2. Navigate to the Mimecast Personal Portal URL.
    3. Enter your Primary Email Address. You should be redirected to your AD FS log in URL specified in the Authentication Profile.
    4. If required, log in to your AD FS environment. You should be redirected to the Mimecast Personal Portal and granted access.

     

    To test Identity Provider Initiated Sign On:

    1. Navigate to your AD FS login page and log in.
    2. From the published applications page, select the Mimecast Personal Portal application you've created. You should be redirected to the Mimecast Personal Portal and granted access.