Configuring Single Sign-on for End User Applications using AD FS

Document created by user.oxriBaJeN4 (Employee) on Dec 14, 2015. Last modified by user.oxriBaJeN4 (Employee) on Sep 15, 2017. Version 22.

This guide explains how to configure Single Sign-On for the End User Applications using Active Directory Federation Services (AD FS) as an Identity Provider.

Single Sign-On is supported in the following Mimecast End User Applications:

  • Mimecast for Outlook 6.1 and later
  • Mimecast Mobile 3.1 and later
    • Windows Phone is not supported
  • Mimecast for Mac 2.4 and later
  • Mimecast Partner Portal

 

Before enabling this setting, read the Understanding Enforce SAML Authentication for End User Applications guide to learn about its impact.

Supported AD FS Versions

 

Version    Host Operating System
4.0        Windows Server 2016
           Windows Server 2012 R2
           Windows Server 2012
3.0        Windows Server 2012 R2
2.1        Windows Server 2012
2.0        Windows Server 2008 R2

 

Configuring AD FS

 

Create a Relying Party Trust

 

To create a relying party trust:

  1. On your AD FS server, open the AD FS Management Console.
  2. Expand the Trust Relationships node.
  3. Select Relying Party Trusts.
  4. Select Add Relying Party Trust... from the Actions pane on the right-hand side of the AD FS Management Console.
  5. On the Select Data Source page of the wizard, select Enter data about the relying party manually and click Next.

    [Screenshot: AD_FS_Select_Data_Source_Manual.png]
  6. Enter a display name, for example "Mimecast End User Apps" and click Next.
  7. Leave the default AD FS Profile selected and click Next.
  8. Leave the Configure a certificate page blank and click Next.
  9. Leave the Configure URL page blank and click Next.
  10. Enter a Relying Party Trust Identifier. Use the value for the region where your Mimecast account is hosted from the table below:

    Region          Value
    Europe          eu-api.mimecast.com.ACCOUNTCODE
    United States   us-api.mimecast.com.ACCOUNTCODE
    South Africa    za-api.mimecast.com.ACCOUNTCODE
    Australia       au-api.mimecast.com.ACCOUNTCODE
    Offshore        jer-api.mimecast.com.ACCOUNTCODE

    Where ACCOUNTCODE is your unique Mimecast account code as specified in the Administration | Account | Account Settings menu item in the Administration Console.
    Due to a limitation in AD FS, if you've configured Relying Party Trusts for both Mimecast Personal Portal and the End User Applications, ensure the identifier entered for each trust is unique. In most cases you can accomplish this by having the ACCOUNTCODE portion all upper case on one and all lower case on the other.
  11. Permit all users to access the relying party trust and click Next.
  12. Complete the wizard by selecting Next and then Finish.
  13. Right click the newly created trust, select Properties, and then navigate to the Endpoints tab.

    [Screenshot: adfs_endpoints.png]
  14. Select Add.
  15. In the Add an Endpoint dialog, configure the settings to support Service Provider Initiated authentication:
    1. Select SAML Assertion Consumer as the Endpoint Type.
    2. Select POST as the Binding.
    3. Select Set the trusted URL as default.
    4. Leave the Index set to 0.
    5. Enter the Trusted URL. Use the value for the region where your Mimecast account is hosted from the table below:

    6. Select OK.
  16. Select OK to complete the configuration.

 

Edit Claims Rules

  1. From the Trust Relationships | Relying Party Trusts node, select the previously created Relying Party Trust.
  2. Select Edit Claims Rules... from the Actions pane to launch the Edit Claims Rules dialog box.
  3. On the Issuance Transform Rules tab, select the Add Rule... button:

    [Screenshot: AD_FS_Claims_Rule_Issuance_Transform.png]
  4. Leave the default Send LDAP Attributes as Claims selected and select Next.
  5. Enter a name for the Claim Rule, for example, Email Address as Name ID.
  6. Select Active Directory as your Attribute store.
  7. Add the following rule as displayed in the table below:

    LDAP AttributeOutgoing Claim Type
    Email AddressesName ID
  8. Once complete your Claims Rule should look like this:

    [Screenshot: adfs_claim_example.png]
  9. Select Finish to complete the configuration.
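The two AD FS procedures above (Create a Relying Party Trust and Edit Claims Rules) can be reproduced with the AD FS PowerShell module. This is an added example, not a script from the Mimecast guide; it assumes the Europe region identifier with the placeholder ACCOUNTCODE, and because the Trusted URL table is not present on this page, the endpoint URL is left as the placeholder <MIMECAST_TRUSTED_URL>.

```powershell
# Added example: builds the same trust and claim rule the wizard steps create.
# Assumptions: Europe region, ACCOUNTCODE and <MIMECAST_TRUSTED_URL> are placeholders.
Import-Module ADFS

$displayName = 'Mimecast End User Apps'
$identifier  = 'eu-api.mimecast.com.ACCOUNTCODE'   # from the region table in step 10
$trustedUrl  = '<MIMECAST_TRUSTED_URL>'             # placeholder: value not given on this page

# SAML Assertion Consumer endpoint, POST binding, index 0, set as default (step 15).
$acsEndpoint = New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST `
    -Uri $trustedUrl -Index 0 -IsDefault $true

# Claim rule equivalent to "Send LDAP Attributes as Claims" with the
# Email Addresses LDAP attribute (mail) mapped to the Name ID claim type.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Address as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# "Permit all users to access the relying party trust" (step 11).
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $displayName -Identifier $identifier `
    -SamlEndpoint $acsEndpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Check: exactly one trust should carry this identifier (see the uniqueness
# note under step 10); the comparison is case-sensitive on purpose.
Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -ccontains $identifier } |
    Select-Object Name, Identifier, @{ n = 'AcsEndpoint'; e = { $_.SamlEndpoints.Location } }
```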

 

Configure Mimecast Settings

 

Now that your AD FS server is configured to support the integration, you need to create or update a Mimecast Authentication Profile.

 

SAML Settings

 

To configure the SAML Settings:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Authentication Profiles button.
    [Screenshot: Authentication_Profiles_Button.png]
  5. Select an existing Authentication Profile to update or select the New Authentication Profile button to create a new one.
  6. Enter a Description for the new profile.
  7. Select Enforce SAML Authentication for End User Applications.

    [Screenshot: Authentication Profile End User Apps.png]
  8. The screen expands to reveal the SAML Settings:

    [Screenshot: Authentication Profile End User Apps Expanded.png]
  9. Select AD FS from the Provider drop down list.
  10. Enter the Federation Metadata URL of your AD FS environment and select Import to automatically populate all of the required settings.
    • If Mimecast cannot reach this URL you can enter the Issuer URL, Login URL, and Identity Provider Certificate (Metadata) values manually. When populating the Identity Provider Certificate you must trim the Begin and End tags from the certificate metadata.
  11. Optionally select Monitor Metadata URL. This option requires a valid Metadata URL and will check that your Authentication Profile contains the current Identity Provider certificate and settings. The feature is designed to prevent unexpected issues when these settings change in AD FS.
    Checks are made at most once per day and are initiated when a user logs in. If no user with this Authentication Profile applied logs in on a given day, the metadata is not checked that day.
  12. Do not specify the Logout URL. Mimecast only supports basic URL redirect logout methods. AD FS is known to require a more advanced method that is not currently supported.
  13. Optionally define which Authentication Context to use. By default both password protected and integrated contexts are used.
    These settings define the AuthNContextClass that is used in the SAML request provided by Mimecast and sent to your AD FS login URL. Mimecast supports the Password Protected Transport and Windows Integrated contexts or a combination of both.
  14. Optionally select Allow Single Sign On. This setting enables or disables Identity Provider Initiated Sign On.
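Steps 10 and 11 rely on the AD FS federation metadata document. The following added example (not part of the Mimecast guide) reads that document and returns the values the profile needs when the import cannot be used (Issuer URL, Login URL, and the signing certificate with the Begin and End tags removed), and flags the certificate drift that Monitor Metadata URL is designed to catch. It assumes adfs.example.com as a placeholder host name and an optional expected thumbprint taken from the currently configured profile.

```powershell
# Added example: reads AD FS federation metadata and reports the settings
# the Mimecast Authentication Profile imports. 'adfs.example.com' is a placeholder.
function Get-AdfsMetadataForMimecast {
    param(
        [string]$AdfsHost = 'adfs.example.com',   # placeholder: your AD FS host
        [string]$ExpectedThumbprint                # optional: thumbprint in the current profile
    )
    # Well-known AD FS metadata path, the "Federation Metadata URL" of step 10.
    $url = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
    [xml]$md = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content

    $idp = $md.EntityDescriptor.IDPSSODescriptor
    # Login URL: AD FS publishes the same /adfs/ls/ location for POST and Redirect.
    $loginUrl = ($idp.SingleSignOnService |
        Where-Object Binding -eq 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST').Location

    # One entry per signing key; AD FS lists two during certificate rollover.
    $signing = foreach ($kd in ($idp.KeyDescriptor | Where-Object use -eq 'signing')) {
        # Base64 body only, i.e. the certificate without BEGIN/END tags (step 10 note).
        $b64  = ($kd.KeyInfo.X509Data.X509Certificate -replace '\s', '')
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [Convert]::FromBase64String($b64))
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter      # watch this date: logins fail once it passes
            Subject    = $cert.Subject
            Base64     = $b64
        }
    }

    [pscustomobject]@{
        IssuerUrl   = $md.EntityDescriptor.entityID
        LoginUrl    = $loginUrl
        SigningKeys = $signing
        # $true when the certificate stored in the Authentication Profile is no
        # longer one AD FS publishes, the condition Monitor Metadata URL watches for.
        Drift       = [bool]($ExpectedThumbprint -and
                             ($signing.Thumbprint -notcontains $ExpectedThumbprint))
    }
}

# Example call; <CURRENT_THUMBPRINT> is a placeholder for the configured certificate.
Get-AdfsMetadataForMimecast -AdfsHost 'adfs.example.com' -ExpectedThumbprint '<CURRENT_THUMBPRINT>'
```

Compare IssuerUrl, LoginUrl and Base64 against the manually entered profile fields; a Drift value of $true means the profile needs re-importing before the old certificate stops validating assertions.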

 

Optionally Define Permitted IP Ranges

 

To add an additional layer of security Mimecast provides optional Permitted IP Range settings for the Administration Console, End User Applications, and Gateway authentication attempts.

 

To configure Permitted IP ranges for the Administration Console:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Account Settings menu item.
  4. Open the User Access and Permissions section.
  5. In the Admin IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.

 

To configure Permitted IP Ranges for End User Applications:

  1. Select the check box to enable Permitted Application Login IP Ranges.
  2. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.

 

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Select the check box to enable Permitted Gateway Login IP Ranges.
  2. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges from which access is permitted, in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.

 

Other Options

 

An Authentication Profile is applied to a group of users and a user can only have one effective profile at a given time. Consequently you may want to add additional authentication options to your Authentication Profile. Please see the Authentication Options space for information on other authentication methods.

 

Apply the Authentication Profile to an Application Setting

 

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu.
  4. Select the Application Setting that you want to use.
  5. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
    [Screenshot: Application_Settings_select_Authentication_Profile.png]
  6. Select Save and Exit to apply the change.

 

Next Steps

 

To test your configuration and verify that your Authentication Profile has been configured correctly:

 

Mimecast for Outlook

Applies to Mimecast for Outlook v6.2 and later.
  1. Open Outlook.
  2. If the logged-in user signed in to the computer with a domain account, your AD FS login URL is in the Internet Explorer Intranet security zone, and the Outlook profile uses the same domain account:
    • Mimecast for Outlook 6.2 and later will attempt to automatically authenticate the user with your organization's AD FS server. There is a timeout of 15 seconds on this attempt.
    • If successful the user will be authenticated with Mimecast and granted access to the application.
    • If unsuccessful the user will receive a notification and should complete the following steps:
  3. Open the Account Options dialog from the Mimecast ribbon or by clicking the Status Panel in the bottom left of the Outlook window.
  4. The user should see the Single Sign-On button available to be selected.
  5. Click the Single Sign-On button followed by the Login button and you'll be redirected to your AD FS Login URL.
  6. Once successfully authenticated you'll return to the Account Options page and see that the status is Validated.

 

Mimecast Mobile / Mimecast for Mac

Applies to Mimecast Mobile v3.1 and later and Mimecast for Mac v2.4 and later.
  1. Open the application.
  2. Enter your Email Address.
  3. Click on the Next button. You'll be redirected to your Identity Provider login URL. Once authenticated using Active Directory, you'll be granted access to Mimecast.

 

Mimecast Partner Portal

 

  1. Go to the Mimecast Partner Portal logon page.
  2. Enter your Email Address.
  3. Click on the Next button. You'll be redirected to your Identity Provider login URL. Once authenticated using Active Directory, you'll be granted access to Mimecast.