Mimecast Personal Portal: Configuring Single Sign-On Using Microsoft Azure AD

Document created by user.oxriBaJeN4 (Employee) on Dec 30, 2015. Last modified by user.oxriBaJeN4 (Employee) on Aug 21, 2017. Version 16.

This guide describes how to enable your users to use Single Sign-On (SSO) to log in to the Mimecast Personal Portal using Microsoft Azure Active Directory (AD) as the identity provider.

When using Azure AD, the UPN and primary email address must be the same for SSO to work. See the Microsoft support article https://support.microsoft.com/en-us/kb/2392130 for further details.

  

Supported Configurations

 

Service Provider Initiated SAML

 

Mimecast supports service provider initiated SSO only when using Microsoft Azure AD as an identity provider. With this model:

  • Users open Mimecast Personal Portal in a web browser.
  • Users enter their primary email address to start the log on process.
  • Users are redirected to Microsoft Azure.
  • Depending on the user's status, the browser used, and your environment, Microsoft Azure decides whether the user is already authenticated.
    • If Microsoft Azure decides the user is authenticated, the user is redirected back to Mimecast Personal Portal and granted access.
    • If Microsoft Azure decides the user isn't authenticated, they must log on to Microsoft Azure before being redirected back to the Mimecast Personal Portal and granted access.

 

Azure My Apps Portal

 

If you create an application in Microsoft Azure, it is possible for it to be published to the Azure My Apps portal. After following the steps in this guide the following behavior is supported:

  • Users navigate to the Azure My Apps portal and log on.
  • Users select the Mimecast application, and are redirected to the Mimecast log on page.
  • Users enter their primary email address and select Next.
  • The user's web browser is redirected to Microsoft Azure, and immediately redirected back to the Mimecast application and granted access, as they will already be authenticated with Microsoft Azure.

 

Authentication Contexts

 

An authentication context is defined as part of the SAML request generated by Mimecast, and posted to Microsoft Azure after the user enters their primary email address in the Mimecast application. When integrating with Microsoft Azure, Mimecast supports the following contexts:

  • Password Protected
  • Windows Integrated
  • None

 

The decision on which context to use depends on how your organization is set up.

Organization Setup: Microsoft Azure AD / Office 365 Standalone
Recommended Authentication Context: Password Protected
Expected behavior: Regardless of the web browser used, users should be logging on to Microsoft Azure using a combination of their email address and password.

Organization Setup: Microsoft Azure AD / Office 365 Federated with an On Premise ADFS Environment
Recommended Authentication Context: None
Expected behavior: Users will typically be using Internet Explorer on a domain joined computer, and expect Windows integrated authentication to manage access to your organization's applications. We recommend not setting an Authentication Context in this scenario for the following reasons:

  • Not doing so maintains flexibility for users to use different web browsers and devices to access the Mimecast application.
  • Setting Password Protected in this environment is likely to break users' access when using Internet Explorer.
  • Setting Windows Integrated in this environment is likely to break users' access when using other web browsers or devices.
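The following Python is an added example, not Mimecast's code, showing what the three authentication contexts above look like inside the service provider initiated AuthnRequest that is posted to Microsoft Azure. The mapping from the guide's context names to SAML AuthnContextClassRef URNs, the SP entity ID and the Azure AD endpoint are assumptions; the xx-api sign-on URL is the regional placeholder this guide uses.

```python
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed mapping of the guide's three context names to AuthnContextClassRef
# URNs (the standard SAML class for a password sent over TLS, and the
# federation URN used for Windows integrated authentication). "None" sends
# no RequestedAuthnContext at all and leaves the decision to Azure AD.
AUTHN_CONTEXTS = {
    "Password Protected": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "Windows Integrated": "urn:federation:authentication:windows",
    "None": None,
}


def build_authn_request(acs_url, sp_entity_id, idp_sso_url, context):
    """Return an SP-initiated AuthnRequest (as XML text) for the given context."""
    if context not in AUTHN_CONTEXTS:
        raise ValueError("unsupported authentication context: %r" % context)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex,  # XML IDs must not start with a digit
        "Version": "2.0",
        "IssueInstant": now,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, "{%s}Issuer" % SAML).text = sp_entity_id
    class_ref = AUTHN_CONTEXTS[context]
    if class_ref is not None:  # "None" context: omit the element entirely
        rac = ET.SubElement(root, "{%s}RequestedAuthnContext" % SAMLP, {"Comparison": "exact"})
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = class_ref
    return ET.tostring(root, encoding="unicode")


def requested_context(xml_text):
    """Return the AuthnContextClassRef carried by an AuthnRequest, or None if absent."""
    node = ET.fromstring(xml_text).find(
        "{%s}RequestedAuthnContext/{%s}AuthnContextClassRef" % (SAMLP, SAML))
    return None if node is None else node.text


def encode_for_post(xml_text):
    """Base64 the request for the SAMLRequest form field of the HTTP-POST binding."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
```

Inspecting the RequestedAuthnContext of a captured request is the quickest way to confirm which context a profile is actually sending when Azure AD rejects the login.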

 

Configuring / Creating an Azure AD Application

 

Before configuring your Mimecast settings, an Azure AD application must exist to accept Service Provider Initiated SAML requests from us.

 

If you've previously done this for another Mimecast application:

  1. Copy the Metadata URL from the previous setting.
  2. Use it on the new application.
  3. Import the certificate.


Creating an Azure AD Application

If you haven't created an Azure AD application:

  1. Create an application:
    Refer to the "Create an Azure Active Directory Application" section of the Create Identity for Azure App in Portal page in the Microsoft Azure AD documentation when completing this step.
    1. Enter a Name for the application (e.g. "Mimecast End User Applications")
    2. Select Web App / API from the Application Type option.
    3. Enter https://xx-api.mimecast.com/login/saml in the Sign-On URL field.
    4. Click on the Create button.
  2. Register the application:
    Refer to the How to Configure Azure Active Directory Authentication for your App Services Application page in the Microsoft Azure AD documentation when completing this step.

    The values entered depend on the Mimecast grid where your organization's Mimecast account is hosted.

  3. Note the Federation Metadata URL link. This is used in the next section to configure the Mimecast settings.

 

Add Support for Azure My Apps Portal (Optional)

 

In order for the workflow for the Azure My Apps portal to function as described above, follow these steps:

  1. Log on to the Microsoft Azure Management Portal.
  2. Navigate to your Active Directory.
  3. Select the application you have created for the Mimecast Personal Portal.
  4. Edit the application's SIGN-ON URL to the Mimecast Personal Portal URL for your region.
  5. Select Save.

 

Configuring Your Mimecast Settings

 

Once Microsoft Azure is set up to support Single Sign-On, you need to configure an authentication profile. This profile is applied, through the Application Settings feature, to the users you want to use Single Sign-On:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu.
  4. Click on the Authentication Profiles button.
  5. Either:
    • Select an Authentication Profile to update it.
    • Click on the New Authentication Profile button to create a new one.
  6. Enter a Description for the new profile.
  7. Select Enforce SAML Authentication for Mimecast Personal Portal.
  8. Complete the SAML Settings for Mimecast Personal Portal section as follows:
    • Provider: Azure Active Directory
    • Metadata URL: Enter the "Federation Metadata URL" copied when creating the Azure AD application, and click on the Import button.
      Azure AD typically hosts more than one Identity Provider Certificate. Where this is true, a dialog is displayed allowing you to select the certificate you want to use. Select the certificate with the latest Expire On date.
    • Monitor Metadata URL: Selected
      Selecting this isn't necessary, but it greatly increases the chances of success. If not selected, you must correctly select a certificate presented by Microsoft.
    • Logout URL: Leave blank. We only support basic URL redirect logout methods, whilst Azure AD is known to require a more advanced method.
  9. Select the Authentication Context to use.
  10. Click on the Save and Exit button.
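As an added example (not Mimecast's code), the following Python reads a federation metadata document of the kind the Metadata URL points to, lists the signing certificates Azure AD is advertising, and reports any that a profile does not yet trust, which is the situation Monitor Metadata URL exists to catch when Azure AD rolls its signing key. The metadata is a constructed sample: the tenant ID is a placeholder and the certificate values are base64 of labels rather than real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def _fake_cert(label):
    # Constructed stand-in for an X509Certificate value: base64 of a label,
    # not real DER. Real metadata carries the full certificate here.
    return base64.b64encode(label.encode()).decode()


# Constructed sample shaped like Azure AD federation metadata, advertising two
# signing certificates at once (the overlap window during key rollover).
SAMPLE_METADATA = """<EntityDescriptor xmlns="%s" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="%s"><X509Data>
      <X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="%s"><X509Data>
      <X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="%s"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % (MD, DS, _fake_cert("current-signing-cert"), DS, _fake_cert("next-signing-cert"), HTTP_POST)


def signing_cert_fingerprints(metadata_xml):
    """SHA-256 fingerprints (hex) of every signing certificate the IdP advertises."""
    fps = []
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(hashlib.sha256(der).hexdigest())
    return fps


def sso_post_location(metadata_xml):
    """The HTTP-POST SingleSignOnService URL the AuthnRequest is posted to."""
    for svc in ET.fromstring(metadata_xml).iter("{%s}SingleSignOnService" % MD):
        if svc.get("Binding") == HTTP_POST:
            return svc.get("Location")
    return None


def unconfigured_certs(metadata_xml, trusted_fps):
    """Advertised signing certs the profile does not trust yet; a non-empty
    result means a new certificate needs importing before the old one expires."""
    return [fp for fp in signing_cert_fingerprints(metadata_xml) if fp not in trusted_fps]
```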

 

Defining Permitted IP Ranges

 

To add an additional layer of security, we provide optional Permitted IP Range settings for the Administration Console, End User Applications, and Gateway authentication attempts.

 

To configure Permitted IP ranges for the Administration Console:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Account | Account Settings menu item.
  4. Open the User Access and Permissions section.
  5. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  6. Click Save to apply the new settings.

 

To configure Permitted IP Ranges for End User Applications:

  1. Select the check box to enable Permitted Application Login IP Ranges.
  2. In the Permitted Application Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.

 

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Select the check box to enable Permitted Gateway Login IP Ranges.
  2. In the Permitted Gateway Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.
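The Permitted IP Range text boxes above take one public CIDR range per line, and a single bad line (a host address with the wrong prefix, a private range, or 0.0.0.0/0) either fails to match or opens access far wider than intended. As an added example that is not Mimecast's code, the following Python validates such a list before it is saved and checks a login source address against it; the ranges and addresses are constructed samples.

```python
import ipaddress

# Address space that can never be a legitimate public login source. Python's
# own is_global would also exclude the RFC 5737 documentation ranges used in
# the constructed sample below, so the check is spelled out explicitly.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed text-box contents: two good ranges followed by four mistakes.
SAMPLE_RANGES = """\
203.0.113.0/24
198.51.100.128/25
10.0.0.0/8
192.0.2.5/24
0.0.0.0/0
not-a-range
"""


def parse_permitted_ranges(text):
    """Parse one CIDR range per line into (networks, problems).

    Anything that does not parse, has host bits set, or overlaps non-public
    space is reported rather than silently accepted, so a typo such as
    0.0.0.0/0 cannot widen access to the whole internet."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)  # strict rejects host bits
        except ValueError as exc:
            problems.append("line %d: %s" % (lineno, exc))
            continue
        non_public = (any(net.overlaps(p) for p in NON_PUBLIC_V4)
                      if net.version == 4 else not net.is_global)
        if non_public:
            problems.append("line %d: %s is not public address space" % (lineno, net))
            continue
        networks.append(net)
    return networks, problems


def is_permitted(source_ip, networks):
    """True if the login source address lies inside one of the permitted ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)
```

Running a known-good office egress address and a known-bad address through is_permitted before saving the list is a cheap way to avoid locking administrators out of the console.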

 

Other Options

 

An authentication profile is applied to a group of users, and a user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile. See the Authentication Options space for information on other authentication methods.

 

Applying the Authentication Profile to an Application Setting

 

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Application Setting that you want to use. Use the Lookup button to find the Authentication Profile you want to reference, and click the Select link on the lookup page.
    (Screenshot: Application_Settings_select_Authentication_Profile.png)
  5. Click on the Save and Exit button.

 

Testing Your Configuration

When using service provider initiated SAML authentication, your users must access the Mimecast Personal Portal using the regional URL. However due to the differences between each identity provider's implementation of SAML, only the URLs mentioned in the Global SAML URLs and Audience Values page are supported.

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open a web browser and navigate to the Mimecast Personal Portal.
  2. Enter your primary email address.
  3. You should be redirected to the Microsoft Azure Login URL specified in the Authentication Profile.
  4. If required, log on to Microsoft Azure.
  5. You should be redirected to the Mimecast Personal Portal and granted access.
