Configuring Single Sign-On for the Mimecast Personal Portal Using Microsoft Azure AD

Document created by user.oxriBaJeN4 Employee on Dec 30, 2015. Last modified by user.oxriBaJeN4 Employee on Jul 25, 2017.
Version 11

This guide describes the process to enable your users to use Single Sign-On to log in to the Mimecast Personal Portal v3 using Microsoft Azure Active Directory (AD) as the Identity Provider.

When using Azure AD, the UPN and primary email address must be the same for SSO to work, as mentioned in the following Microsoft support article:

https://support.microsoft.com/en-us/kb/2392130

Supported Configurations

Service Provider Initiated SAML

When Microsoft Azure AD is the Identity Provider, Mimecast supports Service Provider Initiated Single Sign-On only. In this model:

  • Users will navigate to the Mimecast Personal Portal in a web browser.
  • To start the login process, users must enter their primary email address.
  • The user will then be redirected to Microsoft Azure.
  • Depending on the user's status, the browser used, and your environment, Microsoft Azure will decide whether the user is already authenticated.
  • If Microsoft Azure decides that the user is authenticated, the user will be redirected back to the Mimecast Personal Portal and granted access.
  • If Microsoft Azure decides that the user is not authenticated, they will need to log in to Microsoft Azure before being redirected back to the Mimecast Personal Portal and granted access.

Azure My Apps Portal

When you create an application in Microsoft Azure AD, the application can be published to the Azure My Apps portal. After following the steps in this guide, the following behaviour is supported:

  • Users navigate to the Azure My Apps portal and login.
  • Users select the Mimecast application and are redirected to the Mimecast login page.
  • Users must then enter their primary email address and select Next.
  • The user's web browser will be redirected back to Microsoft Azure and then immediately redirected back to the Mimecast application and granted access, as the user is already authenticated with Microsoft Azure.

Authentication Contexts

An Authentication Context is defined as part of the SAML request generated by Mimecast and posted to Microsoft Azure after the user enters their primary email address in the Mimecast application.

When integrating with Microsoft Azure, Mimecast supports the following contexts:

  • Password Protected
  • Windows Integrated
  • None

The decision on which context to use depends on how your organization is set up.

Organization Setup: Microsoft Azure AD / Office 365 standalone
Recommended Authentication Context: Password Protected
Expected behavior: Regardless of the web browser used, users should be logging in to Microsoft Azure using a combination of their email address and a password.

Organization Setup: Microsoft Azure AD / Office 365 federated with an on-premises AD FS environment
Recommended Authentication Context: None
Expected behavior: In this environment users will typically be using Internet Explorer on a domain-joined computer and expecting Windows Integrated authentication to take care of access to your organization's applications.

We recommend not setting an Authentication Context in this scenario, to maintain flexibility for users to use different web browsers and devices to access the Mimecast application.

Explicitly setting Password Protected in this environment is likely to break users' access when using Internet Explorer.

Equally, explicitly setting Windows Integrated in this environment is likely to break users' access when using other web browsers or devices.

Preparing Azure AD

Before you can configure the Mimecast settings, an Azure AD application must exist to accept Service Provider Initiated SAML requests from Mimecast. If you have previously done this for another Mimecast application, copy the Metadata URL from the previous setting and use it on the new application. Once completed, import the certificate.

If you haven't created an Azure AD application:

  1. Log in to the Microsoft Azure management portal.
  2. Select your organization's Active Directory.
  3. Select Applications.
  4. A list of your organization's applications is displayed.
  5. Select to add an application from the action bar at the bottom of the screen. A wizard is launched.
  6. Select Add an application my organization is developing.
  7. Enter a name for the application, for example, "Mimecast MPP" and leave the Web Application and/or web api Type selected. Select to continue.
  8. Complete the App Properties page.
  9. Select the tick icon to complete the configuration.
  10. Select the newly created application from the list of Azure Applications. The application dashboard is displayed.
  11. Select the Enable Users to sign on link from the Get Started section.
  12. Note the FEDERATION METADATA DOCUMENT URL link. This is used in the next section to configure the Mimecast settings.

Add Support for Azure My Apps Portal (Optional)

For the Azure My Apps portal workflow to function as described in the Supported Configurations section above, follow these steps:

  1. While signed in to the Microsoft Azure Management Portal navigate to your Active Directory.
  2. Select Applications.
  3. Select the application you have created for the Mimecast Personal Portal.
  4. Select the CONFIGURE option.
  5. Update the SIGN-ON URL to the Mimecast Personal Portal URL for your region.
  6. Select Save.

Configuring Mimecast Settings

Once Microsoft Azure is set up to support Single Sign-On, you need to configure a Mimecast Authentication Profile. The profile is then applied, through the Application Settings feature, to the users you want to use Single Sign-On.

SAML Settings

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu.
  4. Click on the Authentication Profiles button.
  5. Either:
    • Select an existing Authentication Profile to update it.
    • Click on the New Authentication Profile button to create a new one.
  6. Enter a Description for the new profile.
  7. Select Enforce SAML Authentication for Mimecast Personal Portal.
  8. The screen expands to reveal the SAML Settings.
  9. Select Azure Active Directory from the Provider drop down list.
  10. Enter the Federation Metadata URL copied at the end of the Preparing Azure AD section and select Import.
    • Mimecast has observed that Azure AD typically hosts more than one Identity Provider Certificate.
    • In this situation you are presented with a screen allowing you to select which certificate you would like to use.
    • Select the certificate with the latest Expire On date.
    • The Issuer URL, Login URL, and Identity Provider Certificate Metadata is automatically added to your Authentication Profile.
  11. Select Monitor Metadata URL. This option requires a valid Metadata URL and checks that your Authentication Profile contains the current Identity Provider certificate and settings. The feature is designed to prevent unexpected issues when these settings change at the Identity Provider.
    Whilst selecting this option isn't necessary in order to properly configure Azure SAML, it greatly increases the chances of success. If not selected, it is necessary to correctly select a certificate presented by Microsoft.
  12. Do not specify the Logout URL. Mimecast only supports basic URL redirect logout methods. Azure AD is known to require a more advanced method that is not currently supported.
  13. Choose which Authentication Context to use. See the Authentication Contexts part of the Supported Configurations section in this guide to help you decide which setting to use. You may select at most one context here.
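
As an added illustration (not Mimecast's own code) of what the Authentication Context setting changes in the SAML request described in the Supported Configurations section, the Python below builds the Service Provider Initiated AuthnRequest for each of the three options and decodes a posted SAMLRequest field to show which context it carries. The Issuer, Destination and AssertionConsumerServiceURL values are placeholders, and the mapping from the profile options to the standard SAML/AD FS class URIs is an assumption of the example.

```python
import base64
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard SAML 2.0 / AD FS class URIs. It is an assumption of this example
# that Mimecast's "Password Protected" and "Windows Integrated" options map to
# these; "None" omits the RequestedAuthnContext element entirely.
AUTHN_CONTEXTS = {
    "Password Protected": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "Windows Integrated": "urn:federation:authentication:windows",
    "None": None,
}

def build_authn_request(issuer, acs_url, destination, context="None"):
    """Return the SP-initiated AuthnRequest XML for the chosen Authentication Context."""
    if context not in AUTHN_CONTEXTS:
        raise ValueError(f"unsupported Authentication Context: {context}")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,              # the profile's Login URL (placeholder)
        "AssertionConsumerServiceURL": acs_url,  # where Azure posts the response (placeholder)
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    class_ref = AUTHN_CONTEXTS[context]
    if class_ref is not None:
        # Comparison="exact" tells the IdP it must satisfy this class, which is
        # why a wrong choice breaks sign-in for browsers that cannot meet it.
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(root, encoding="unicode")

def post_binding_field(authn_request_xml):
    """SAMLRequest form-field value for the HTTP-POST binding: plain base64 of the XML."""
    return base64.b64encode(authn_request_xml.encode()).decode()

def requested_context(saml_request_field):
    """Decode a captured SAMLRequest field and return the class it asks for, or None.
    Handy for checking a browser trace against the profile's Authentication Context."""
    root = ET.fromstring(base64.b64decode(saml_request_field))
    node = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return node.text if node is not None else None
```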

 

Defining Permitted IP Ranges

To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for the Administration Console, End User Applications, and Gateway authentication attempts.

To configure Permitted IP Ranges for the Administration Console:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Account | Account Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  5. Click Save to apply the new settings.

To configure Permitted IP Ranges for End User Applications:

  1. Select the check box to enable Permitted Application Login IP Ranges.
  2. In the Permitted Application Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Select the check box to enable Permitted Gateway Login IP Ranges.
  2. In the Permitted Gateway Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.
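
The three Permitted IP Range boxes above all take public ranges in CIDR form, one per line. The following is an added Python example, not Mimecast's code, that validates such a list the way an administrator would want before saving it: it rejects malformed lines, non-public ranges (which can never match, since the login arrives from the user's public address) and a catch-all /0, and checks that the administrator's own current address is still permitted so the change cannot lock them out. The non-public list and the sample ranges are constructed for the example.

```python
import ipaddress

# Address space that cannot be a user's public source address (constructed
# list for this example; private, CGNAT, loopback, link-local, multicast).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # carrier-grade NAT
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",     # "this" net, loopback, link-local
    "224.0.0.0/4", "240.0.0.0/4",                     # multicast, reserved
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, ULA, link-local
)]

def parse_permitted_ranges(text):
    """Parse the text-box contents (one CIDR range per line).
    Returns (accepted networks, list of (line number, entry, reason) rejections)."""
    networks, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set, e.g. 203.0.113.5/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not a valid CIDR range"))
            continue
        if net.prefixlen == 0:
            rejected.append((lineno, entry, "matches every address; no restriction"))
        elif any(net.overlaps(np) for np in NON_PUBLIC if np.version == net.version):
            rejected.append((lineno, entry, "overlaps non-public address space"))
        else:
            networks.append(net)
    return networks, rejected

def login_permitted(source_ip, networks):
    """True if a login from source_ip would pass the Permitted IP Range check."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

def safe_to_save(text, admin_egress_ip):
    """Guard against admin lock-out: accept the list only if it parses cleanly
    and still contains the address the administrator is currently using."""
    networks, rejected = parse_permitted_ranges(text)
    return not rejected and login_permitted(admin_egress_ip, networks)
```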

 

Other Options

An Authentication Profile is applied to a group of users, and a user can only have one effective profile at a given time. Consequently you may want to add additional authentication options to your Authentication Profile. See the Authentication Options space for information on other authentication methods.

Applying the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Log in to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
  5. Select Save and Exit to apply the change.

Testing Your Configuration

When using service provider initiated SAML authentication, your users must access the Mimecast Personal Portal using the regional URL. However, due to the differences between each identity provider's implementation of SAML, only the URLs listed in the Global SAML URLs and Audience Values page are supported.

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open a web browser and navigate to the Mimecast Personal Portal.
  2. Enter your primary email address.
  3. You should be redirected to the Microsoft Azure Login URL specified in the Authentication Profile.
  4. If required, log in to Microsoft Azure.
  5. You should then be redirected to the Mimecast Personal Portal and granted access.
