Configuring Single Sign-On for End User Applications Using Microsoft Azure AD

Document created by user.oxriBaJeN4 (Employee) on Dec 30, 2015. Last modified by user.oxriBaJeN4 (Employee) on Nov 1, 2017. Version 19.

This guide describes the process to enable your users to use single sign-on to log in to end user applications using Microsoft Azure AD as the Identity Provider.


Introduction

Mimecast identifies a user by their primary email address, so the SAML assertion must carry that address. If a user's UPN and primary email address differ, single sign-on will only work if you're using Azure AD Premium, which lets you change the identifier claim Azure AD issues away from the UPN. See the Troubleshoot User Name Issues That Occur for Federated Users When They Sign in to Office 365 page on the Microsoft website for further detail. If you aren't using Azure AD Premium, each user's UPN and primary email address must be identical for single sign-on to work.

Single sign-on is supported in the following end user applications:

  • Mimecast for Outlook 6.1 and later.
  • Mimecast Mobile 3.1 and later. Windows Phone is not supported.
  • Mimecast for Mac 2.4 and later.
  • Mimecast Partner Portal.
We recommend reading the Understanding Enforce SAML Authentication for End User Applications page to learn about the impact of enabling single sign-on.

Walkthrough


Configuring / Creating an Azure AD Application


Before you can configure the Mimecast settings, an Azure AD application must exist to accept service provider initiated SAML requests from Mimecast. If you've previously created one for another Mimecast application:

  1. Copy the Metadata URL from the previous setting and use it on the new application.
  2. Import the certificate.


Creating an Azure AD Application

If you haven't created an Azure AD application:

  1. Create an application:
    Refer to the "Create an Azure Active Directory Application" section of the Create Identity for Azure App in Portal page in the Microsoft Azure AD documentation when completing this step.
    1. Enter a Name for the application (e.g. "Mimecast End User Applications")
    2. Select Web App / API from the Application Type option.
    3. Enter https://xx-api.mimecast.com/login/saml in the Sign-On URL field, where xx is your location code: "eu" for Europe, "us" for United States, "za" for South Africa, "au" for Australia, or "jer" for Offshore.
    4. Click on the Create button.
  2. Register the application:
    Refer to the How to Configure Azure Active Directory Authentication for your App Services Application page in the Microsoft Azure AD documentation when completing this step.

    The values entered depend on the Mimecast grid where your organization's Mimecast account is hosted.

    1. Set the Home Page URL using the value for your grid from the table below.
    2. Set the App ID URL using the value for your grid from the table below.

      Region          Value
      Europe          https://eu-api.mimecast.com/sso/ACCOUNTCODE
      United States   https://us-api.mimecast.com/sso/ACCOUNTCODE
      South Africa    https://za-api.mimecast.com/sso/ACCOUNTCODE
      Australia       https://au-api.mimecast.com/sso/ACCOUNTCODE
      Offshore        https://jer-api.mimecast.com/sso/ACCOUNTCODE

      ACCOUNTCODE is your unique Mimecast account code, as shown in the Administration | Account | Account Settings page of the Administration Console.

    3. Note the Federation Metadata Document link. This is used in the next section to configure the Mimecast settings.


Configuring Mimecast Settings


Once you have an Azure AD application to support single sign-on, you need to configure an Authentication Profile. The profile is applied to the users who should use single sign-on by referencing it from an Application Setting (see "Applying the Authentication Profile to an Application Setting" below).


SAML Settings


  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Authentication Profiles button.
  5. Either:
    • Select an Authentication Profile to change it.
    • Click on the New Authentication Profile button to create a new one.
  6. Enter a Description for the new profile.
  7. Ensure the Enforce SAML Authentication for End User Applications option is selected.
  8. Complete the SAML Configuration for End User Applications section, using the following settings:

    Provider
      Azure Active Directory.

    Metadata URL
      Enter the Federation Metadata Document link noted in step 2c of the "Configuring / Creating an Azure AD Application" section above, and click on the Import button.

      Azure AD typically hosts more than one Identity Provider certificate. In this situation you're presented with a screen allowing you to select which certificate to use. Select the certificate with the latest Expire On date. The Issuer URL, Login URL, and Identity Provider Certificate metadata are then added to your Authentication Profile automatically.

    Monitor Metadata URL
      Recommended. This requires a valid Metadata URL, and checks that your Authentication Profile still contains the current Identity Provider certificate and settings. The feature is designed to prevent unexpected failures when these settings change at the Identity Provider.

      Selecting this option isn't strictly necessary to configure Azure SAML, but it greatly increases the chances of success. If it isn't selected, you must select the correct certificate presented by Microsoft yourself, and re-import the metadata whenever that certificate changes.

    Logout URL
      Don't specify a value. Mimecast only supports basic URL redirect logout methods; Azure AD requires a more advanced method that is not currently supported.

    Allow Single Sign On
      Select this option.

    Use Password Protected Context
    Use Integrated Authentication Context
      Deselect both options.
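The Monitor Metadata URL option above amounts to re-reading Azure AD's federation metadata and comparing it with what the profile holds. The following is an added example written for this page, not Mimecast's or Microsoft's code: it parses a constructed federation metadata document of the shape Azure AD publishes, extracts the issuer, the HTTP-Redirect login URL and the SHA-256 thumbprint of every signing certificate, and reports whether the certificate, issuer and login URL stored in a profile still match. It does not read certificate validity dates (that needs an X.509 parser), so the "latest Expire On" choice above remains yours. The tenant ID, URLs and certificate blobs are placeholders.

```python
"""Parse an Azure AD federation metadata document and check it against the
values an Authentication Profile holds.  Added example, not Mimecast code;
the tenant ID, URLs and certificate blobs below are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholders: a zero tenant ID and two "certificates" that are
# just base64 of marker bytes, standing in for the DER blobs Azure AD publishes.
TENANT = "00000000-0000-0000-0000-000000000000"
CERT_1 = base64.b64encode(b"constructed placeholder certificate 1").decode()
CERT_2 = base64.b64encode(b"constructed placeholder certificate 2").decode()

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{tenant}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{c1}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{c2}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{tenant}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{tenant}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(tenant=TENANT, c1=CERT_1, c2=CERT_2)


def fingerprint(cert_b64: str) -> str:
    """SHA-256 thumbprint of the DER bytes carried in an X509Certificate element."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract issuer, HTTP-Redirect login URL and signing-cert thumbprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(fingerprint(cert.text))

    login_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_REDIRECT:
            login_url = sso.get("Location")

    return {"issuer": root.get("entityID"), "login_url": login_url, "certificates": certs}


def check_profile(profile: dict, metadata: dict) -> list:
    """Return a list of drift findings; an empty list means the profile is current."""
    findings = []
    if profile["issuer"] != metadata["issuer"]:
        findings.append("issuer changed: %s -> %s" % (profile["issuer"], metadata["issuer"]))
    if profile["login_url"] != metadata["login_url"]:
        findings.append("login URL changed: %s -> %s" % (profile["login_url"], metadata["login_url"]))
    if not (metadata["login_url"] or "").startswith("https://"):
        findings.append("login URL is not https; users would be redirected over plaintext")
    if profile["certificate"] not in metadata["certificates"]:
        findings.append("certificate %s... is no longer published; re-import the metadata"
                        % profile["certificate"][:16])
    return findings


if __name__ == "__main__":
    current = parse_idp_metadata(SAMPLE_METADATA)
    stored = {"issuer": current["issuer"], "login_url": current["login_url"],
              "certificate": fingerprint(CERT_1)}
    print("profile current:", check_profile(stored, current) == [])
    stored["certificate"] = "00" * 32          # simulate a rotated IdP certificate
    print("after rotation:", check_profile(stored, current))
```

If Monitor Metadata URL is left unselected, running a check like this on a schedule against your tenant's Federation Metadata Document URL is the manual substitute: a non-empty findings list means the metadata should be re-imported before users start failing to log in.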


Optionally Define Permitted IP Ranges


To add an additional layer of security, Mimecast provides optional permitted IP range settings for the administration console, end user applications, and gateway authentication attempts.


To configure permitted IP ranges for the administration console:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Account | Account Settings menu item.
  4. Expand the User Access and Permissions section.
  5. In the Admin IP Ranges text box, enter the public IP address ranges from which administrators may log on, in CIDR format, one range per line. Make sure the public address you are currently connecting from falls inside one of the ranges, otherwise you lock yourself out of the Administration Console when you save.
  6. Select Save to apply the new settings.


To configure permitted IP ranges for end user applications, in the Authentication Profile:

  1. Select the Permitted Application Login IP Ranges option.
  2. In the Permitted Application Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.


To configure permitted IP ranges for gateway authentication using SMTP or POP, also in the Authentication Profile:

  1. Select the Permitted Gateway Login IP Ranges option.
  2. In the Permitted Gateway Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.
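Because a range pasted into these boxes is applied as written, it pays to validate the list before saving it. The following is an added example, not Mimecast's code: it checks a constructed list of CIDR ranges the way a careful administrator would, rejecting entries with host bits set, a zero-length prefix that would permit everyone, and RFC 1918, loopback or link-local ranges that can never be a client's public source address, and then tests a few login source addresses against the surviving ranges. The sample addresses come from the RFC 5737 and RFC 3849 documentation ranges; the list of non-public ranges is the example's own.

```python
"""Validate the CIDR list for a Mimecast permitted-IP-range box and test a
login source address against it.  Added example, not Mimecast code; the
sample ranges are constructed from documentation addresses."""
import ipaddress

# Ranges a client can never present as its public source address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
)]

# Constructed sample: what an administrator might paste, one range per line.
SAMPLE_RANGES = """\
203.0.113.0/24
198.51.100.42/32
10.0.0.0/8
192.0.2.5/24
0.0.0.0/0
"""


def parse_permitted_ranges(text: str):
    """Return (networks, problems). A range with a problem is left out, so the
    caller can refuse to save rather than silently shrink or widen the list."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=True rejects "192.0.2.5/24": host bits are set, so the author
            # probably meant either 192.0.2.5/32 or 192.0.2.0/24.
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            problems.append("line %d: %s" % (lineno, exc))
            continue
        if net.prefixlen == 0:
            problems.append("line %d: %s permits every address and defeats the control"
                            % (lineno, net))
            continue
        if any(net.version == p.version and net.subnet_of(p) for p in NON_PUBLIC):
            problems.append("line %d: %s is not a public range; logins arrive from "
                            "your public egress address" % (lineno, net))
            continue
        networks.append(net)
    return networks, problems


def login_permitted(source_ip: str, networks) -> bool:
    """True if the connecting address falls inside any permitted range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, problems = parse_permitted_ranges(SAMPLE_RANGES)
    for p in problems:
        print("reject:", p)
    for ip in ("203.0.113.77", "198.51.100.43", "2001:db8::1"):
        print(ip, "permitted" if login_permitted(ip, nets) else "blocked")
```

The same check applies to all three boxes; the difference is only who gets locked out when the list is wrong: administrators for Admin IP Ranges, every end user application for Permitted Application Login IP Ranges, and SMTP/POP clients for Permitted Gateway Login IP Ranges.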


Other Options


An authentication profile is applied to a group of users, but a user can only have one effective profile at a given time. Consequently you may want to add additional authentication options to your Authentication Profile. See the Authentication Options space for information on other authentication methods.


Applying the Authentication Profile to an Application Setting


Once your authentication profile is complete, you must reference it in an application setting for it to be applied. To do this:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Application Setting you want to use, and select your Authentication Profile in it via the Lookup button.
  5. Select Save and Exit to apply the change.


Testing Your Configuration


To test your configuration and verify that your Authentication Profile has been configured correctly:


To test in Mimecast for Outlook:

  1. Open Microsoft Outlook.
  2. Click on the Account Settings icon from the Mimecast ribbon.
  3. Click on the Single Sign-On button.
  4. Click on the Login button. You're directed to the Microsoft Azure Login URL.
  5. Once successfully authenticated, return to the Account Options page and check that the status is "Validated".


To test in Mimecast Mobile or Mimecast for Mac:

  1. Open the application.
  2. Enter your Email Address.
  3. Click on the Next button. You'll be redirected to your Identity Provider login URL. Once authenticated to Azure, you'll be granted access to Mimecast.


To test in Mimecast Partner Portal:

  1. Go to the Mimecast Partner Portal logon page.
  2. Enter your Email Address.
  3. Click on the Next button. You'll be redirected to your Identity Provider login URL. Once authenticated to Azure, you'll be granted access to Mimecast.