End User Applications: Configuring SSO Using Microsoft Azure AD

Document created by user.oxriBaJeN4 Employee on Dec 30, 2015. Last modified by user.oxriBaJeN4 Employee on Jun 4, 2019. Version 31.

This guide describes how to enable your users to log on to our end user applications with Single Sign-On (SSO), using Microsoft Azure Active Directory (AD) as the identity provider.

Introduction

If your users' UPN and primary email address differ, Single Sign-On only works if you're using Azure Premium; otherwise the UPN and primary email address must be the same. This matters because the identity Azure AD asserts in the SAML response has to match the user's Mimecast email address. See the Troubleshoot User Name Issues That Occur for Federated Users When They Sign in to Office 365 page on the Microsoft website for further detail.

Single Sign-On is supported in the following end user applications:

  • Mimecast for Outlook 7.0 and later.
  • Mimecast Mobile 3.1 and later. Windows Phone is not supported.
  • Mimecast for Mac 2.4 and later.
  • Mimecast Partner Portal.

We recommend reading the Understanding Enforce SAML Authentication for End User Applications page to learn about the impact of enabling Single Sign-On.

Walkthrough

Configuring / Creating an Azure AD Application

See the Creating / Configuring a Microsoft Azure AD Application page for full details.

Configuring Mimecast Settings

Once you have an Azure AD application to support Single Sign-On, you need to configure an Authentication Profile in Mimecast. The profile is applied to the users you want to use Single Sign-On by referencing it from their Application Setting (see "Applying the Authentication Profile to an Application Setting" below).

SAML Settings

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Authentication Profiles button.
  5. Either:
    • Select an Authentication Profile to change it.
    • Click on the New Authentication Profile button to create a new one.
  6. Enter a Description for the new profile.
  7. Ensure the Enforce SAML Authentication for End User Applications option is selected.
  8. Complete the SAML Configuration for End User Applications section, using the following settings:

    Field / Option: Setting

    Provider: Azure Active Directory

    Metadata URL: Enter the Azure AD Federation Metadata Document URL (step 8 of the Creating / Configuring a Microsoft Azure AD Application page referenced above) and click on the Import button.

    Azure AD typically publishes more than one Identity Provider Certificate in its metadata. In this situation you're presented with a screen allowing you to select which certificate to use. Select the certificate with the latest Expire On date. The Issuer URL, Login URL, and Identity Provider Certificate are then added to your Authentication Profile automatically. Mimecast validates the signature on every SAML response against this certificate, so if the one you select isn't the one Azure AD currently signs with, user logons fail until the profile is corrected.

    Monitor Metadata URL: This requires a valid Metadata URL. When selected, Mimecast re-reads the metadata at that URL and checks that your Authentication Profile contains the current Identity Provider certificate and settings. The feature is designed to prevent unexpected outages when these settings change at the Identity Provider, for example when Azure AD rolls over its signing certificate.

    Selecting this option isn't strictly necessary to configure Azure SAML, but it greatly reduces the chance of a failure. If it isn't selected, you must pick the correct certificate from those presented by Microsoft yourself, and repeat that selection whenever Azure AD changes it.

    Logout URL: Don't specify a value. Mimecast only supports basic URL redirect logout methods. Azure AD is known to require a more advanced method that is not currently supported.

    Allow Single Sign On: Select this option.

    Use Password Protected Context: Deselect this option.

    Use Integrated Authentication Context: Deselect this option.
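The certificate choice in the Metadata URL step is the part of this table that most often goes wrong, so here is an added example (not Mimecast or Microsoft code) of what the Import step reads out of an Azure AD federation metadata document: the Issuer URL (entityID), the HTTP-Redirect Login URL, and each signing certificate with its expiry and SHA-256 fingerprint, followed by the "latest Expire On date" rule. The tenant ID, URLs and certificates in the sample are constructed placeholders built inline so the script runs offline; the minimal DER walker only reads the validity field, which is all the selection rule needs.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata you didn't fetch yourself
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def cert_not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and decode notAfter (the Expire On date)."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)             # [0] EXPLICIT version, or serialNumber when absent
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)         # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    _, validity, _ = _tlv(tbs, pos)
    _, _, pos = _tlv(validity, 0)          # notBefore
    tag, raw, _ = _tlv(validity, pos)      # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def summarize_idp_metadata(xml_text: str) -> dict:
    """Pull out what the Authentication Profile stores: Issuer URL, Login URL, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means signing and encryption
            continue
        b64 = kd.find(f".//{{{DS}}}X509Certificate").text
        der = base64.b64decode("".join(b64.split()))
        certs.append({"sha256": hashlib.sha256(der).hexdigest(),  # compare with the profile's cert
                      "not_after": cert_not_after(der)})
    logins = [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
              if s.get("Binding") == HTTP_REDIRECT]
    return {"issuer_url": root.get("entityID"),
            "login_url": logins[0] if logins else None,
            "signing_certs": certs}


def pick_latest_expiring(certs: list) -> dict:
    """The rule from the Import step: use the certificate with the latest Expire On date."""
    return max(certs, key=lambda c: c["not_after"])


# ---- constructed sample data: placeholder tenant, synthetic certificates ----
def _der(tag: int, payload: bytes) -> bytes:
    assert len(payload) < 128              # short-form lengths suffice for the sample
    return bytes([tag, len(payload)]) + payload


def synthetic_cert(not_after_utctime: str) -> bytes:
    """X.509 skeleton (empty names, no key, no signature) whose only real field is notAfter."""
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after_utctime.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def _key_descriptor(der: bytes) -> str:
    return ('<KeyDescriptor use="signing"><KeyInfo xmlns="' + DS + '"><X509Data><X509Certificate>'
            + base64.b64encode(der).decode() + '</X509Certificate></X509Data></KeyInfo></KeyDescriptor>')


TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real tenant ID
SAMPLE_CERTS = [synthetic_cert("260630000000Z"), synthetic_cert("280630000000Z")]
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="' + MD + '" entityID="https://sts.windows.net/' + TENANT + '/">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + "".join(_key_descriptor(c) for c in SAMPLE_CERTS)
    + '<SingleSignOnService Binding="' + HTTP_REDIRECT
    + '" Location="https://login.microsoftonline.com/' + TENANT + '/saml2"/>'
    '</IDPSSODescriptor></EntityDescriptor>'
)

if __name__ == "__main__":
    info = summarize_idp_metadata(SAMPLE_METADATA)
    print("Issuer URL:", info["issuer_url"])
    print("Login URL: ", info["login_url"])
    for c in info["signing_certs"]:
        print(" cert", c["sha256"][:16], "expires", c["not_after"].date())
    print("select:", pick_latest_expiring(info["signing_certs"])["not_after"].date())
```

The fingerprint is the practical check when Monitor Metadata URL isn't enabled: compare the fingerprint of the certificate shown in the Authentication Profile with those in the current metadata, and re-import as soon as it no longer appears there.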

 

Optionally Define Permitted IP Ranges

To add an additional layer of security, Mimecast provides optional permitted IP range settings for the Administration Console, end user applications, and gateway authentication attempts. Logons from addresses outside the configured ranges are rejected even when the user authenticates successfully, so bear in mind that remote and Mimecast Mobile users on cellular networks won't come from your office ranges.

To configure permitted IP ranges for the Administration Console:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Account | Account Settings menu item.
  4. Expand the User Access and Permissions section.
  5. In the Admin IP Ranges text box, enter the public IP address ranges from which administrators are permitted to log on, in CIDR format, one range per line. Make sure the public address your own session comes from is inside one of these ranges before saving, otherwise you lock yourself out of the console.
  6. Select Save to apply the new settings.

To configure permitted IP ranges for end user applications:

  1. Select the Permitted Application Login IP Ranges option.
  2. In the Permitted Application Login IP Ranges text box, enter the public IP address ranges from which end user applications are permitted to log on, in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.

To configure permitted IP ranges for gateway authentication using SMTP or POP:

  1. Select the Permitted Gateway Login IP Ranges option.
  2. In the Permitted Gateway Login IP Ranges text box, enter the public IP address ranges from which SMTP and POP authentication is permitted, in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.
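As an added example (not Mimecast code), the following Python checks a CIDR list of the kind these text boxes take before you paste it in: it rejects malformed entries, flags ranges that aren't public and ones that are very broad, and answers the question that matters most before you click Save, whether the address you are administering from would still be permitted. The sample ranges and the /16 "broad" threshold are constructed assumptions, not values from this page.

```python
import ipaddress

BROAD_PREFIX_V4 = 16   # assumption: anything wider than a /16 deserves a second look


def parse_ranges(text: str):
    """Parse one CIDR per line, as the text boxes expect. Returns (networks, problems);
    problems are (line number, entry, code) with code in {"invalid", "not_public", "broad"}."""
    nets, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)   # strict: host bits must be zero
        except ValueError:
            problems.append((lineno, entry, "invalid"))       # e.g. a host address with a /24
            continue
        if not net.is_global:                                 # private, loopback, link-local, reserved
            problems.append((lineno, entry, "not_public"))
        if net.version == 4 and net.prefixlen < BROAD_PREFIX_V4:
            problems.append((lineno, entry, "broad"))
        nets.append(net)                                      # the console would accept it; you decide
    return nets, problems


def is_permitted(ip: str, nets) -> bool:
    """Would a logon from this source address pass the permitted-range check?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def lockout_risk(my_public_ip: str, admin_ranges: str) -> bool:
    """True if saving admin_ranges would shut out the address you are administering from."""
    nets, _ = parse_ranges(admin_ranges)
    return bool(nets) and not is_permitted(my_public_ip, nets)


# constructed sample: two placeholder public ranges followed by three typical mistakes
SAMPLE_ADMIN_RANGES = """\
51.51.51.0/29
91.44.80.12/32
10.0.0.0/8
0.0.0.0/0
91.44.80.12/24
"""
CLEAN_ADMIN_RANGES = "51.51.51.0/29\n91.44.80.12/32\n"

if __name__ == "__main__":
    nets, problems = parse_ranges(SAMPLE_ADMIN_RANGES)
    for lineno, entry, code in problems:
        print(f"line {lineno}: {entry}: {code}")
    clean, _ = parse_ranges(CLEAN_ADMIN_RANGES)
    print("admin at 51.51.51.4 permitted by clean list:", is_permitted("51.51.51.4", clean))
    print("lockout risk from 91.44.80.13:", lockout_risk("91.44.80.13", CLEAN_ADMIN_RANGES))
```

An empty list means no restriction, so lockout_risk only reports a problem once at least one valid range is present; the first line of the sample that fails, 91.44.80.12/24, is the common paste error of a host address with a network prefix.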

 

Other Options

An Authentication Profile is applied to a group of users, but a user can only have one effective profile at a time. Consequently, any additional authentication options those users need must be added to this same Authentication Profile rather than to a second one. See the Authentication Options space for information on other authentication methods.

Applying the Authentication Profile to an Application Setting

Once your Authentication Profile is complete, you must reference it in an Application Setting for it to take effect. To do this:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Open the Application Setting you want to apply the profile to.
  5. Select your Authentication Profile using the Lookup button.
  6. Select Save and Exit to apply the change.

Testing Your Configuration

To verify that your Authentication Profile has been configured correctly, test a logon from each end user application you've enabled it for.

To test in Mimecast for Outlook:

  1. Open Microsoft Outlook.
  2. Click on the Account Settings icon from the Mimecast ribbon.
  3. Click on the Single Sign-On button.
  4. Click on the Login button. You're directed to the Microsoft Azure Login URL.
  5. Once you've successfully authenticated, return to the Account Options page and check that the status is "Validated".

To test in Mimecast Mobile or Mimecast for Mac:

  1. Open the application.
  2. Enter your Email Address.
  3. Click on the Next button. You're redirected to your Identity Provider login URL. Once authenticated to Azure, you're granted access to Mimecast.

To test in Mimecast Partner Portal:

  1. Go to the Mimecast Partner Portal logon page.
  2. Enter your Email Address.
  3. Click on the Next button. You're redirected to your Identity Provider login URL. Once authenticated to Azure, you're granted access to Mimecast.
