Configuring Single Sign-On for Administration Console using Microsoft Azure AD

Document created by user.oxriBaJeN4 (Employee) on Jun 3, 2016. Last modified by user.oxriBaJeN4 (Employee) on Jun 19, 2017. Version 16.

This guide explains how to configure Single Sign-On for Administration Console using Microsoft Azure Active Directory (AD) as the Identity Provider.

When using Azure AD, the UPN and primary email address must be the same for SSO to work, as mentioned in the following Microsoft support article:

https://support.microsoft.com/en-us/kb/2392130

Supported Configurations

 

Service Provider Initiated SAML

 

Mimecast supports Service Provider Initiated Single Sign-On only when using Microsoft Azure AD as an Identity Provider. In this model:

  • Administrators will navigate to Administration Console v4 in a web browser.
  • To start the login process administrators must enter their primary email address.
  • The administrator will then be redirected to Microsoft Azure.
  • Depending on the administrator's status, the browser used, and your environment, Microsoft Azure decides whether the administrator is already authenticated.
  • If Microsoft Azure decides that the administrator is authenticated, the administrator is redirected back to Administration Console v4 and granted access.
  • If Microsoft Azure decides that the administrator is not authenticated, they need to log in to Microsoft Azure before being redirected back to Administration Console v4 and granted access.

 

Azure My Apps Portal

 

When you create an application in Microsoft Azure AD it is possible for the application to be published to the Azure My Apps portal. After following the steps in this guide the following behavior is supported:

  • Administrators navigate to the Azure My Apps portal and login.
  • Administrators select the Mimecast Administration Console v4 application and are redirected to the Console login page.
  • Administrators must then enter their primary email address and select Next.
  • The administrator's web browser will be redirected back to Microsoft Azure and then immediately redirected back to Administration Console v4 and granted access as they will already be authenticated with Microsoft Azure.

 

Authentication Contexts

 

An Authentication Context is defined as part of the SAML request generated by Mimecast and posted to Microsoft Azure after the administrator enters their primary email address on the Administration Console v4 login page.

 

When integrating with Microsoft Azure Mimecast supports the following contexts:

  • Password Protected or
  • Windows Integrated or
  • None

 

The decision on which context to use depends on how your organization is setup.

 

Organization Setup: Microsoft Azure AD / Office 365 standalone
Recommended Authentication Context: Password Protected
Expected behavior: Regardless of the web browser used, administrators log in to Microsoft Azure using a combination of their email address and a password.

Organization Setup: Microsoft Azure AD / Office 365 federated with an on-premises AD FS environment
Recommended Authentication Context: None
Expected behavior: In this environment administrators will typically be using Internet Explorer on a domain-joined computer and expecting Windows Integrated authentication to take care of access to your organization's applications.

We recommend not setting an Authentication Context in this scenario, so that administrators keep the flexibility to use different web browsers and devices to access Administration Console v4.

Explicitly setting Password Protected in this environment is likely to break administrators' access when using Internet Explorer.

Equally, explicitly setting Windows Integrated in this environment is likely to break administrators' access when using other web browsers or devices.
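To make the Authentication Context concrete at the protocol level, here is an added example (not Mimecast's code; the request Mimecast actually generates is not shown on this page). It builds the unsigned SAML AuthnRequest a Service Provider posts to the Identity Provider after the email address is entered, with or without a RequestedAuthnContext, and decodes a captured SAMLRequest form field to report which context it asks for, which is what you would check when a context setting breaks access for one browser. The mapping of the three option names to AuthnContext class URIs, and all URLs, are assumptions.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed mapping from the three options named on the page to the SAML
# AuthnContext class URIs Azure AD accepts; "None" omits the element entirely.
AUTHN_CONTEXTS = {
    "Password Protected": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "Windows Integrated": "urn:federation:authentication:windows",
    "None": None,
}


def build_authn_request(sp_entity_id, acs_url, idp_login_url, context="None"):
    """AuthnRequest the Service Provider sends once the email address is entered."""
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex,          # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_login_url,          # the Login URL from the IdP metadata
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    class_ref = AUTHN_CONTEXTS[context]
    if class_ref:   # "None": let the IdP choose, so browser/device differences do not matter
        rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP, {"Comparison": "exact"})
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = class_ref
    return ET.tostring(req, encoding="unicode")


def encode_for_post(xml_text):
    """HTTP-POST binding: the SAMLRequest form field is the base64 of the raw XML."""
    return base64.b64encode(xml_text.encode()).decode()


def requested_context(saml_request_b64):
    """Decode a captured SAMLRequest field and report the context it asks for, if any."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    ref = root.find("{%s}RequestedAuthnContext/{%s}AuthnContextClassRef" % (SAMLP, SAML))
    return ref.text if ref is not None else None
```

Paste the SAMLRequest value from the browser's POST to the Login URL into requested_context to see whether a Password Protected or Windows Integrated context is being forced on a session that cannot satisfy it.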

 

Preparing Azure AD

 

Before you can configure the Mimecast settings, an Azure AD application must exist to accept Service Provider Initiated SAML requests from Mimecast. If you've previously done this for another Mimecast application, copy the Metadata URL from the previous setting and use it on the new application. Once completed, import the certificate.

 

If you haven't created an Azure AD application:

  1. Login to the Microsoft Azure management portal.
  2. Select your organization's Active Directory.
  3. Select APPLICATIONS.

    Azure AD Home.png
  4. A list of your organization's applications is displayed.
  5. Select to add an application from the action bar at the bottom of the screen. A wizard is launched.
  6. Select Add an application my organization is developing.

    Azure AD what do you want to do.png
  7. Enter a name for the application (e.g. "Mimecast Administration Console v4") and leave the Web Application and/or Web API type selected. Select to continue.

    Azure AD tell us about your application.png
  8. Complete the App Properties page.

  9. Select the tick icon to complete the configuration.
  10. Select the newly created application from the list of Azure Applications.
  11. Click on the icon shown (icon.png).
  12. Select the Enable Users to sign on link from the Get Started section.
  13. Note the FEDERATION METADATA DOCUMENT URL link. This is used in the next section to configure the Mimecast settings.

 

Add Support for Azure My Apps Portal (Optional)

 

For the Azure My Apps portal workflow to function as described in the Supported Configurations section above, follow these steps:

  1. While signed in to the Microsoft Azure Management Portal navigate to your Active Directory.
  2. Select Applications.

    Azure AD Home.png
  3. Select the application you have created for Administration Console v4.
  4. Select the CONFIGURE option.

    axure.png
  5. Update the SIGN-ON URL to the Mimecast Administration Console v4 URL for your region.
  6. Select Save.

 

Configuring Mimecast Settings

 

Once Microsoft Azure is set up to support Single Sign-On, you need to configure a Mimecast Authentication Profile. The profile is then applied, through the Application Settings feature, to the users who should use Single Sign-On.

 

SAML Settings

 

  1. Login to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Authentication Profiles button.
    Authentication profile
  4. Select an existing Authentication Profile to update or select the New Authentication Profile button to create a new one.
  5. Enter a Description for the new profile.
  6. Select Enforce SAML Authentication for Administration Console.

    Authentication+Profile+ADCON+SAML.png

  7. The screen expands to reveal the SAML Settings:

    Authentication Profile ADCON Expanded Azure.png

  8. Select Azure Active Directory from the Provider drop down list.
  9. Enter the Federation Metadata URL copied at the end of the Preparing Azure AD section and select Import.
    • Mimecast has observed that Azure AD typically hosts more than one Identity Provider Certificate.
    • In this situation you are presented with a screen allowing you to select which certificate you would like to use.
    • Select the certificate with the latest Expire On date.
    • The Issuer URL, Login URL, and Identity Provider Certificate metadata are automatically added to your Authentication Profile.
  10. Select Monitor Metadata URL. This option requires a valid Metadata URL, and checks that your Authentication Profile contains the current Identity Provider certificate and settings. The feature is designed to prevent unexpected issues when these settings change at the Identity Provider.
    Whilst selecting this option isn't necessary in order to properly configure Azure SAML, it greatly increases the chances of success. If not selected, it is necessary to correctly select a certificate presented by Microsoft.
  11. Do not specify the Logout URL. Mimecast only supports basic URL redirect logout methods. Azure AD is known to require a more advanced method that is not currently supported.
  12. Choose which Authentication Context to use. See the Authentication Contexts part of the Supported Configurations section in this guide to help you decide which setting to use. You can select at most one context here, or none.
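Steps 9 and 10 above rely on the federation metadata document staying consistent with what was imported. Here is an added example (not Mimecast's code) of the kind of check the Monitor Metadata URL option performs: it parses a federation metadata document for the Issuer URL, the HTTP-POST Login URL and every published signing certificate, then reports whether a stored profile's values still match. The sample metadata, its placeholder tenant id and its certificate blobs are constructed, and the profile field names are assumed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like an Azure AD federation metadata document with two
# signing certificates. The base64 blobs and tenant id are placeholders, not real.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/"><IDPSSODescriptor>
 <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data><X509Certificate>{old}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data><X509Certificate>{new}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
</IDPSSODescriptor></EntityDescriptor>""".format(
    old=base64.b64encode(b"placeholder-cert-A").decode(),
    new=base64.b64encode(b"placeholder-cert-B").decode())


def cert_fingerprint(b64_cert):
    """SHA-256 over the DER bytes; whitespace inside the base64 body is ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def parse_idp_metadata(xml_text):
    """Return the Issuer URL, HTTP-POST Login URL and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = [cert_fingerprint(c.text)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"      # skip encryption-only keys
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    login = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
             if s.get("Binding") == POST_BINDING]
    return {"issuer": root.get("entityID"), "login_url": login[0] if login else None,
            "signing_certs": certs}


def check_profile(profile, metadata_xml):
    """Compare a stored Authentication Profile with live metadata; list any drift."""
    live = parse_idp_metadata(metadata_xml)
    findings = ["%s changed: %s -> %s" % (k, profile[k], live[k])
                for k in ("issuer", "login_url") if profile[k] != live[k]]
    if profile["cert_fingerprint"] not in live["signing_certs"]:
        findings.append("stored IdP certificate no longer published; re-import metadata")
    return findings
```

Choosing the certificate with the latest Expire On date, as step 9 advises, needs an X.509 parser to read each certificate's NotAfter field; this example compares fingerprints only.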

 

Optionally Define Permitted IP Ranges

 

To add an additional layer of security, Mimecast provides optional Permitted IP Range settings for Administration Console, End User Application, and Gateway authentication attempts.

 

To configure Permitted IP ranges for the Administration Console:

  1. Login to the Administration Console.
  2. Navigate to the Administration | Account | Account Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.

 

To configure Permitted IP Ranges for End User Applications:

  1. Select the check box to enable Permitted Application Login IP Ranges.
  2. In the Permitted Application Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.

 

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Select the check box to enable Permitted Gateway Login IP Ranges.
  2. In the Permitted Gateway Login IP Ranges text box enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
  3. Select Save and Exit to apply the new settings.

 

Other Options

 

An Authentication Profile is applied to a group of users and a user can only have one effective profile at a given time. Consequently you may want to add additional authentication options to your Authentication Profile. Please see the Authentication Options space for information on other authentication methods.

 

Apply the Authentication Profile to an Application Setting

 

Once your Authentication Profile is complete, you need to reference it in an Application Setting in order for it to be applied. To do this:

  1. Login to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference and click the Select link on the lookup page.
    Application_Settings_select_Authentication_Profile.png
  5. Select Save and Exit to apply the change.

 

Next Steps

When using Service Provider Initiated SAML Authentication your administrators must access Administration Console v4 using the regional URL. Due to the differences between each Identity Provider's implementation of SAML, Mimecast does not support this authentication type when using the https://login.mimecast.com global URL.

 

To test your configuration and verify that your Authentication Profile has been configured correctly:

    1. Open a web browser and navigate to the Mimecast Administration Console v4 login page.
    2. Enter your primary email address.
    3. You should be redirected to the Microsoft Azure Login URL specified in the Authentication Profile.
    4. If required, login to Microsoft Azure.
    5. You should then be redirected to Administration Console v4 and granted access.
