Administration Console: Configuring Single Sign-On Using Microsoft Azure AD

Document created by user.oxriBaJeN4 (Employee) on Jun 3, 2016. Last modified by user.oxriBaJeN4 (Employee) on Nov 20, 2017. Version 19.

This guide explains how to configure Single Sign-On (SSO) for the Mimecast Administration Console using Microsoft Azure Active Directory (AD) as the identity provider.

When using Azure AD, the UPN and primary email address must be the same for SSO to work. See the following Microsoft support article for full details: https://support.microsoft.com/en-us/kb/2392130.

Supported Configurations

Service Provider Initiated SAML

When using Microsoft Azure AD as the identity provider, Mimecast supports service provider initiated SSO only. In this model you:

  1. Open the Administration Console in a web browser.
  2. Enter your Primary Email Address.
  3. You're redirected to Microsoft Azure. Depending on your status, the browser used, and your environment, Microsoft Azure decides whether you are already authenticated:
    • If you are authenticated, you are redirected back to the Administration Console and granted access.
    • If you aren't authenticated, you must log on to Microsoft Azure before being redirected back to the Administration Console and granted access.

 

Azure My Apps Portal

When you create an application in Microsoft Azure AD, the application can be published to the Azure My Apps portal. After following the steps in this guide, you can:

  1. Navigate to the Azure My Apps portal and log on.
  2. Select the Mimecast Administration Console application. You are redirected to the Administration Console log on page.
  3. Enter your Primary Email Address.
  4. Click on the Next button. You are redirected back to Microsoft Azure, and immediately redirected back to the Administration Console. You are granted access because you're already authenticated with Microsoft Azure.

 

Authentication Contexts

An Authentication Context is defined as part of the SAML request generated by us, and posted to Microsoft Azure after you enter your primary email address on the Administration Console login page. When integrating with Microsoft Azure, we support the following contexts:

  • Password Protected
  • Windows Integrated
  • None

The decision on which context to use depends on how your organization is set up.

Organization Setup: Microsoft Azure AD / Office 365 Standalone
  Recommended Authentication Context: Password Protected
  Expected behavior: Regardless of the web browser used, administrators should log on to Microsoft Azure using a combination of their email address and a password.

Organization Setup: Microsoft Azure AD / Office 365 federated with an on-premises AD FS environment
  Recommended Authentication Context: None
  Expected behavior: Administrators typically use Internet Explorer on a domain-joined computer, and expect Windows Integrated authentication to take care of access to your organization's applications. We recommend not setting an Authentication Context in this scenario, so that administrators keep the flexibility to use different web browsers and devices to access the Administration Console. Explicitly setting Password Protected in this environment is likely to break administrators' access when using Internet Explorer. Equally, explicitly setting Windows Integrated in this environment is likely to break administrators' access when using other web browsers or devices.
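To make the Authentication Context concrete, here is an added Python example (not Mimecast's code; the page does not publish its request format) that builds the kind of service provider initiated SAML 2.0 AuthnRequest described above, with the RequestedAuthnContext element chosen from the three console options. The mapping of "Password Protected" and "Windows Integrated" to the PasswordProtectedTransport and urn:federation:authentication:windows class URIs, the emailAddress NameID format, and every URL used are assumptions made for illustration.

```python
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Console option -> AuthnContextClassRef URI. This mapping is an assumption of
# the example; the page names the three options but not the URIs behind them.
# "None" means the request carries no RequestedAuthnContext at all, leaving the
# identity provider free to pick a method (the recommended AD FS setting).
AUTHN_CONTEXT = {
    "Password Protected": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "Windows Integrated": "urn:federation:authentication:windows",
    "None": None,
}


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, context="None",
                        request_id=None, issue_instant=None):
    """Return an SP-initiated SAML 2.0 AuthnRequest as an XML string.

    sp_entity_id is the App ID URL registered at the IdP, acs_url is where the
    IdP posts the assertion back, idp_sso_url is the IdP login endpoint.
    """
    if context not in AUTHN_CONTEXT:
        raise ValueError(f"unknown authentication context: {context!r}")
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    # The user identifies with an email address; the IdP must map it to a UPN,
    # which is why the page requires UPN and primary email address to match.
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "false",
    })
    class_ref = AUTHN_CONTEXT[context]
    if class_ref is not None:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")


def requested_context(xml_text):
    """Return the AuthnContextClassRef carried by a request, or None if absent."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return node.text if node is not None else None


def to_post_form_value(xml_text):
    """Encode the request as the SAMLRequest form field of the HTTP-POST binding."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def from_post_form_value(form_value):
    """Decode a SAMLRequest form field back to the XML text."""
    return base64.b64decode(form_value).decode("utf-8")


if __name__ == "__main__":
    # Placeholder URLs: ACCOUNTCODE is the page's own placeholder, the IdP host
    # is constructed for this example and is not a real tenant endpoint.
    xml = build_authn_request(
        "https://eu-api.mimecast.com/sso/ACCOUNTCODE",
        "https://eu-api.mimecast.com/login/saml",
        "https://idp.example.invalid/saml2",
        context="Password Protected")
    print(xml)
```

Because the `None` option omits the element entirely, the identity provider applies its own policy, which is exactly the flexibility the AD FS row of the table relies on; `Comparison="exact"` with a single class is what makes the other two options break in the mismatched browser cases the table describes.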

 

Configuring / Creating an Azure AD Application

Before you can configure the Mimecast settings, an Azure AD application must exist to accept service provider initiated SAML requests from us. If you've previously done this for another Mimecast application:

  1. Copy the Metadata URL from the previous setting and use it on the new application.
  2. Import the certificate.

Creating an Azure AD Application

If you haven't created an Azure AD application:

  1. Create an application:
    Refer to the "Create an Azure Active Directory Application" section of the Create Identity for Azure App in Portal page in the Microsoft Azure AD documentation when completing this step.
    1. Enter a Name for the application (e.g. "Mimecast End User Applications")
    2. Select Web App / API from the Application Type option.
    3. Enter https://xx-api.mimecast.com/login/saml in the Sign-On URL field (where xx is your location code. For example, "eu" for Europe, "us" for United States, "za" for South Africa, "au" for Australia, or "jer" for Offshore).
    4. Click on the Create button.
  2. Register the application:
    Refer to the How to Configure Azure Active Directory Authentication for your App Services Application page in the Microsoft Azure AD documentation when completing this step.

    The values entered depend on the Mimecast grid where your organization's Mimecast account is hosted.

    1. Set the Home Page URL using the value for your grid from the table below.
    2. Set the App ID URL using the value for your grid from the table below:
       Europe: https://eu-api.mimecast.com/sso/ACCOUNTCODE
       United States: https://us-api.mimecast.com/sso/ACCOUNTCODE
       South Africa: https://za-api.mimecast.com/sso/ACCOUNTCODE
       Australia: https://au-api.mimecast.com/sso/ACCOUNTCODE
       Offshore: https://jer-api.mimecast.com/sso/ACCOUNTCODE
       In each value, ACCOUNTCODE is your unique Mimecast account code as specified in the Administration | Account | Account Settings page of the Administration Console.
    3. Make a note of the Federation Metadata Document link. This is used in the next section to configure the Mimecast settings.

 

Configuring Mimecast Settings

Once Microsoft Azure is set up to support SSO, you must configure an Authentication Profile in the Mimecast Administration Console. This profile is applied to the users you want to use SSO with via the Application Settings functionality.

Configuring SAML Settings

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Select the Authentication Profiles button.
  5. Select an existing Authentication Profile to update or select the New Authentication Profile button to create a new one.
  6. Enter a Description for the profile.
  7. Select the Enforce SAML Authentication for Administration Console option.
  8. Complete the SAML Settings section as follows:
    Provider: Select "Azure Active Directory" in the drop down list.
    Metadata URL: Specify the "Federation Metadata Document" value from step 2c of the "Configuring / Creating an Azure AD Application" task above, and click on the "Import" button. If Azure AD hosts more than one identity provider certificate, a list of them is displayed. Select the certificate with the latest "Expiry On" date.
    Issuer URL, Login URL, Identity Provider Certificate (Metadata): These fields are completed automatically when the "Federation Metadata Document" has been imported.
    Monitor Metadata URL: Specify a valid metadata URL. We check that your Authentication Profile contains the current Identity Provider certificate and settings, which prevents unexpected issues when these settings change at the identity provider. Selecting this option isn't necessary to configure Azure SAML, but it greatly increases the chances of success. If it isn't selected, you must correctly select a certificate presented by Microsoft.
    Logout URL: Leave blank. We only support basic URL redirect logout methods. Azure AD requires a more advanced method that we do not currently support.
  9. Select which Authentication Context to use. See the Authentication Contexts section above to help you decide which setting to use. Only one context can be selected.
  10. Click on the Save and Exit button.
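The Metadata URL import and the Monitor Metadata URL check both come down to reading the identity provider's federation metadata document and comparing it with what the profile stores. The following added Python example (not Mimecast's code, and not Microsoft's metadata format beyond the standard SAML 2.0 metadata elements) parses a constructed metadata document for the Issuer URL, Login URL and signing certificates, then reports where a stored profile has drifted from it. The sample document, its entity ID, URLs and the two placeholder "certificates" (base64 of the strings CERT-OLD and CERT-NEW) are all constructed; picking the certificate with the latest "Expiry On" date needs an X.509 decoder, so this standard-library example identifies certificates by SHA-256 fingerprint instead.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the element layout follows SAML 2.0 metadata, but the
# entity ID, URLs and certificate bodies are placeholders, not a real tenant.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.example.invalid/TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>Q0VSVC1PTEQ=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>Q0VSVC1ORVc=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://sts.example.invalid/TENANT-ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://sts.example.invalid/TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sha256_hex(data):
    """Fingerprint used to identify a certificate without decoding X.509."""
    return hashlib.sha256(data).hexdigest()


def parse_idp_metadata(xml_text):
    """Extract the values the profile stores: issuer, login URL, signing certs."""
    root = ET.fromstring(xml_text)
    issuer_url = root.get("entityID")
    login_url = None
    for sso in root.iter(f"{{{MD}}}SingleSignOnService"):
        # The request is posted to the IdP, so prefer the HTTP-POST endpoint
        # and fall back to whatever endpoint is listed first.
        if sso.get("Binding") == HTTP_POST or login_url is None:
            login_url = sso.get("Location")
    fingerprints = set()
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys cannot verify assertions
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.add(sha256_hex(der))
    return {"issuer_url": issuer_url, "login_url": login_url,
            "certificate_sha256": fingerprints}


def check_profile(profile, metadata):
    """Compare a stored Authentication Profile with freshly fetched metadata.

    profile holds one certificate fingerprint (the one selected at import);
    metadata is the dict from parse_idp_metadata. Returns a list of findings,
    empty when the profile is still current.
    """
    findings = []
    if profile["issuer_url"] != metadata["issuer_url"]:
        findings.append("Issuer URL changed at the identity provider")
    if profile["login_url"] != metadata["login_url"]:
        findings.append("Login URL changed at the identity provider")
    if profile["certificate_sha256"] not in metadata["certificate_sha256"]:
        findings.append("identity provider certificate rotated: "
                        "the stored certificate is no longer published")
    return findings


if __name__ == "__main__":
    live = parse_idp_metadata(SAMPLE_METADATA)
    stored = {"issuer_url": live["issuer_url"], "login_url": live["login_url"],
              "certificate_sha256": sha256_hex(b"CERT-RETIRED")}
    for finding in check_profile(stored, live):
        print("finding:", finding)
```

Run periodically against the Monitor Metadata URL, a non-empty findings list is the condition under which an unmonitored profile would start rejecting every assertion signed with the rotated key, which is the failure the page's recommendation to select this option is meant to prevent.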

 

Defining Permitted IP Ranges

 

To add an additional layer of security, we provide optional permitted IP range settings for the administration console, end user applications, and gateway authentication attempts.

 

To configure permitted IP ranges for the administration console:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Account | Account Settings menu item.
  4. Expand the User Access and Permissions section.
  5. Specify the public IP address ranges you want to restrict access to in the Admin IP Ranges option. Specify them in CIDR format, one range per line.
  6. Click on the Save and Exit button.

 

To configure permitted IP ranges for end user applications:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button.
  5. Either click on the:
    • Authentication Profile to be changed.
    • New Authentication Profile button.
  6. Select the Permitted Application Login IP Ranges option.
  7. Specify the public IP address ranges you want to restrict access to in the Application Login IP Ranges field. Specify them in CIDR format, one range per line.
  8. Click on the Save and Exit button.

 

To configure permitted IP ranges for gateway authentication using SMTP or POP:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button.
  5. Either click on the:
    • Authentication Profile to be changed.
    • New Authentication Profile button.
  6. Select the Permitted Gateway Login IP Ranges option.
  7. Specify the public IP address ranges you want to restrict access to in the Gateway Login IP Ranges field. Specify them in CIDR format, one range per line.
  8. Click on the Save and Exit button.
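All three permitted-range settings take the same input: public IP address ranges in CIDR format, one per line. The added Python example below (not Mimecast's code; the console's own validation rules are not described on the page) shows the checks worth running on such a list before saving it: strict CIDR parsing, rejection of private and loopback ranges, a lookup of a client address against the list, and a lock-out check that the administrator's own current address is still covered. The sample list and the addresses tested are constructed from documentation ranges.

```python
import ipaddress

# Ranges that can never be a public source address for the console; an entry
# inside them is almost certainly a mistake. Documentation ranges
# (203.0.113.0/24 and friends) are deliberately not rejected here so the
# constructed sample below can use them.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]

# Constructed sample input, as it might be pasted into the console field:
# two valid entries, one private range, one CIDR with host bits set, one typo.
SAMPLE_RANGES = """\
203.0.113.0/24
198.51.100.7
10.0.0.0/8
203.0.113.5/24
not-an-ip
"""


def parse_ip_ranges(text):
    """Parse a one-range-per-line list; return (networks, errors).

    A bare address is accepted as a single-host range. strict=True rejects
    entries such as 203.0.113.5/24 whose host bits are set, since the author
    probably meant either 203.0.113.0/24 or 203.0.113.5/32.
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: {line!r} is not a valid CIDR range ({exc})")
            continue
        if any(net.network_address in reserved for reserved in NON_PUBLIC):
            errors.append(f"line {lineno}: {line!r} is not a public range")
            continue
        networks.append(net)
    return networks, errors


def is_permitted(client_ip, networks):
    """True if the client address falls inside any permitted range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def would_lock_out(admin_ip, networks):
    """True if saving this list would exclude the administrator saving it.

    An empty list means no restriction, so it can never lock anyone out.
    """
    return bool(networks) and not is_permitted(admin_ip, networks)


if __name__ == "__main__":
    nets, errs = parse_ip_ranges(SAMPLE_RANGES)
    for err in errs:
        print("rejected:", err)
    print("permitted ranges:", [str(n) for n in nets])
    print("203.0.113.77 permitted:", is_permitted("203.0.113.77", nets))
    print("would lock out 192.0.2.10:", would_lock_out("192.0.2.10", nets))
```

The lock-out check matters most for the Admin IP Ranges setting: once saved, an administrator connecting from an address outside the list cannot reach the console to correct it, so the address of the session making the change should always be verified against the list first.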

 

Applying an Authentication Profile to an Application Setting

 

An authentication profile is applied to a group of users, and a user can only have one effective profile at any given time. Consequently you may want to add additional authentication options to your authentication profile. See the Authentication Options page for further information on other authentication methods. Once your authentication profile is complete, you need to reference it in an Application Setting. To do this:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Either click on the:
    • Application Setting that you want to use.
    • New Application Settings button.
  5. Expand the Common Application Settings section.
  6. Click on the "Lookup" button next to the Authentication Profile field to select the required Authentication Profile.
  7. Click on the Save and Exit button.

 

Testing Your Configuration

When using Service Provider Initiated SAML Authentication, administrators must access the Administration Console using the regional URL. Due to the differences between each Identity Provider's implementation of SAML, we do not support this authentication type when using the global URL (https://login.mimecast.com).

To test your configuration and verify your authentication profile is correctly configured:

  1. Open your Browser.
  2. Go to the Mimecast Administration Console log on page.
  3. Enter your Primary Email Address. You should be redirected to the Microsoft Azure Login URL specified in your authentication profile.
  4. If required, log on to Microsoft Azure. You should be redirected to the Administration Console and granted access.
