Administration Console: Configuring SSO Using ADFS

Document created by user.oxriBaJeN4 (Employee) on Jun 3, 2016. Last modified by user.oxriBaJeN4 (Employee) on Jul 18, 2019. Version 30.

This guide explains how to configure Single Sign-On for the Administration Console using Active Directory Federation Services (AD FS) as an Identity Provider.

The following AD FS versions are supported:

    Version    Host Operating System
    4.0        Windows Server 2016
    3.0        Windows Server 2012 R2
    2.1        Windows Server 2012
    2.0        Windows Server 2008 R2


Configuring AD FS

Creating a Relying Party Trust

To create a relying party trust:

  1. On your AD FS server, open the AD FS Management Console.
  2. Expand the Trust Relationships node.
  3. Select Relying Party Trusts.
  4. Select Add Relying Party Trust... from the Actions pane on the right side of the AD FS management console. The Select Data Source dialog is displayed.
  5. Select the Enter Data About the Relying Party Manually option and click on the Next button. The Specify Display Name dialog is displayed.
  6. Enter a display name (e.g. "Mimecast Administration Console").
  7. Click on the Next button. The Choose Profile Dialog is displayed.
  8. Leave the default AD FS Profile selected.
  9. Click on the Next button. The Configure Certificate dialog is displayed.
  10. Leave the Configure a Certificate dialog unchanged.
  11. Click on the Next button. The Configure URL dialog is displayed.
  12. Leave the Configure URL dialog unchanged.
  13. Click on the Next button. The Configure Identifiers dialog is displayed.
  14. Enter a Relying Party Trust Identifier. Use the value for the region where your Mimecast account is hosted from the table below:
    While AD FS suggests adding "https://" before the Relying Party Trust Identifier value, Mimecast requires this to be left off. Ensure you enter the appropriate value into your Relying Party Trust Identifier field as displayed below.

    Region                      Value
    Europe (Excluding Germany)  eu-api.mimecast.com.ACCOUNTCODE
    Germany                     de-api.mimecast.com.ACCOUNTCODE
    United States               us-api.mimecast.com.ACCOUNTCODE
    South Africa                za-api.mimecast.com.ACCOUNTCODE
    Australia                   au-api.mimecast.com.ACCOUNTCODE
    Offshore                    jer-api.mimecast.com.ACCOUNTCODE

    Where ACCOUNTCODE is your unique Mimecast account code, as specified in the Administration | Account | Account Settings page of the Administration Console.

    We recommend creating three relying party trusts, each with a different trusted URL endpoint. For example, it may prove beneficial to include https://www.mimecast.com/saml.

  15. Permit all users to access the relying party trust.
  16. Click on the Next button.
  17. Complete the wizard by clicking on the Next and Finish buttons.
  18. Right-click on the newly created trust.
  19. Select the Properties menu item.
  20. Select the Endpoints tab.
  21. Click on the Add button.
  22. In the Add an Endpoint dialog, configure the settings to support Identity Provider Initiated authentication, which allows users to access the Mimecast Administration Console from your AD FS portal:
    1. Select SAML Assertion Consumer as the endpoint type.
    2. Select POST as the binding.
    3. Select to Set the Trusted URL as Default.
    4. Leave the index set to 0.
    5. Enter the Trusted URL. Use the value for the region where your Mimecast account is hosted from the table below:
    6. Click on the OK button.
  23. Click on the Add button again. In the Add an Endpoint dialog, configure the settings to support Service Provider Initiated authentication, which allows users to access the Mimecast Administration Console by entering their email address on the console's logon page:
    1. Select SAML Assertion Consumer as the endpoint type.
    2. Select POST as the binding.
    3. Do not select the Set the Trusted URL as Default option.
    4. Set the index to 1.
    5. Enter the Trusted URL. Use the value for the region that your Mimecast account is hosted from the table below:
    6. Click on the OK button.
  24. Click on the OK button to complete the configuration.

 

Edit Claims Rules

To edit the claim rules:

  1. From the Trust Relationships | Relying Party Trusts node, select the previously created Relying Party Trust.
  2. Select Edit Claims Rules... from the Actions pane to launch the Edit Claims Rules dialog box.
  3. On the Issuance Transform Rules tab, select the Add Rule... button.
  4. Leave the default Send LDAP Attributes as Claims selected and select Next.
  5. Enter a name for the Claim Rule, for example, Email Address as Name ID.
  6. Select Active Directory as your Attribute store.
  7. Add the following rule, as displayed in the table below:

    LDAP Attribute     Outgoing Claim Type
    E-Mail-Addresses   Name ID

  8. Once complete, your claim rule should look like this:
    (Screenshot: Edit Rule dialog)
  9. Select Finish to complete the configuration.
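The two procedures above (creating the relying party trust and adding the Name ID claim rule) can also be done with the AD FS PowerShell cmdlets, which is useful for repeating the configuration across a farm or for checking what the wizard produced. The following is an added example, not a script from Mimecast or Microsoft. It assumes the Europe identifier as the example region, and it uses placeholders for ACCOUNTCODE and for the two regional Trusted URL values, which this copy of the page does not list; replace them with the values from your own account and region tables.

```powershell
# Added example: builds the relying party trust and claim rule from the two
# procedures above with the AD FS PowerShell cmdlets instead of the wizard.
# Not Mimecast's or Microsoft's own script. Run as an AD FS administrator on
# the AD FS server (on AD FS 2.0 use Add-PSSnapin Microsoft.Adfs.PowerShell
# instead of Import-Module ADFS).
Import-Module ADFS

# --- Assumed values (placeholders, replace with your own) ---------------------
$AccountCode     = 'ACCOUNTCODE'                          # Administration | Account | Account Settings
$Region          = 'eu'                                   # eu, de, us, za, au or jer, per the region table
$IdpInitiatedUrl = 'https://TRUSTED-URL-FOR-YOUR-REGION'  # Trusted URL, index 0 (IdP-initiated)
$SpInitiatedUrl  = 'https://TRUSTED-URL-FOR-YOUR-REGION'  # Trusted URL, index 1 (SP-initiated)

# Relying Party Trust Identifier: the guide requires the value WITHOUT an https:// prefix.
$Identifier = "$Region-api.mimecast.com.$AccountCode"

# Steps 22-23: two SAML Assertion Consumer endpoints, POST binding.
# Index 0 is the default endpoint (IdP-initiated); index 1 is not default (SP-initiated).
$endpoints = @(
    (New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri $IdpInitiatedUrl -Index 0 -IsDefault $true)
    (New-AdfsSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri $SpInitiatedUrl  -Index 1 -IsDefault $false)
)

# "Edit Claims Rules": the rule the "Send LDAP Attributes as Claims" template generates for
# LDAP attribute E-Mail-Addresses (mail) -> outgoing claim type Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email Address as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

$trustParams = @{
    Name                   = 'Mimecast Administration Console'
    Identifier             = $Identifier
    SamlEndpoint           = $endpoints
    IssuanceTransformRules = $transformRules
}

# Step 15, "Permit all users": AD FS 2016 (4.0) expresses this as an access control policy,
# earlier versions as an issuance authorization rule.
if ((Get-AdfsProperties).CurrentFarmBehavior -ge 3) {
    $trustParams['AccessControlPolicyName'] = 'Permit everyone'
} else {
    $trustParams['IssuanceAuthorizationRules'] =
        '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
}

Add-AdfsRelyingPartyTrust @trustParams

# Check the result against the guide: identifier without a scheme, and two POST
# SAMLAssertionConsumer endpoints with indexes 0 (default) and 1.
$trust = Get-AdfsRelyingPartyTrust -Name 'Mimecast Administration Console'
$trust.Identifier
$trust.SamlEndpoints | Select-Object Index, IsDefault, Binding, Protocol, Location
```

The final two lines are the check worth keeping even if you used the wizard: an identifier that accidentally carries the https:// prefix, or endpoints whose index or default flag is swapped, produces a trust that AD FS accepts but that Mimecast cannot match to your account, and the failure only shows up as a logon error later.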

 

Configuring Mimecast Settings

Once your AD FS server is configured to support the integration, you must configure an Authentication Profile using the settings below.

Description
    Provide a description to enable you to easily identify the profile (e.g. AD FS Single Sign On).

Enforce SAML Authentication for Administration Console
    Select this option. Once selected, the SAML Settings are displayed.

Provider
    Select "AD FS" from the drop-down list.

Metadata URL
    Enter the Federation Metadata URL of your AD FS environment. This will always be "http://<server>/FederationMetadata/2007-06/FederationMetadata.xml" (where <server> is the FQDN of your AD FS server).
    The fields that are normally completed automatically from this URL can be entered manually if we are unable to reach it. When populating the "Identity Provider Certificate (Metadata)" field, trim the Begin and End tags from the certificate metadata.

Monitor Metadata URL
    If selected, this option requires a valid Metadata URL and checks that your Authentication Profile contains the current Identity Provider certificate and settings. This is designed to prevent unexpected issues when these settings change in AD FS.
    Checks are made a maximum of once per day, and are initiated when a user logs on. If no user with this Authentication Profile logs on on a given day, the metadata is not checked.

Logout URL
    Do not select this option. We only support basic URL redirect logout methods. AD FS is known to require a more advanced method that is not currently supported.

Use Password Protected Context
Use Integrated Authentication Context
    Optionally define which authentication context to use. By default, both the password protected and integrated contexts are selected. These settings define the AuthNContextClass used in the SAML request that Mimecast builds and sends to your AD FS logon URL. We support the Password Protected Transport and Windows Integrated contexts, or a combination of both.

Allow Single Sign On
    Select this option to enable single sign-on.
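When Mimecast cannot reach the Metadata URL and the SAML fields have to be filled in by hand, the values all come from the same FederationMetadata.xml document. The snippet below is an added example (not Mimecast's or Microsoft's code) that downloads that document, prints the entity ID and sign-on URLs, and extracts the token-signing certificate in the bare base64 form the "Identity Provider Certificate (Metadata)" field expects, together with a small helper that strips the Begin/End lines from a PEM export. It assumes the placeholder FQDN adfs.example.com and that the metadata document is reachable over HTTPS from the machine you run it on.

```powershell
# Added example, not Mimecast's or Microsoft's code: reads AD FS federation metadata
# and prints the values the Authentication Profile needs when Mimecast cannot fetch
# the Metadata URL itself. Assumes the placeholder FQDN below and that the metadata
# document is reachable over HTTPS from the machine running this.
$AdfsFqdn    = 'adfs.example.com'   # placeholder: FQDN of your AD FS server
$MetadataUrl = "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"

function ConvertFrom-PemCertificate {
    # Trims the -----BEGIN/END CERTIFICATE----- lines and whitespace from a PEM export,
    # leaving the bare base64 the "Identity Provider Certificate (Metadata)" field expects.
    param([Parameter(Mandatory)][string]$Pem)
    $lines = $Pem -split "`r?`n" | Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----\s*$' }
    return (($lines -join '') -replace '\s', '')
}

function Get-AdfsIdpSettingsFromMetadata {
    param([Parameter(Mandatory)][string]$Url)
    [xml]$md = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content

    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $idp = $md.SelectSingleNode('//md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw "No IDPSSODescriptor found in metadata from $Url" }

    $post     = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    $redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

    # The metadata already carries each certificate as bare base64 (no BEGIN/END lines).
    $signing = @($idp.SelectNodes("md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns) |
        ForEach-Object { $_.InnerText -replace '\s', '' })

    [pscustomobject]@{
        EntityId       = $md.DocumentElement.GetAttribute('entityID')
        SsoPostUrl     = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$post']", $ns).GetAttribute('Location')
        SsoRedirectUrl = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$redirect']", $ns).GetAttribute('Location')
        SigningCerts   = $signing | ForEach-Object {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[Convert]::FromBase64String($_))
            [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint; Base64 = $_ }
        }
    }
}

$settings = Get-AdfsIdpSettingsFromMetadata -Url $MetadataUrl
$settings | Format-List EntityId, SsoPostUrl, SsoRedirectUrl
$settings.SigningCerts | Format-Table Subject, NotAfter, Thumbprint
```

The thumbprint output is the value to compare against the certificate stored in the profile after an AD FS token-signing certificate rollover: a stale certificate in the profile means every SAML response fails signature validation. Monitor Metadata URL performs that comparison for you, but, as the table notes, only on days when someone with the profile actually logs on, so a manual check after a planned rollover is still worthwhile.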

 

Defining Permitted IP Ranges

To add additional security, we provide optional Permitted IP Range settings for the Administration Console, end user applications, and gateway authentication attempts.

To configure Permitted IP Ranges for the Administration Console:

  1. Log on to the Administration Console.
  2. Navigate to the Administration | Account | Account Settings menu.
  3. Open the User Access and Permissions section.
  4. In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.

 

To configure Permitted IP Ranges for End User Applications:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button.
  5. Click on the Permitted Application Login IP Ranges option.
  6. Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
  7. Click on the Save and Exit button.

 

To configure Permitted IP Ranges for Gateway authentication using SMTP or POP:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button.
  5. Click on the Permitted Gateway Login IP Ranges option.
  6. Enter the Public IP Address Ranges you want to restrict access to in CIDR format, one range per line.
  7. Click on the Save and Exit button.
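All three Permitted IP Range boxes above take the same input, one CIDR range per line, and the common mistakes are the same: a typo that is not a valid range, a range written with host bits set, a range so broad that it no longer restricts anything, and, most painful for the Admin IP Ranges box, a list that does not include the address you are administering from. The function below is an added example (not Mimecast's code) that checks a block of text against those four points before you paste it; it handles IPv4 only, and the sample ranges and the $MyPublicIp value are constructed.

```powershell
# Added example, not Mimecast's code: checks the text you are about to paste into a
# Permitted IP Ranges box (one CIDR range per line) before saving it. Flags lines that
# are not valid a.b.c.d/n ranges, ranges with host bits set and overly broad ranges,
# and confirms that the public IP you will log on from is inside at least one range so
# the change cannot lock you out. IPv4 only; $MyPublicIp and the sample ranges are constructed.

function ConvertTo-IPv4Integer {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 is handled in this example: $Address"
    }
    $b = $ip.GetAddressBytes()   # network byte order, most significant octet first
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function ConvertFrom-IPv4Integer {
    param([Parameter(Mandatory)][long]$Value)
    $octets = foreach ($divisor in 16777216, 65536, 256, 1) { [int]([math]::Floor([double]$Value / $divisor) % 256) }
    return ($octets -join '.')
}

function Test-PermittedIpRanges {
    param(
        [Parameter(Mandatory)][string]$RangesText,   # text box contents, one CIDR per line
        [Parameter(Mandatory)][string]$ClientIp,     # public IP you will administer from
        [int]$WidestAcceptablePrefix = 16            # warn on anything broader than this
    )
    $client  = ConvertTo-IPv4Integer $ClientIp
    $covered = $false
    $valid   = 0
    foreach ($line in ($RangesText -split "`r?`n")) {
        $cidr = $line.Trim()
        if (-not $cidr) { continue }
        if ($cidr -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') {
            Write-Warning "Not a CIDR range (expected a.b.c.d/n): '$cidr'"; continue
        }
        $network = $Matches[1]; $prefix = [int]$Matches[2]
        if ($prefix -gt 32) { Write-Warning "Prefix length must be 0-32: '$cidr'"; continue }
        try { $addr = ConvertTo-IPv4Integer $network } catch { Write-Warning "Bad address in '$cidr'"; continue }

        # Network start/end from the prefix length, using arithmetic rather than bit shifts.
        $blockSize = [long][math]::Pow(2, 32 - $prefix)
        $start = [long][math]::Floor([double]$addr / $blockSize) * $blockSize
        $end   = $start + $blockSize - 1
        if ($start -ne $addr) {
            Write-Warning "'$cidr' has host bits set; the network address is $(ConvertFrom-IPv4Integer $start)/$prefix"
        }
        if ($prefix -lt $WidestAcceptablePrefix) {
            Write-Warning "'$cidr' is very broad (/$prefix); a /0 disables the restriction entirely"
        }
        $valid++
        if ($client -ge $start -and $client -le $end) { $covered = $true }
    }
    return [pscustomobject]@{ ValidRanges = $valid; ClientIp = $ClientIp; ClientCovered = $covered }
}

# Constructed sample input: a correct range, one with host bits set, one with a bad prefix, and a /0.
$MyPublicIp = '203.0.113.25'                  # constructed; use your real egress address
$rangesText = @'
203.0.113.0/24
198.51.100.10/28
192.0.2.0/33
0.0.0.0/0
'@
$result = Test-PermittedIpRanges -RangesText $rangesText -ClientIp $MyPublicIp
$result
if (-not $result.ClientCovered) { Write-Warning "Saving these ranges would lock $MyPublicIp out of the console." }
```

Run it with your actual egress address (the public address your office or VPN presents, not the workstation's private one) before saving the Admin IP Ranges box; the gateway and application range boxes can be checked the same way with the addresses of the mail servers or clients that need to authenticate.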

 

Applying the Authentication Profile to an Application Setting

An Authentication Profile is applied to a group of users, and a user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile. See the Authentication Options space for information on other authentication methods.

Once your Authentication Profile is complete, you need to reference it in an Application Setting so it can be applied. To do this:

  1. Log on to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu.
  3. Select the Application Setting that you want to use.
  4. Use the Lookup button to find the Authentication Profile you want to reference, and click the Select link on the lookup page.
  5. Select Save and Exit to apply the change.

 

Next Steps

When using Service Provider Initiated SAML Authentication your administrators must access the Administration Console using the regional URL. Due to the differences between each Identity Provider's implementation of SAML, Mimecast does not support this authentication type when using the https://login.mimecast.com global URL.

To test your configuration and verify that your Authentication Profile has been configured correctly:

  1. Open a web browser and navigate to the Mimecast Administration Console login page.
  2. Enter your primary email address.
  3. You should be redirected to the AD FS logon URL specified in the Authentication Profile.
  4. If required, log in to your AD FS environment.
  5. You should then be redirected to the Administration Console and granted access.

 

To test Identity Provider Initiated Sign On:

  1. Open your AD FS logon page and log in.
  2. From the published applications page, select the Mimecast Administration Console application you have created.
  3. You should be redirected to the Administration Console and granted access.
