Usually, when you configure Single Sign-On (SSO) with Microsoft Azure Active Directory (Azure AD) as the identity provider, each user's User Principal Name (UPN) and primary email address must be identical for SSO to work: by default Azure AD sends the UPN as the SAML Name ID, while Mimecast expects users to log in with their email address. This guide describes a workaround for tenants where the UPN and primary email address differ and which have Azure AD Premium. It applies to service provider initiated SAML SSO and works for all of our applications that use this type of authentication.
See the Troubleshoot User Name Issues document on the Microsoft website for further information.
Applies To...
Administrators configuring SSO with a mismatched UPN and Primary email address, using Microsoft Azure Premium.
Configuration applies to the following applications:
- Mimecast Administration Console
- Mimecast Personal Portal
- Mimecast End User Applications
Configuring an Azure AD Application
- Log on to the Azure portal and open your Azure AD tenant.
- Navigate to the Enterprise applications | Categories | Add an application menu item.
- Click on Non-Gallery Application.
- Enter a name for the application, e.g. "Mimecast End User Application", and click Add.
- Select SAML-based Sign-on from the Single Sign-on Mode drop down.
- In the Identifier field, enter the value for your region from the table below. The value depends on the Mimecast grid that hosts your organization's account. Replace ACCOUNTCODE with your unique Mimecast account code, as shown on the Administration | Account | Account Settings page of the Administration Console, in capitals, e.g. "CUSA1A1". Azure AD writes this value into the SAML assertion as the Audience, so it must match exactly.

Region         Identifier
Europe         https://eu-api.mimecast.com/sso/ACCOUNTCODE
United States  https://us-api.mimecast.com/sso/ACCOUNTCODE
South Africa   https://za-api.mimecast.com/sso/ACCOUNTCODE
Australia      https://au-api.mimecast.com/sso/ACCOUNTCODE
Offshore       (not listed on this page)

- In the Reply URL field, enter the value for your region from the table below. This is the endpoint Azure AD posts the SAML response to.

Region         Reply URL
Europe         https://eu-api.mimecast.com/login/saml
United States  https://us-api.mimecast.com/login/saml
South Africa   https://za-api.mimecast.com/login/saml
Australia      https://au-api.mimecast.com/login/saml
Offshore       https://jer-api.mimecast.com/login/saml

- In the User Identifier drop down menu, select user.mail. By default Azure AD sends the UPN as the Name ID; selecting user.mail ensures that the Name ID sent to Mimecast in the SAML response is the user's primary email address, which is the address they must log in to Mimecast with. A user whose mail attribute is empty or differs from their Mimecast address cannot be matched, so check that every user you assign to the app has a populated primary email address that matches their Mimecast address.
- Copy the App Federation Metadata URL to the clipboard using the copy button to the right of the field.
Unlike a standard Azure SSO configuration, you need to assign users or groups to the app; only assigned users can sign in through it. To do so:
- Navigate to the Enterprise Applications | All Applications | Users and groups menu item.
- Click on + Add user.
- Use the Search field to find and select the users or groups that should have access to the app. The added users are then displayed.
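To confirm that the Azure AD application is sending what the steps above configure, capture the SAMLResponse form field that the browser posts to the Reply URL (for example from the browser's network tools) and inspect it. The following is an added example, not Mimecast's or Microsoft's code: it decodes the HTTP-POST binding's base64 response and compares the Audience, Destination/Recipient and Name ID against the Identifier, Reply URL and primary email address. The EU grid, the account code CUSA1A1 (the page's example), the user addresses and the tenant ID in the sample response are assumptions, and the constructed sample is unsigned, so this is an inspection aid only; Mimecast itself verifies the signature with the certificate imported from the metadata.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed values for an EU-hosted account using the page's example account
# code CUSA1A1; substitute your own grid and account code.
EXPECTED_IDENTIFIER = "https://eu-api.mimecast.com/sso/CUSA1A1"
EXPECTED_REPLY_URL = "https://eu-api.mimecast.com/login/saml"

# Constructed sample in the shape of an Azure AD response. The tenant ID is a
# placeholder and the document carries no signature; it exists only so the
# inspection logic can be exercised offline.
SAMPLE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def build_sample_response(name_id, audience=EXPECTED_IDENTIFIER, destination=EXPECTED_REPLY_URL):
    """Base64-encode the constructed response the way the HTTP-POST binding does."""
    xml = SAMPLE_TEMPLATE.format(name_id=name_id, audience=audience, destination=destination)
    return base64.b64encode(xml.encode()).decode()


def inspect_saml_response(b64_response):
    """Decode a SAMLResponse value and return the fields that must line up with
    the Azure AD application settings. Raises if the assertion is encrypted."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext <Assertion>; an EncryptedAssertion cannot be inspected this way")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    return {
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "destination": root.get("Destination", ""),
        "recipient": conf.get("Recipient", "") if conf is not None else "",
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "audiences": audiences,
    }


def check_against_config(fields, expected_email, identifier=EXPECTED_IDENTIFIER,
                         reply_url=EXPECTED_REPLY_URL):
    """Return a list of problems; an empty list means the response matches the
    Identifier, Reply URL and user.mail settings this guide configures."""
    problems = []
    if identifier not in fields["audiences"]:
        problems.append(f"Audience {fields['audiences']} does not contain the Identifier {identifier}")
    if fields["destination"] != reply_url:
        problems.append(f"Destination {fields['destination']!r} is not the Reply URL {reply_url}")
    if fields["recipient"] and fields["recipient"] != reply_url:
        problems.append(f"Recipient {fields['recipient']!r} is not the Reply URL {reply_url}")
    # Email comparison is case-insensitive; a UPN here usually means the User
    # Identifier is still user.userprincipalname rather than user.mail.
    if fields["name_id"].lower() != expected_email.lower():
        problems.append(f"NameID {fields['name_id']!r} is not the primary email address {expected_email}")
    return problems


if __name__ == "__main__":
    fields = inspect_saml_response(build_sample_response("jane.doe@example.com"))
    for key, value in fields.items():
        print(f"{key}: {value}")
    print(check_against_config(fields, "jane.doe@example.com") or "response matches configuration")
```

To use it against a real capture, pass the raw SAMLResponse value (URL-decoded) to inspect_saml_response and your own Identifier and Reply URL to check_against_config; a response whose Name ID is still the UPN points at the User Identifier setting, and a wrong Audience or Destination points at the Identifier or Reply URL fields.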
Configuring SAML Settings
- Log on to the Administration Console.
- Navigate to the Administration | Services | Applications menu item.
- Click on Authentication Profiles.
- Select an existing Authentication Profile to update, or click on the New Authentication Profile button to create a new one.
- Enter a Description for the profile.
- Select Enforce SAML Authentication for the application/s you want to enable SSO for:
- Administration Console
- Mimecast Personal Portal
- End User Applications
- Complete the SAML Settings section as follows:

Field / Option                            Value
Provider                                  Select "Azure Active Directory" from the drop down list.
Metadata URL                              Paste the App Federation Metadata URL copied from the Azure AD application, and click the Import button.
Monitor Metadata URL                      Tick this option so that Mimecast picks up future certificate changes and renewals from the metadata URL; otherwise a signing certificate rollover in Azure AD breaks sign-in until the new certificate is imported.
Issuer URL                                Populated automatically once the federation metadata is imported.
Login URL                                 Populated automatically once the federation metadata is imported.
Identity Provider Certificate (Metadata)  Populated automatically once the federation metadata is imported.
Logout URL                                Populated automatically once the federation metadata is imported.

- Check the imported values, then click the Save button to complete the configuration. We recommend you leave both the "Use Password Protected Context" and "Use Integrated Authentication Context" options unchecked, as this allows the client device to choose the appropriate context itself. Enable a specific context option only if you need to always enforce a particular authentication method.
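The Import button reads the IdP metadata document behind the App Federation Metadata URL; the values it fills in come from the EntityDescriptor's entityID, the SingleSignOnService and SingleLogoutService endpoints and the signing KeyDescriptor. The following added example, not Mimecast's code, parses such a document with the standard library and reports those fields together with a SHA-1 thumbprint of each signing certificate, which you can compare with the Thumbprint shown under the application's SAML Signing Certificate in the Azure portal. The metadata embedded below is constructed: the tenant ID is a placeholder and the certificate bytes are not a real X.509 certificate, so only the parsing and fingerprinting are demonstrated. Which SSO binding Mimecast uses for its Login URL is not stated on this page, so both are returned.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Azure AD's SAML issuer is always https://sts.windows.net/<tenant-id>/
AZURE_ISSUER_PREFIX = "https://sts.windows.net/"

# Constructed sample: placeholder tenant ID and placeholder certificate bytes.
SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case hex digest of the DER bytes. SHA-1 is the
    form the Azure portal displays as the certificate Thumbprint."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _locations(idp, tag):
    """Map binding short name (HTTP-Redirect, HTTP-POST) to endpoint Location."""
    return {el.get("Binding", "").rsplit(":", 1)[-1]: el.get("Location")
            for el in idp.findall(f"md:{tag}", NS)}


def parse_idp_metadata(xml_text):
    """Extract the fields the Mimecast Import step populates, plus warnings
    for anything that would make the import unusable or ambiguous."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        certs.append(fingerprint(base64.b64decode("".join(b64.split()))))
    result = {
        "issuer_url": root.get("entityID", ""),
        "login_urls": _locations(idp, "SingleSignOnService"),
        "logout_urls": _locations(idp, "SingleLogoutService"),
        "signing_cert_sha1": certs,
        "warnings": [],
    }
    if not result["issuer_url"].startswith(AZURE_ISSUER_PREFIX):
        result["warnings"].append(f"entityID {result['issuer_url']!r} is not an Azure AD issuer")
    if not result["login_urls"]:
        result["warnings"].append("no SingleSignOnService endpoint: Login URL cannot be populated")
    if not certs:
        result["warnings"].append("no signing certificate: responses cannot be verified")
    elif len(certs) > 1:
        result["warnings"].append("more than one signing certificate: confirm which one was imported")
    return result


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in parsed.items():
        print(f"{key}: {value}")
```

Against a live tenant, fetch the App Federation Metadata URL with any HTTP client and pass the body to parse_idp_metadata; after a certificate rollover the thumbprint list is what changes, which is what the Monitor Metadata URL option is there to track.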
See Also...
- Administration Console: Configuring SSO Using Microsoft Azure AD
- Mimecast Personal Portal: Configuring SSO Using Microsoft Azure AD
- End User Applications: Configuring SSO Using Microsoft Azure AD