Configuring SSO Using Microsoft Azure AD: Miss-Matched UPN to Mail Attribute Troubleshooting

Document created by user.Yo2IBgvWqr Employee on Jan 29, 2018Last modified by user.Yo2IBgvWqr Employee on Apr 10, 2018
Version 8Show Document
  • Comment0
  • View in full screen mode

Usually, when configuring Single Sign-On (SSO) using Microsoft Azure Active Directory (AD) as the identity provider, your UPN and Primary email address must be the same for SSO to work. This guide offers a workaround solution, in the case where your UPN and Primary email address are different, and you're using Azure Premium. It applies to service provider initiated SAML Single Sign-On (SSO) and will work for all of our apps using this type of authentication. 

See the Troubleshoot User Name Issues document on the Microsoft website for further information.

Applies To...


Administrators configuring SSO with a miss-matched UPN and Primary email address, using Microsoft Azure Premium.


Configuration applies to the following applications:

  • Mimecast Administration Console
  • Mimecast Personal Portal
  • Mimecast End User Applications

 

AzureConfiguring an Azure AD Application

 

  1. Log on to your Microsoft Azure AD application.
  2. Navigate to the Enterprise applications | Categories | Add an application menu item.
  3. Click on Non-Gallery Application.
  4. Enter a name for the application, e.g "Mimecast End User Application", and click Add.
  5. Select SAML-based Sign-on from the Single Sign-on Mode drop down.
    SSO Mode
  6. In the Identifier field, enter the value for your region from the table below. The values entered depend on the Mimecast grid where your organization's Mimecast account is hosted.
    RegionValueNote
    Europehttps://eu-api.mimecast.com/sso/ACCOUNTCODE Where ACCOUNTCODE is, enter your unique Mimecast account code as specified in the Administration | Account | Account Settings page of the Administration Console. This should be capitalized, e.g. "CUSA1A1".
    United Stateshttps://us-api.mimecast.com/sso/ACCOUNTCODE 
    South Africahttps://za-api.mimecast.com/sso/ACCOUNTCODE 
    Australiahttps://au-api.mimecast.com/sso/ACCOUNTCODE 
    Offshore

    https://jer-api.mimecast.com/sso/ACCOUNTCODE 

  7. In the Reply URL field, enter the value from your region from the table below.
    RegionValue
    Europehttps://eu-api.mimecast.com/login/saml 
    United Stateshttps://us-api.mimecast.com/login/saml 
    South Africahttps://za-api.mimecast.com/login/saml 
    Australiahttps://au-api.mimecast.com/login/saml 
    Offshorehttps://jer-api.mimecast.com/login/saml 
  8. In the User Identifier drop down menu, select user.mail. This ensures that the Name ID sent to Mimecast in the SAML response is your user's primary email address, which is how they need to log in to Mimecast.
    User Identifier 
  9. On the SAML Signing Certificate page, click on the Metadata XML link and download it.
    Metadata XML
  10. From the Metadata XML download, make note of the following example values. These will be required when configuring SAML settings in the administration console:
    1. Entity ID-
      "https://sts.windows.net/5cd8f006-c6e6-5721-afb1-d4bd69b60c47/
    2. Certificate-<X509Certificate>MIIC3DCCAcSgAwIBAgIQHqAkDy1L14lAkASjg4AlrzANBgkqhkiG9w0BAQsFADAqMSgwJgYDVQQDEx9BREZTIFNpZ25pbmcgLSBhZGZzLm15c2RsYWIuY29tMB4XDTE3MTEwMzE5NDExOVoXDTE4MTEwMzE5NDExOVowKjEoMCYGA1UEAxMfQURGUyBTaWduaW5nIC0gYWRmcy5teXNkbGFiLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN1Xbr+Xv/ZEVf07waq2Tj/hZVgH2ZzJM8SbJtz/YiUzIviKDUQup2Pv7NZRCArtexZ0wC9aWSDZhCo4ehxs2GrkUlxIJyhxVxyFDwcJXO5C9aCg0cPY48qO0ghM5k9xfxTOMIZ/CuLR+08+DK5vVdt6VtWure/79EJZLgbQQGeHdyWLOIpxFHNgWVucrEUnL3901xvcedtvszXnnY9ycw7U57hlsHU19NP2lU4jubNa+7V3JxWE0VVQmwAPmSucubfjRnzxqwD/xCL93vD2T9dbYERHX5VLy9oZMV5ykWhwXj+mAHjLpXEco9pLdJx1YUAEa81UBhMs4LYLi1kT6e8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAyfbmnuVGnOtUyH+Jhz8jSYuQ78XHt/ibha0qUDC0WFlvJOt2ZDdoCeqmLkXN1nWnlqfYByOk+PQZiEbXvx9wxMtIIHEbkXHA3wY3lN6y7ZwQWudGWwPHkCl5wcm2E9brN1mtvGklYEscXSeYtNcHVZKrHwSr99cl9qtrOzSwprs17QDLqgG+ohWPDvHlOrlJmBJ5ORl8tCZrtFfsS7j94fm+FkVnlkpT+K69DNku8DhRtzvRaNfOCsdw+9zA3D0lSDIhayNJbVXRWnLb+TDqImDVxhDRL8pG4hn7zEoC3y6FwOCx+sNkl07OAP59sbhD+oc0vJ8SU3S3rDK31b3rxA==</X509Certificate> 
    3. Single Sign On service location-
      "https://login.microsoftonline.com/5cd8f006-c6e6-5721-afb1-d4bd69b60c47/saml2"
  11. User IdentifierYou'll need to assign users / groups to access the app, unlike the normal configuration of Azure SSO. To do so:
    1. Navigate to the Enterprise Applications | All Applications | Users and groups menu item.
    2. Click on + Add user.
    3. Use the Search field to search and select user/s or group/s to give access to the app. The added users display.

 

Configuring SAML Settings

 

  1. Log on to the Administration Console.
  2. Navigate to the Administration | Services | Applications menu item. 
  3. Click on Authentication Profiles.
  4. Select an existing Authentication Profile to update, or click on the New Authentication Profile button to create a new one.
  5. Enter a Description for the profile.
  6. Select Enforce SAML Authentication for the application/s you want to enable SSO for:
    • Administration Console
    • Mimecast Personal Portal
    • End User Applications
  7. Complete the SAML Settings section as follows:
    Field / OptionValue
    ProviderSelect "Azure Active Directory" from the drop down list.
    Metadata URLSpecify the "Federation Metadata Document" value from the App registrations | Endpoints menu item in Azure Active Directory, and click on the Import button.
    Monitor Metadata URLLeave this field blank.
    Issuer URLEnter the "Entity ID" value, as per the example shown in step 10a in the Metadata XML download section above, e.g. "https://sts.windows.net/5cd8f006-c6e6-5721-afb1-d4bd69b60c47/".
    Login URLEnter "Single Sign On service location" value, as per the example shown in step 10c in the Metadata XML download section above, e.g. "https://login.microsoftonline.com/5cd8f006-c6e6-5721-afb1-d4bd69b60c47/saml2".
    Identity Provider Certificate (Metadata)Enter the "Certificate" value from the Metadata XML file, excluding "</X509Certificate>" and "<X509Certificate>", as per the example in step 10b in the "Configuring an Azure AD Application" section above.
    Logout URLLeave blank. We only support basic URL redirect logout methods. Azure AD requires a more advanced method that we do not currently support.
     
  8. Your SAML settings should look similar to the below. When you're ready, click the Save button to complete configuration.
    SAML Settings

 

See Also...

 

 

 

 

Attachments

    Outcomes