Mimecast Administration Console SAML Single Sign-On (SSO)

With CyberArk as your identity service, you can choose single-sign-on (SSO) access to the Mimecast Administration Console web application with IdP-initiated SAML SSO (for SSO access through the CyberArk Identity User Portal) or SP-initiated SAML SSO (for SSO access directly through the Mimecast Administration Console web application) or both. Providing both methods gives you and your users maximum flexibility.

If Mimecast Administration Console is the first application you are configuring for SSO through CyberArk Identity, read these topics before you get started:

Mimecast Administration Console SSO Requirements

Before you can configure Mimecast Administration Console for SSO, you need the following:

  • An active Mimecast Administration Console account for your organization.
  • A user account that can log in to the Mimecast Administration Console.
  • A two-letter Mimecast Region Code for your Mimecast account. If you need assistance finding your region code, contact Mimecast.
  • A signed certificate. You can either download one from the Admin Portal or use your organization’s trusted certificate.

Add Mimecast Administration Console in the Admin Portal

To add the Mimecast Administration Console application in the Admin Portal

  1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.

    The Add Web Apps screen appears.

  2. On the Search tab, enter Mimecast Administration in the Search field and click the search icon.

  3. Next to Mimecast Administration, click Add.

  4. In the Add Web App screen, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The Mimecast Administration application opens to the Settings page.

Configure Mimecast Administration Console for single sign-on

The following steps are specific to the Mimecast Administration Console application and are required to enable SSO for Mimecast Administration Console. For information on optional configuration settings available in the Admin Portal, see Configure optional application settings.

To configure Mimecast Administration Console for SSO

  1. In your web browser, go to the following URL and sign in as Admin:

    https://<your_subdomain>.mimecast.com/mimecast/admin

    It is helpful to open the Mimecast Administration Console web application and the Admin Portal Application Settings window simultaneously to copy and paste settings between the two browser windows.
  2. Go to Administration > Services > Applications > Authentication Profiles.
  3. Edit an existing authentication profile or create a new profile.
  4. Select the check box for Enforce SAML Authentication for Mimecast Administration Console.
  5. Configure the following settings (in the Mimecast Administration Console web application and the Admin Portal Trust page).

    The arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field on the Mimecast Administration Console website and paste it into the corresponding field in the CyberArk Identity Admin Portal.

    | Admin Portal > Trust | Copy/Paste Direction | SAML Configuration for Mimecast Administration Console | What you do |
    |---|---|---|---|
    | Your Mimecast Region Code | N/A | | Enter the region code provided by Mimecast. |
    | Your Mimecast Account Code | ← | Account Code | 1. In Mimecast Administration Console, click on your name at top-right corner. 2. Go to Account and Support Details. 3. Copy the Account Code and paste it in the CyberArk Identity Admin Portal. |
    | | N/A | Provider | Select CyberArk. |
    | (Identity Provider) Metadata URL | → | Metadata URL | 1. Copy the URL in the CyberArk Identity Admin Portal and paste it here. 2. Click the Import button next to the Metadata URL field. |
    | | N/A | Monitor Metadata URL | (Optional) Select this option to enable automatic periodic monitoring and updating of IdP Metadata by Mimecast. |
    | Issuer URL | → | | This field should be automatically populated when you import the Metadata URL. If you need to enter it manually, you can copy from the Application Settings page in the Admin Portal and paste here. |
    | | N/A | Identity Mapping | The default value is EMAIL. Note: If you change this to any other value, you must also configure Account Mapping in CyberArk Identity to map users properly. |
    | Login URL | → | Login URL | This field should be automatically populated when you import the Metadata URL. If you need to enter it manually, you can copy from the Application Settings page in the Admin Portal and paste here. |
    | Logout URL | → | Logout URL | This field should be automatically populated when you import the Metadata URL. If you need to enter it manually, you can copy from the Application Settings page in the Admin Portal and paste here. |
    | Download Signing Certificate | → | Identity Provider Certificate (Metadata) | This field should be automatically populated when you import the Metadata URL. If you need to enter it manually: 1. Click Download for the Signing Certificate on the Application Settings page in the Admin Portal. 2. Open the file in a text editor. 3. Copy only the part of the file between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. 4. Paste it in Identity Provider Certificate (Metadata). |
    | | N/A | Allow Single Sign On | (Optional) Select this check box if you want to use IdP-initiated SSO. |
    | | N/A | Use Password Protected Context | Select this check box. |
    | | N/A | Use Integrated Authentication Context | If your CyberArk Identity tenant uses Integrated Windows Authentication (IWA), select this check box. |

  6. Click Save.
  7. In the browser window you have open to the Mimecast Administration Console web application, go to Administration > Services > Applications.
  8. Select the application you want to configure for SAML.
  9. Click the Lookup button next to the Authentication Profile field.
  10. Click Select next to the authentication profile that you just configured for SAML.
  11. Click Save and Exit to apply the change.
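
The table above says the Issuer URL, Login URL, Logout URL and signing certificate are filled in when Mimecast imports the Metadata URL. The following is an added example, not code from CyberArk or Mimecast, that reads the same values out of a SAML IdP metadata document and checks that a downloaded PEM file carries the same certificate, so the imported fields can be verified by hand. It assumes the standard SAML 2.0 metadata elements; the function names, the `example.test` URLs and the placeholder certificate bytes are constructed for the illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_body(pem_text):
    """Base64 text between the BEGIN/END CERTIFICATE lines (the part to paste)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    start = lines.index("-----BEGIN CERTIFICATE-----")
    end = lines.index("-----END CERTIFICATE-----")
    body = "".join(lines[start + 1:end])
    base64.b64decode(body, validate=True)  # raises if the body is not clean base64
    return body

def parse_idp_metadata(xml_text):
    """Fields the metadata import is described as populating, for manual comparison."""
    root = ET.fromstring(xml_text)  # stdlib parser; the sample below is embedded, not fetched
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    def location(tag):
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None
    certs = ["".join(c.text.split()) for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.iterfind(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata has no signing certificate")
    return {"issuer_url": root.get("entityID"), "certificate": certs[0],
            "login_url": location("SingleSignOnService"),
            "logout_url": location("SingleLogoutService")}

def cert_matches(pem_text, metadata):
    """True when the downloaded PEM and the metadata carry the same certificate."""
    return pem_body(pem_text) == metadata["certificate"]

# Constructed sample data: placeholder bytes and example.test URLs, not a real tenant.
B64 = base64.b64encode(b"constructed placeholder, not an X.509 certificate " * 3).decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{B64[:64]}\n{B64[64:]}\n-----END CERTIFICATE-----\n"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
 entityID="https://idp.example.test/issuer">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
 {B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleLogoutService Binding="{BIND}" Location="https://idp.example.test/logout"/>
 <md:SingleSignOnService Binding="{BIND}" Location="https://idp.example.test/login"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Run `parse_idp_metadata` on the XML saved from the Metadata URL and compare each returned value with what the Mimecast authentication profile shows after the import.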

For more information about Mimecast Administration Console

For additional information see the following:

Mimecast Administration Console Specifications

Each SAML application is different. The following table lists features and functionality specific to Mimecast Administration Console.

| Capability | Supported? | Support details |
|---|---|---|
| Web browser client | Yes | |
| Mobile client | No | Mimecast has a mobile app named Mimecast Mobile, but it is not the same thing as the Mimecast Administration Console. |
| SAML 2.0 | Yes | |
| SP-initiated SSO | Yes | |
| IdP-initiated SSO | Yes | To enable IdP-initiated SSO, select the Allow Single Sign On check box. |
| Force user login via SSO only | Yes | |
| Separate administrator login after SSO is enabled | No | |
| User or Administrator lockout risk | Yes | |
| Automatic user provisioning | No | |
| Multiple User Types | No | |
| Self-service password | Yes | |
| Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application. |