Mimecast Personal Portal SAML Single Sign-On (SSO)

With CyberArk as your identity service, you can choose single-sign-on (SSO) access to the Mimecast Personal Portal web application with IdP-initiated SAML SSO (for SSO access through the Identity User Portal) or SP-initiated SAML SSO (for SSO access directly through the Mimecast Personal Portal web application) or both. Providing both methods gives you and your users maximum flexibility.

If Mimecast Personal Portal is the first application you are configuring for SSO through CyberArk Identity, read these topics before you get started:

Mimecast Personal Portal SSO Requirements

Before you can configure Mimecast Personal Portal for SSO, you need the following:

  • An active Mimecast Administration Console account for your organization.
  • A user account that can log in to the Mimecast Administration Console.
  • A two-letter Mimecast Region Code for your Mimecast account.

    If you need assistance finding your region code, contact Mimecast.
  • A Mimecast Personal Portal account.
  • A signed certificate.

    You can either download one from the Identity Administration portal or use your organization’s trusted certificate.

Configure Mimecast Personal Portal in the Identity Administration portal

To add and configure the Mimecast Personal Portal application in the Identity Administration portal:

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Configure Mimecast Personal Portal for single sign-on

The following steps are specific to the Mimecast Personal Portal application and are required to enable SSO for Mimecast Personal Portal. For information on optional configuration settings available in the Identity Administration portal, see Configure optional application settings.

To configure Mimecast Personal Portal for SSO

  1. In your web browser, go to the Mimecast Administration Console at the following URL and sign in as Admin:

    https://<your_subdomain>.mimecast.com/mimecast/admin
    It is helpful to open the Mimecast Administration Console web application and the Identity Administration portal Application Settings window simultaneously to copy and paste settings between the two browser windows.
  2. Go to Administration > Services > Applications > Authentication Profiles.
  3. Edit an existing authentication profile or create a new profile.
  4. Select the check box for Enforce SAML Authentication for Mimecast Personal Portal.
  5. Configure the following settings (in the Mimecast Personal Portal web application and the Identity Administration portal Application Settings window).

    The arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field on the Mimecast Personal Portal website and paste it into the corresponding field in the Identity Administration portal.

    | Identity Administration portal > Application Settings | Copy/Paste Direction | SAML Configuration for Mimecast Personal Portal | What you do |
    |---|---|---|---|
    | Your Mimecast Region Code | N/A | | Enter the region code provided by Mimecast. |
    | Your Mimecast Account Code | ← | Account Code | 1. In Mimecast Administration Console, click your name in the top-right corner. 2. Go to Account and Support Details. 3. Copy the Account Code and paste it in the Identity Administration portal. |
    | | N/A | Provider | Select CyberArk. |
    | (Identity Provider) Metadata URL | → | Metadata URL | 1. Copy the URL in the Identity Administration portal and paste it here. 2. Click the Import button next to the Metadata URL field. |
    | | N/A | Monitor Metadata URL | (Optional) Select this option to enable automatic periodic monitoring and updating of IdP Metadata by Mimecast. |
    | Issuer URL | → | | This field should be automatically populated when you import the Metadata URL. If you need to enter it manually, you can copy from the Application Settings page in the Identity Administration portal and paste here. |
    | | N/A | Identity Mapping | The default value is EMAIL. Note: If you change this to any other value, you must also configure Account Mapping in CyberArk Identity to map users properly. |
    | Login URL | → | Login URL | This field should be automatically populated when you import the Metadata URL. If you need to enter it manually, you can copy from the Application Settings page in the Identity Administration portal and paste here. |
    | Logout URL | → | Logout URL | This field should be automatically populated when you import the Metadata URL. If you need to enter it manually, you can copy from the Application Settings page in the Identity Administration portal and paste here. |
    | Download Signing Certificate | → | Identity Provider Certificate (Metadata) | This field should be automatically populated when you import the Metadata URL. If you need to enter it manually: 1. Click Download for the Signing Certificate on the Application Settings page in the Identity Administration portal. 2. Open the file in a text editor. 3. Copy only the part of the file between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. 4. Paste it in Identity Provider Certificate (Metadata). |
    | | N/A | Allow Single Sign On | (Optional) Select this check box if you want to use IdP-initiated SSO. |
    | | N/A | Use Password Protected Context | Select this check box. |
    | | N/A | Use Integrated Authentication Context | If your CyberArk Identity tenant uses Integrated Windows Authentication (IWA), select this check box. |

  6. Click Save.
  7. In the browser window you have open to the Mimecast Administration Console web application, go to Administration > Services > Applications.
  8. Select the application you want to configure for SAML.
  9. Click the Lookup button next to the Authentication Profile field.
  10. Click Select next to the authentication profile that you just configured for SAML.
  11. Click Save and Exit to apply the change.
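
The following is an added example, not CyberArk or Mimecast code: a Python check that the signing certificate pasted in step 5 is the one the IdP metadata publishes, and that lists the Issuer URL, Login URL and Logout URL values the metadata import should populate. The function names, the example.invalid URLs and the placeholder certificate bytes are constructed for illustration, and the code assumes the first listed SSO and logout endpoints are the ones in use.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_body(pem_text):
    """Base64 text between the BEGIN/END CERTIFICATE lines (what step 3 copies)."""
    lines = [line.strip() for line in pem_text.splitlines()]
    start = lines.index("-----BEGIN CERTIFICATE-----")  # ValueError if marker is cut off
    end = lines.index("-----END CERTIFICATE-----")
    return "".join(lines[start + 1:end])

def fingerprint(b64_text):
    """SHA-256 over the decoded DER bytes, so line wrapping does not matter."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def idp_settings(metadata_xml):
    """Map IdP metadata onto the Mimecast authentication profile fields."""
    root = ET.fromstring(metadata_xml)  # parse only metadata fetched from your own tenant
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = idp.iterfind(".//ds:X509Certificate", NS)
    # Assumption: the first listed endpoint of each kind is the one in use.
    return {"Issuer URL": root.get("entityID"),
            "Login URL": idp.find("md:SingleSignOnService", NS).get("Location"),
            "Logout URL": idp.find("md:SingleLogoutService", NS).get("Location"),
            "Certificate fingerprints": {fingerprint(c.text) for c in certs}}

def certificate_matches(pem_text, metadata_xml):
    """True if the downloaded signing certificate is one the metadata publishes."""
    published = idp_settings(metadata_xml)["Certificate fingerprints"]
    return fingerprint(pem_body(pem_text)) in published

# Constructed sample data: placeholder bytes, not a real certificate or tenant.
SAMPLE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate" * 2).decode()
SAMPLE_PEM = "\n".join(["-----BEGIN CERTIFICATE-----", SAMPLE_B64[:64], SAMPLE_B64[64:],
                        "-----END CERTIFICATE-----", ""])
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/issuer"><md:IDPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Location="https://idp.example.invalid/logout"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <md:SingleSignOnService Location="https://idp.example.invalid/login"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
```

A mismatch between the downloaded certificate and the metadata means the profile would trust a different signing key than the one the tenant publishes, so resolve it before enforcing SAML authentication.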

For more information about Mimecast Personal Portal

For additional information see the following:

Mimecast Personal Portal Specifications

Each SAML application is different. The following table lists features and functionality specific to Mimecast Personal Portal.

| Capability | Supported? | Support details |
|---|---|---|
| Web browser client | Yes | |
| Mobile client | No | Mimecast has a mobile app named Mimecast Mobile, but it is not the same thing as the Mimecast Personal Portal. |
| SAML 2.0 | Yes | |
| SP-initiated SSO | Yes | |
| IdP-initiated SSO | Yes | To enable IdP-initiated SSO, select the Allow Single Sign On check box. |
| Force user login via SSO only | Yes | |
| Separate administrator login after SSO is enabled | No | |
| User or Administrator lockout risk | Yes | |
| Automatic user provisioning | No | |
| Multiple User Types | No | |
| Self-service password | Yes | |
| Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Identity Administration portal Policy page to restrict access to the application. |