Configuration Guides

Configuring SAML SSO with Mimecast and PingOne

Learn how to enable Mimecast sign-on from the PingOne console (IdP-initiated sign-on) and direct Mimecast sign-on using PingOne (SP-initiated sign-on).

Before you begin

  • Link PingOne to an identity repository containing the users requiring application access.

  • Populate Mimecast with at least one user to test access.

  • You must have administrative access to PingOne and a Super Admin account for an Enterprise Organization on Mimecast.

Add the Mimecast application to PingOne

  1. In PingOne, go to Connections → Applications and click the + icon.

  2. When you’re prompted to select an application type, select WEB APP and then click Configure next to SAML for the chosen connection type.

  3. Enter Mimecast as the application name.

  4. Enter a suitable description.

  5. Optional: Upload an icon.

  6. Click Next.

  7. For Provide App Metadata, select Enter Manually.

  8. In the ACS URL field, enter https://account-hosting-location-api.mimecast.com/login/saml.

  9. Select the Signing Key to use and then click Download Signing Certificate to download as X509 PEM (.crt).

  10. For Entity ID, enter https://account-hosting-location-api.mimecast.com.accountcode.

  11. Leave SLO Endpoint and SLO Response Endpoint blank.

  12. In the Subject NameID Format list, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  13. Enter a suitable value for Assertion Validity Duration (in seconds). A value of 300 seconds is typical.

  14. Click Save and Continue.

  15. Mimecast expects an email address to identify a user in the SSO security assertion:

    • If you use an email address to sign on through PingOne, click Save and Close.

    • If you sign on with a username, in the PingOne User Attribute list, select Email Address to map that to the SAML_SUBJECT, then click Save and Close.

  16. Click the toggle to enable the application.

  17. On the Configuration tab of the newly-created Mimecast application, copy and save the IDP Metadata URL value.

    You’ll need this metadata when configuring SAML on Mimecast.

Add PingOne as identity provider (IdP) in Mimecast

  1. Sign on to Mimecast with an Admin account for your Enterprise Organization.

  2. Go to Administration → Services → Applications.

  3. Select Authentication Profiles.

  4. Select New Authentication Profile.

  5. Enter a Description for the new profile.

  6. Select Enforce SAML Authentication for Administration Console.

  7. For Provider, select Other.

  8. In the Metadata URL field, enter the URL value that you copied previously.

  9. Go to Administration → Services → Applications.

  10. Click Lookup to find the authentication profile that you created.

  11. Click Save and Exit.

Test the PingOne IdP integration

  1. Go to the PingOne Application Portal and sign on with a user account.

    In the Admin console, go to Dashboard → Environment Properties to find the PingOne Application Portal URL.

  2. Click the Mimecast icon.

    You’re redirected to the Mimecast website and logged in with SSO.

Test the PingOne SP integration

  1. Go to login.mimecast.com, and choose the option to sign on with SSO. Enter your email address only.

  2. In the PingOne sign-on prompt, enter your PingOne username and password.

    You’re redirected back to Mimecast and signed on.
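
If either test fails, compare a captured assertion against the values entered in PingOne (ACS URL, Entity ID, Subject NameID Format, Assertion Validity Duration). The script below is an added example, not part of the original guide or of PingOne or Mimecast tooling; the sample assertion is constructed, the URLs are the guide's placeholders, and the function name check_assertion is hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholder values exactly as written in the guide; substitute your own.
ACS_URL = "https://account-hosting-location-api.mimecast.com/login/saml"
ENTITY_ID = "https://account-hosting-location-api.mimecast.com.accountcode"

# Constructed, unsigned sample assertion (not real PingOne output).
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, max_validity=300):
    """Return a list of mismatches against the settings entered in PingOne.

    Configuration check only: the signature is not verified here, and the
    stdlib parser should be swapped for defusedxml on untrusted input.
    """
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient does not match the ACS URL")
    if ENTITY_ID not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience does not match the Entity ID")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter") or not root.get("IssueInstant"):
        problems.append("IssueInstant or Conditions/NotOnOrAfter missing")
    else:
        lifetime = (_ts(cond.get("NotOnOrAfter")) - _ts(root.get("IssueInstant"))).total_seconds()
        if lifetime > max_validity:
            problems.append(f"validity {lifetime:.0f}s exceeds {max_validity}s")
    return problems
```

An empty list means the assertion matches the configured values; each string names the setting to recheck in the PingOne application.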