Configuring SAML SSO with Mimecast and PingFederate
Learn how to enable Mimecast sign-on from PingFederate (IdP-initiated sign-on) and direct Mimecast sign-on using PingFederate (SP-initiated sign-on).
Before you begin
- Configure PingFederate to authenticate against an identity provider (IdP) or datastore containing the users requiring application access.
- Populate Mimecast with at least one user to test access.
- You must have administrative access to PingFederate.
Create the Mimecast metadata
- In PingFederate, create a service provider (SP) connection for Mimecast:
  - Configure the connection using the Browser SSO profile with SAML 2.0.
  - Set Partner's Entity ID to `your-Mimecast-account-hosting-location-api.mimecast.com.accountcode`.
  - Enable the following SAML profiles:
    - IdP-Initiated SSO
    - SP-Initiated SSO
  - In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfilment, map SAML_SUBJECT to your email attribute.
  - In Protocol Settings: Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to `https://your-Mimecast-account-hosting-location-api.mimecast.com/sign on/saml`.
  - In Protocol Settings: Allowable SAML Bindings, enable POST.
  - In Credentials: Digital Signature Settings, select the PingFederate Signing Certificate.
- Note the metadata URL for the newly created Mimecast SP connection.
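The SP connection settings above (Partner's Entity ID, a POST-bound ACS endpoint, a signed assertion and SAML_SUBJECT mapped to email) determine what a valid response to Mimecast looks like on the wire. The following script is an added example, not part of the Ping Identity or Mimecast documentation: it compares a decoded SAMLResponse with those settings; the response XML it parses is constructed for illustration, and the entity ID and ACS URL are the placeholders from the procedure above.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Placeholders copied from the procedure above; replace them with your account's values
ENTITY_ID = "your-Mimecast-account-hosting-location-api.mimecast.com.accountcode"
ACS_URL = "https://your-Mimecast-account-hosting-location-api.mimecast.com/sign on/saml"
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def check_response(xml_text: str, entity_id: str, acs_url: str) -> list[str]:
    """Return the mismatches between a decoded SAMLResponse and the SP settings (empty = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    dest = root.get("Destination")
    if dest != acs_url:  # Protocol Settings: Assertion Consumer Service URL
        problems.append(f"Destination {dest!r} does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    if assertion.find("ds:Signature", NS) is None:  # Credentials: Digital Signature Settings
        problems.append("Assertion is not signed")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:  # Partner's Entity ID
        problems.append(f"Audience {audience!r} does not match the Partner's Entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not EMAIL_RE.fullmatch(name_id):  # SAML_SUBJECT must carry the email attribute
        problems.append(f"SAML_SUBJECT {name_id!r} is not an email address")
    return problems


def sample_response(name_id: str, signed: bool = True, audience: str = ENTITY_ID) -> str:
    """Constructed test input, not real PingFederate output; the Signature element is a stub."""
    sig = "<ds:Signature><ds:SignatureValue>STUB</ds:SignatureValue></ds:Signature>" if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Issuer>https://pingfederate.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">{sig}
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

To check a real response, base64-decode the SAMLResponse form field posted to the ACS endpoint and pass the XML to `check_response` with your own entity ID and ACS URL; the script only compares fields and does not verify the XML signature itself.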
Add the PingFederate connection to Mimecast
- Sign on to the Mimecast console as an administrator.
- Select Administration in the left-hand pane.
- Click the Services tab.
- Select Application Settings.
- Select Authentication Profiles.
- Click New Authentication Profile.
- Select the Enforce SAML Authentication for Administration Console option. The page expands to reveal the SAML Settings.
- Under Provider, select Other.
- Enter the Metadata URL of the Mimecast SP connection in PingFederate.
Test the PingFederate IdP-initiated SSO integration
- Go to the PingFederate SSO Application Endpoint for the Mimecast SP connection.
- Authenticate with PingFederate. You're redirected to your Mimecast domain.
Test the PingFederate SP-initiated SSO integration
- Sign on to Mimecast.
- After you're redirected to PingFederate, enter your PingFederate username and password. After successful authentication, you're redirected back to Mimecast.