Configuring SAML SSO with Mimecast and PingFederate

Page created: 22 Dec 2021 |

Page updated: 23 Sep 2022

| 2 min read

PingFederate Product Single Sign-on (SSO) Capability SAML Standards, specifications, and protocols

Learn how to enable Mimecast sign on from PingFederate (IdP-initiated sign on) and direct Mimecast sign on using PingFederate (SP-initiated sign on).

Configure PingFederate to authenticate against an identity provider (IdP) or datastore containing the users requiring application access.
Populate Mimecast with at least one user to test access.
You must have administrative access to PingFederate.

Create the Mimecast metadata:
1. In PingFederate, create a service provider (SP) connection for Mimecast:
  1. Configure using Browser SSO profile SAML 2.0.
  2. Set Partner’s Entity ID to <your Mimecast account hosting location>-api.mimecast.com.<accountcode>.
  3. Enable the following SAML profiles.
    - IdP-Initiated SSO
    - SP-Initiated SSO
  4. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfilment, map the SAML_SUBJECT to your email attribute.
  5. In Protocol Settings: Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to https://<your Mimecast account hosting location>-api.mimecast.com/sign on/saml.
  6. In Protocol Settings: Allowable SAML Bindings, enable POST.
  7. In Credentials: Digital Signature Settings, select the PingFederate Signing Certificate.
    Note:
    Note the metadata URL for the newly-created Mimecast SP connection.
Add the PingFederate connection to Mimecast:
1. Sign on to the Mimecast console as an administrator.
2. Select Administration on the lefthand pane.
3. Click the Services tab.
4. Select Application Settings.
5. Select Authentication Profiles.
6. Click New Authentication Profile.
7. Select the Enforce SAML Authentication for Administration Console option.
  
  The page expands to reveal the SAML Settings.
8. Under Provider, select Other.
9. Enter the Metadata URL for the Mimecast SP Connector in PingFederate.
Test the PingFederate IdP-initiated SSO integration:
1. Go to the PingFederate SSO Application Endpoint for the Mimecast SP connection.
2. Authenticate with PingFederate.
  
  You're redirected to your Mimecast domain.
Test the PingFederate SP-initiated SSO integration:
1. Go to https://app.mimecast.com/auth/login.
2. After you’re redirected to PingFederate, enter your PingFederate username and password.
  
  After successful authentication, you’re redirected back to Mimecast.

Configuring SAML SSO with Mimecast and PingFederate - PingFederate

Configuration Guides