:orphan:

*************************
Mimecast SAML Integration
*************************

Introduction
************

This article describes how to configure Mimecast to work with AuthControl Sentry.

.. include:: HowToCreateSAMLKeysOnCMI.rst

.. include:: CheckPasswordWithRepositoryLocalAgent.rst

Setup SSO on Mimecast
*********************

To configure the SSO settings on your Mimecast account, open your Admin console at \https://console-uk-2.mimecast.com/mimecast/admin

You should see an Admin console with a "Services" option similar to the one below:

.. image:: images/Integration/SAML/Mimecast/Mimecast_admin_console.png

When you click on Services you will be shown different profiles. Click the "Authentication Profiles" button and select the user group for which to use SSO. For this example we are using "Swivel Users".

.. image:: images/Integration/SAML/Mimecast/Mimecast_auth_page.png

After clicking on the authentication profile, fill in the details for your AuthControl Sentry:

* Set the Login, Logout URLs below, where is the public DNS entry of your Swivel AuthControl Sentry server, e.g. "swivel.mycompany.com". If you do not have a redirect from port 443 to 8443 in place, you may need to include a port number, e.g. swivel.mycompany.com:8443
* "Sign-in page URL" - \https:///sentry/saml20endpoint
* "Sign-out page URL" - \https:///sentry/singlelogout

Now navigate to your AuthControl Sentry metadata page (\https:///sentry/metadata/generatedMetadata.xml) and copy the content of this page.

.. image:: images/Integration/SAML/Mimecast/Metadata_mime.png

Return to the Mimecast setup and make the following changes:

* "Identity Provider Certificate (Metadata)" - Paste the metadata copied from your AuthControl Sentry
* After you have entered all the details as above, click Save and Exit at the top of the page
* For more information, see the screenshot below

.. image:: images/Integration/SAML/Mimecast/Mimecast_authentication_profile.png

Setup AuthControl Sentry Application definition
***********************************************

.. note:: You must have set up Mimecast SSO prior to defining this Application entry within AuthControl Sentry. This is so that you are able to populate the "Endpoint URL" field.

Log in to the AuthControl Sentry Administration Console. Click "Applications" in the left-hand menu. To add a new Application definition for Mimecast, click the Add Application button and select SAML - Mimecast.

.. image:: images/Integration/SAML/Mimecast/MimecastApplication.jpg

Configure the Application entry as follows:

* "Name": Mimecast
* "Image": Mimecast.png (selected by default)
* "Points": 100 (the number of points the user needs to score from their Authentication Method in order to successfully authenticate to this Application)
* "Portal URL": the Mimecast login URL, which you can usually access at \https://login-uk.mimecast.com/m/portal/login (note that the URL might be different for other countries)
* "Entity URL": N/A
* "Entity ID": eu-api.mimecast.com.ACCOUNT_NUMBER (the Entity ID is eu-api.mimecast.com. followed by an Account Number, such as eu-api.mimecast.com.C75A125; the Account Number can be found on the Mimecast Admin Console)
* "Federated id": email

Setup AuthControl Sentry Authentication definition
**************************************************

As an example, here we will be using Turing authentication as the Primary method required for Mimecast authentication.

Log in to the AuthControl Sentry Administration Console. Click Authentication Methods in the left-hand menu.

Click the Edit button against the Turing option in the list of Authentication Methods.

Give this Authentication Method 100 points. This will mean that when a login attempt is made to the Mimecast Application, this Authentication Method will be offered during login.

(Please read about AuthControl Sentry Rules and familiarize yourself with AuthControl Sentry [[SentryUserGuide|here]])

Testing authentication to Mimecast
**********************************

This should be the final step after all previous elements have been configured.

In a web browser, visit the URL that you set up on AuthControl Sentry as Endpoint URL, e.g. \https://login-uk.mimecast.com/logon

Alternatively, you can visit your AuthControl Sentry page using the public DNS entry of your Swivel AuthControl Sentry server, e.g. \https://mycompanysentrydomain/sentry/startPage

On the Start Page you will see a new Mimecast icon, which you can click to proceed with authentication (as you would by going straight to the Mimecast page).

.. image:: images/Integration/SAML/SentryStartup1.png

When you visit this URL you will notice that the domain should redirect to the identity provider login URL that you set up.

.. image:: images/Integration/SAML/Mimecast/Mimecast_redirect.jpg

Once you have submitted your username, you should be presented with the page of the Authentication Method which can score enough points to match the points required by the Mimecast Application definition.

In this login example we are using the email as a username.

.. image:: images/Integration/SAML/Mimecast/MimecastUsername.jpg

After we enter the username we are prompted with another authentication method (in this example we use Turing).

.. image:: images/Integration/SAML/Mimecast/MimecastTuring.jpg

After we enter our authentication credentials we will see the Mimecast account that we tried to access.

.. image:: images/Integration/SAML/Mimecast/Mimecast_logged.jpg

Troubleshooting
***************

There are various logging components available for this particular integration which can aid in diagnosis at different points during authentication.

* The Swivel Core has a Log Viewer menu item which can reveal information concerning user status, e.g. is the user locked, has a session been started for the image request;
* The Swivel AuthControl Sentry has a View Log menu item which provides details about the SAML assertion and response received from Mimecast

When troubleshooting, it is crucial to pinpoint where the authentication is failing. For example, you may find that the Swivel Core logs show a successful authentication (which would indicate that the user has entered their Password and OTC correctly), but the AuthControl Sentry logging shows that there is a problem with the SAML assertion.

Two common issues which can be diagnosed with the validator are:

* Certificate or decryption issues;
* Can AuthControl Sentry find the Certificate locally, and is it the correct one?
* Has the correct Metadata been uploaded to Mimecast?
* Does the Repository -> Attribute name being used actually map to a Repository attribute? Has a User Sync occurred in the Swivel Core since modifying this?
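
The certificate and metadata questions above can be checked offline by comparing the signing-certificate fingerprint in the metadata AuthControl Sentry serves with the copy pasted into Mimecast. The following Python is an added example, not Swivel or Mimecast code; the sample metadata, its entityID and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize_idp_metadata(xml_text):
    """Return entityID, SSO endpoints and signing-certificate SHA-256 fingerprints."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 identity provider metadata")
    prints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute: key serves both purposes
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(hashlib.sha256(der).hexdigest())
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_sha256": sorted(prints)}

def same_signing_certs(served_xml, pasted_xml):
    """True when both documents carry the same non-empty set of signing certificates."""
    a = summarize_idp_metadata(served_xml)["signing_sha256"]
    b = summarize_idp_metadata(pasted_xml)["signing_sha256"]
    return bool(a) and a == b

def sample_metadata(cert_bytes, wrap=None):
    """Build constructed sample metadata; cert_bytes is a stand-in, not a real certificate."""
    b64 = base64.b64encode(cert_bytes).decode()
    if wrap:  # emulate line wrapping introduced by copy and paste
        b64 = "\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap))
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://swivel.mycompany.com/sentry">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://swivel.mycompany.com/sentry/saml20endpoint"/>'
        '</md:IDPSSODescriptor></md:EntityDescriptor>' % (NS["md"], NS["ds"], b64))

if __name__ == "__main__":
    served = sample_metadata(b"constructed current signing certificate")
    pasted = sample_metadata(b"constructed current signing certificate", wrap=16)
    stale = sample_metadata(b"constructed previous signing certificate")
    print(summarize_idp_metadata(served))
    print("pasted copy matches:", same_signing_certs(served, pasted))
    print("stale copy matches:", same_signing_certs(served, stale))
```

In practice, feed the first argument from the content of the generatedMetadata.xml page and the second from the text held in the Mimecast "Identity Provider Certificate (Metadata)" field; a mismatch points to stale metadata on the Mimecast side.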