This article contains information on configuring an Azure App Registration for SSO integration with Mimecast Aware 2.0, including setting redirect URIs, adding scopes, API permissions, and token claims, and assigning users to RBAC roles.
- Log into portal.azure.com
- Navigate to App Registrations.
- Start a new App Registration.
- Once the application is added, click Add a Redirect URI.
- Click Add a platform | Web.
- Add the callback URL https://wiretap-prod.auth0.com/login/callback to the "Redirect URIs" field.
- Click Configure.
- Back in Overview, click Add an Application ID URI.
- Click Add a scope and enter value: urn:auth0:wiretap-prod:{ConnectionName} (e.g. urn:auth0:wiretap-prod:WAADSAML). Connection name can be anything you'd like, but ensure that it includes the customer name.
- Click Save and Continue.
- Under Scope name, enter user_impersonation.
- For "Who can consent?", select Admins and users.
- Enter Admin consent display name (anything you'd like).
- Click Add scope.
- In the API permissions section, ensure that the required permissions (shown in the screenshot) are added and that "Grant admin consent" is checked for each of them.
- In the Authentication section, ensure that the "ID Tokens" section is checked:
- Navigate back to Overview and click Managed application.
- Go to Users and Groups, and assign Users and Groups that you want to have access to Mimecast - Aware 2.0.
- Ensure that each user has the "email" property filled out. Without it, the Mimecast Aware 2.0 application cannot place users into the correct RBAC roles (we use the email as the lookup key rather than the user ID, because Auth0 changes the user ID when transitioning a user from username/password to SSO). The Email property is under Users | User | Properties.
- In the Token configuration section, ensure that you add the following claims for email:
- Go back to App Registration | Your application.
- Generate a new secret in Certificates & Secrets.
Attention:
The secret value will only be shown once. Ensure that you note it down.
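Because the RBAC mapping keys on the email claim, it is worth confirming that the ID token issued by your App Registration actually carries a non-empty email before onboarding users. The following check is an added example and not Mimecast's or Auth0's code; it decodes the claims segment of a JWT and reports the problems that would break the mapping. It only inspects claim content and does not verify the token signature, which must still be done against the tenant's signing keys; the tokens and client ID below are constructed placeholders.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_sample_token(payload: dict) -> str:
    """Build a constructed header.payload.signature token for exercising the check.
    The signature segment is a placeholder; it is never validated here."""
    header = _b64url_encode({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{_b64url_encode(payload)}.placeholder-signature"


def check_id_token_claims(token: str, client_id: str) -> list:
    """Return the problems that would stop Aware 2.0 from mapping the user to an
    RBAC role. An empty list means the audience and email claims look right."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    # The token must be issued for this App Registration's Application (client) ID.
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} does not match the app client ID")
    # The email claim is the lookup key; preferred_username is not a substitute.
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        problems.append("email claim missing or empty: user will not map to an RBAC role")
    return problems


if __name__ == "__main__":
    CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app
    ok = make_sample_token({"aud": CLIENT_ID, "email": "jane.doe@example.com"})
    missing = make_sample_token({"aud": CLIENT_ID, "preferred_username": "jane.doe@example.com"})
    print("with email:", check_id_token_claims(ok, CLIENT_ID))
    print("without email:", check_id_token_claims(missing, CLIENT_ID))
```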
At this point you are ready to add your SSO connection to Aware 2.0.
It is best practice to first create users within Aware 2.0 and assign them to RBAC roles, and then create an SSO connection.
This is the form in Aware 2.0:
- Connection name is the last part of your Application ID URI, e.g., in the screenshot it's "OBTEST1":
- Microsoft Entra Domain can be found in Manifest | publisherDomain:
- Client ID maps to Overview | Application (client) ID:
- Client secret refers to the value we saved in step 15 (the secret generated under Certificates & Secrets).
- Identity provider domain is usually the same as Microsoft Entra Domain.