Configure SAML single sign-on with Azure Active Directory

This page applies to legacy accounts. Learn more

Currently, SAML is only supported for sign-on and access to Deep Security as a Service https://app.deepsecurity.trendmicro.com/ and not Trend Micro Cloud One https://cloudone.trendmicro.com/.

Currently, Deep Security as a Service supports only the HTTP POST binding of the SAML 2.0 identity provider (IdP)-initiated login flow, and not the service provider (SP)-initiated login flow.

For a detailed explanation of how Deep Security as a Service implements the SAML standard, see About SAML single sign-on (SSO). For instructions on configuring it with other identity providers, see Configure SAML single sign-on.

Who is involved in this process?

Typically, there are two people required to configure Deep Security as a Service to use Azure Active Directory for SAML single sign-on (SSO): a Deep Security as a Service administrator and an Azure Active Directory administrator.

The Deep Security as a Service administrator must be assigned a Deep Security as a Service role with the SAML Identity Providers right set to either Full or to Custom with Can Create New SAML Identity Providers enabled.

These are the steps required to set up SAML single sign-on with Deep Security as a Service using Azure Active Directory, and the person who performs each step:

Step Performed by
Download the Deep Security as a Service service provider SAML metadata document. Deep Security as a Service administrator
Configure Azure Active Directory Azure Active Directory administrator
Configure SAML in Deep Security as a Service Deep Security as a Service administrator
Define a role in Azure Active Directory Azure Active Directory administrator

Download the Deep Security as a Service service provider SAML metadata document

In the Deep Security as a Service console, go to Administration > User Management > Identity Providers > SAML and click Download. The file is downloaded as ServiceProviderMetadata.xml. Send the file to your Azure Active Directory administrator.

Configure Azure Active Directory

The steps in this section are performed by an Azure Active Directory administrator.

Refer to Configure single sign-on to non-gallery applications in Azure Active Directory for details on how to perform the steps below.

  1. In the Azure Active Directory portal, add a new non-gallery application.
  2. Configure single sign-on for the application. We recommend that you upload the metadata file, ServiceProviderMetadata.xml, that was downloaded from Deep Security as a Service. Alternatively, you can enter a reply URL (the Deep Security as a Service URL + /saml).
  3. Configure SAML claims. Deep Security as a Service requires these two:

    • https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName This is a unique user ID that will be the username in Deep Security as a Service. For example, you could use the User Principal Name (UPN).

    • https://deepsecurity.trendmicro.com/SAML/Attributes/Role The format is “IDP URN,Role URN”. The IDP has not been created in Deep Security as a Service yet, so you can configure this SAML claim later, in Define a role in Azure Active Directory.

    You can also configure other optional claims, as described in SAML claims structure.

    Setup Single Sign-On with SAML - Preview

  4. Download the Federation Metadata XML file and send it to the Deep Security as a Service administrator.

If there are multiple roles defined in Deep Security as a Service, repeat these steps to create a separate application for each role.

Configure SAML in Deep Security as a Service

Sections below detail configuring SAML in Deep Security as a Service

Import the Azure Active Directory metadata document

  1. In Deep Security as a Service, go to Administration > User Management > Identity Providers > SAML.
  2. Click Get Started or New.
  3. Click Choose File, select the Federation Metadata XML file that was downloaded from Azure Active Directory and click Next.
  4. Enter a Name for the identity provider, and then click Finish. You will be brought to the Roles page.

Create Deep Security as a Service roles for SAML users

Make sure the Administration > User Management > Roles page in Deep Security as a Service contains appropriate roles for your organization. Users should be assigned a role that limits their activities to only those necessary for the completion of their duties. For information on how to create roles, see Define roles for users. Each Deep Security as a Service role requires a corresponding Azure Active Directory application.

Get URNs

Your Azure Active Directory administrator will require identity provider URNs and role URNS (URN(s) for the Deep Security as a Service for role(s) to associate with the Azure Active Directory application). The required information for both can be found in the Deep Security as a Service console.

  • To view identity provider URNs, go to Administration > User Management > Identity Providers > SAML > Identity Providers and check the URN column.
  • To view role URNs, go to Administration > User Management > Roles and check the URN column.

If you have multiple roles, you will need the URN for each role, because each one requires a separate Azure Active application.

Define a role in Azure Active Directory

The steps in this section must be performed by an Azure Active Directory administrator.

In Azure Active Directory, use the identity provider URN and role URN identified in the previous section to define the "role" attribute in the Azure application. This must be in the format “IDP URN,Role URN”. See "Deep Security as a Service user role (required)" in the SAML claims structure section.

Use the Validate button in Azure Active Directory to test the setup, or assign the new application to a user and test that it works.

Service and identity provider settings

You can set how far in advance Deep Security as a Service will alert you to the expiry date of the server and identity provider certificates, as well as how much time must pass before inactive user accounts added through SAML single sign-on are automatically deleted.

To change these settings, go to Administration > System Settings > Security > Identity Providers.

SAML claims structure

The following SAML claims are supported by Deep Security as a Service:

Deep Security as a Service username (required)

The claim must have a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName and a single AttributeValue element. Deep Security as a Service will use the AttributeValue as the Deep Security as a Service username.

Sample SAML data (abbreviated):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName">
        <AttributeValue>alice</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response> 

Deep Security as a Service user role (required)

The claim must have a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/Role and between one and ten AttributeValue elements. Deep Security as a Service uses the attribute value(s) to determine the tenant, identity provider, and role of the user. A single assertion may contain roles from multiple tenants.

Sample SAML data (abbreviated):

The line break in the AttributeValue element is present for readability; in the claim it must be on a single line.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/Role">
        <AttributeValue>urn:tmds:identity:[pod ID]:[tenant ID]:saml-provider/[IDP name],
            urn:tmds:identity:[pod ID]:[tenant ID]:role/[role name]</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>

Maximum session duration (optional)

If the claim has a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration and an integer-valued AttributeValue element, the session will automatically terminate when that amount of time (in seconds) has elapsed.

Sample SAML data (abbreviated):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration">
        <AttributeValue>28800</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>

Preferred language (optional)

If the claim has a SAML assertion that contains an Attribute element with the Name attribute of https://deepsecurity.trendmicro.com/SAML/attributes/PreferredLanguage and a string-valued AttributeValue element that is equal to one of the supported languages, Deep Security as a Service will use the value to set the user's preferred language.

The following languages are supported:

  • en-US (US English)
  • ja-JP (Japanese)
  • zh-CN (Simplified Chinese)

Sample SAML data (abbreviated):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/PreferredLanguage">
        <AttributeValue>en-US</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>