Configure SAML single sign-on

This page applies to legacy accounts.

Currently, SAML is only supported for sign-on and access to Deep Security as a Service https://app.deepsecurity.trendmicro.com/ and not Trend Micro Cloud One https://cloudone.trendmicro.com/.

When you configure Deep Security as a Service to use SAML single sign-on (SSO), users signing in to your organization's portal can seamlessly sign in to Deep Security as a Service without an existing Deep Security as a Service account. SAML single sign-on also makes it possible to implement user authentication access control features such as:

  • Password strength or change enforcement.
  • One-Time Password (OTP).
  • Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).

For a more detailed explanation of how Deep Security as a Service has implemented the SAML standard, see About SAML single sign-on (SSO). If you are using Azure Active Directory as your identity provider, see Configure SAML single sign-on with Azure Active Directory.

At this time, Deep Security as a Service supports only the HTTP POST binding of the SAML 2.0 identity provider (IdP)-initiated login flow, and not the service provider (SP)-initiated login flow.

To use SAML single sign-on with Deep Security as a Service, you will need to do the following:

  1. Configure pre-setup requirements
  2. Configure SAML in Deep Security as a Service
  3. Provide information to your identity provider administrator
  4. SAML claims structure
  5. Test SAML single sign-on
  6. Service and identity provider settings

Configure pre-setup requirements

  1. Ensure your Deep Security as a Service is functioning properly.
  2. Contact the identity provider administrator to:
     • Establish a naming convention for mapping directory server groups to Deep Security as a Service roles.
     • Obtain their identity provider SAML metadata document.
     • Ask them to add any required user authentication access control features to their policy.

Support is available to assist with the following identity providers that have been tested in Deep Security as a Service with SAML single sign-on:

Configure SAML in Deep Security as a Service

Sections below detail configuring SAML in Deep Security as a Service.

Import your identity provider's SAML metadata document

Your Deep Security as a Service account must have both administrator and "Create SAML identity provider" permissions.

  1. On the Administration page, go to User Management > Identity Providers > SAML.
  2. Click Get Started.
  3. Click Choose File, select the SAML metadata document provided by your identity provider, and click Next.
  4. Enter a Name for the identity provider, and then click Finish.

You will see the Roles page.

Create Deep Security as a Service roles for SAML users

You need to create a role for each of your expected user types. Each role must have a corresponding group in your identity provider's directory server, and match the group's access permissions and tenant assignment.

Your identity provider's SAML integration will have a mechanism to transform group membership into SAML claims. Consult the documentation that came with your identity provider to learn more about claim rules.

For information on how to create roles, see Define roles for users.

Provide information to your identity provider administrator

Sections below detail how to help the identity provider administrator create groups and rules that correspond to your Deep Security as a Service setup.

Download the Deep Security as a Service service provider SAML metadata document

  1. On the Administration page, go to User Management > Identity Providers > SAML.
  2. Under SAML Service Provider, click Download.

Your browser will download the Deep Security as a Service service provider SAML metadata document (ServiceProviderMetadata.xml).

Send URNs and the Deep Security as a Service SAML metadata document to the identity provider administrator

You need to give the identity provider administrator Deep Security as a Service's service provider SAML metadata document, the identity provider URN and the URN of each Deep Security as a Service role you created.

To view role URNs, go to Administration > User Management > Roles and look under the URN column. To view identity provider URNs, go to Administration > User Management > Identity Providers > SAML > Identity Providers and look under the URN column.

Once the identity provider administrator confirms they have created groups corresponding to the Deep Security as a Service roles and any required rules for transforming group membership into SAML claims, you are finished configuring SAML single sign-on.

If necessary, you can inform the identity provider administrator about the SAML claims structure required by Deep Security as a Service.

SAML claims structure

The following SAML claims are supported by Deep Security as a Service:

Deep Security as a Service username (required)

The claim must have a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName and a single AttributeValue element. Deep Security as a Service will use the AttributeValue as the Deep Security as a Service username.

Sample SAML data (abbreviated):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName">
        <AttributeValue>alice</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>

Deep Security as a Service user role (required)

The claim must have a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/Role and 1 to 10 AttributeValue elements.

Deep Security as a Service uses the attribute value(s) to determine the tenant, identity provider, and role of the user. A single assertion may contain roles from multiple tenants.

Sample SAML data (abbreviated):

The line break inside the AttributeValue element below is present for readability only; in the actual claim the value must be on a single line.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/Role">
        <AttributeValue>urn:tmds:identity:[pod ID]:[tenant ID]:saml-provider/[IDP name],
            urn:tmds:identity:[pod ID]:[tenant ID]:role/[role name]</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>

Maximum session duration (optional)

If the claim has a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration and an integer-valued AttributeValue element, the session will automatically terminate when that amount of time (in seconds) has elapsed.

Sample SAML data (abbreviated):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration">
        <AttributeValue>28800</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>

Preferred language (optional)

If the claim has a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/attributes/PreferredLanguage and a string-valued AttributeValue element equal to one of the supported languages, Deep Security as a Service will use the value to set the user's preferred language.

The following languages are supported:

  • en-US (US English)
  • ja-JP (Japanese)

Sample SAML data (abbreviated):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/PreferredLanguage">
        <AttributeValue>en-US</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>
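The four claims above, checked together, as an added example in Python that is not part of Trend Micro's documentation or product code. It parses a constructed response that uses the page's attribute names, applies the documented rules (exactly one RoleSessionName value, one to ten Role values each carrying a provider URN and a role URN, an integer SessionDuration, a PreferredLanguage from the supported set) and returns what it extracted. The pod ID, tenant ID, identity provider name and role name in the sample are placeholders; tolerating whitespace around the comma in a Role value and ignoring rather than rejecting an unsupported language are assumptions. The code deliberately performs no signature, issuer, audience or validity-window checking, which a real service provider must complete before it reads any attribute.

```python
"""Check a SAML response's attribute statement against the claim rules
documented for Deep Security as a Service.

Added example, not Trend Micro code. It validates attribute shape only:
XML signature, Issuer, Audience, Recipient and NotBefore/NotOnOrAfter
checks must already have passed before any attribute value is trusted.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BASE = "https://deepsecurity.trendmicro.com/SAML/Attributes/"
ATTR_USER = BASE + "RoleSessionName"
ATTR_ROLE = BASE + "Role"
ATTR_DURATION = BASE + "SessionDuration"
ATTR_LANG = BASE + "PreferredLanguage"
SUPPORTED_LANGS = {"en-US", "ja-JP"}

# Shape of the two URNs inside one Role value, taken from the page's sample:
#   urn:tmds:identity:<pod ID>:<tenant ID>:saml-provider/<IdP name>
#   urn:tmds:identity:<pod ID>:<tenant ID>:role/<role name>
PROVIDER_RE = re.compile(r"^urn:tmds:identity:[^:]+:[^:]+:saml-provider/.+$")
ROLE_RE = re.compile(r"^urn:tmds:identity:[^:]+:[^:]+:role/.+$")


class ClaimError(ValueError):
    """The assertion does not satisfy the documented claim rules."""


def attribute_values(response_xml):
    """Map each Attribute Name to the list of its AttributeValue strings."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ClaimError("expected exactly one Assertion")
    values = {}
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        values.setdefault(attr.get("Name"), []).extend(vals)
    return values


def parse_role_value(value):
    """Split "<provider URN>,<role URN>" and check the shape of both halves.

    Whitespace around the comma is tolerated only because the page's sample
    wraps the value for readability (assumption; the real claim is one line).
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not PROVIDER_RE.match(parts[0]) or not ROLE_RE.match(parts[1]):
        raise ClaimError("malformed Role value: %r" % value)
    return parts[0], parts[1]


def validate_claims(response_xml):
    """Return username, roles, session duration and language, or raise ClaimError."""
    values = attribute_values(response_xml)

    users = values.get(ATTR_USER, [])
    if len(users) != 1 or not users[0]:
        raise ClaimError("RoleSessionName needs exactly one non-empty value")

    roles = values.get(ATTR_ROLE, [])
    if not 1 <= len(roles) <= 10:
        raise ClaimError("Role needs 1 to 10 values, got %d" % len(roles))
    parsed_roles = [parse_role_value(r) for r in roles]

    duration = None
    if ATTR_DURATION in values:
        raw = values[ATTR_DURATION]
        if len(raw) != 1 or not raw[0].isdigit():
            raise ClaimError("SessionDuration must be a single integer (seconds)")
        duration = int(raw[0])

    # Assumption: a language outside the supported set is ignored, not rejected.
    lang = next((c for c in values.get(ATTR_LANG, []) if c in SUPPORTED_LANGS), None)

    return {"username": users[0], "roles": parsed_roles,
            "session_duration": duration, "preferred_language": lang}


def rejects(response_xml):
    """True when validate_claims refuses the response (handy for negative checks)."""
    try:
        validate_claims(response_xml)
    except ClaimError:
        return True
    return False


# Constructed sample: pod ID, tenant ID, IdP name and role name are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName">
        <AttributeValue>alice</AttributeValue>
      </Attribute>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/Role">
        <AttributeValue>urn:tmds:identity:POD-PLACEHOLDER:TENANT-PLACEHOLDER:saml-provider/ExampleIdP,urn:tmds:identity:POD-PLACEHOLDER:TENANT-PLACEHOLDER:role/Auditor</AttributeValue>
      </Attribute>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration">
        <AttributeValue>28800</AttributeValue>
      </Attribute>
      <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/PreferredLanguage">
        <AttributeValue>ja-JP</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""
```

Running `validate_claims(SAMPLE_RESPONSE)` returns the username, the single provider/role URN pair, a 28800-second session limit and `ja-JP`; renaming the RoleSessionName attribute, breaking the comma in the Role value, or sending `8h` as the duration makes `rejects` return True. Because the Role value carries both the provider URN and the role URN, a claim rule that emits the wrong provider URN fails the shape check here rather than silently granting nothing, which is the symptom the troubleshooting steps below describe.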

Test SAML single sign-on

Navigate to the single sign-on login page on the identity provider server, and log in to Deep Security as a Service from there. You should be redirected to the Deep Security as a Service console.

If SAML single sign-on is not functioning, follow the steps below to review the setup:

  1. Review the Configure pre-setup requirements section.
  2. Ensure that the user is in the correct directory group.
  3. Ensure that the identity provider and role URNs are properly configured in the identity provider federation service.

Service and identity provider settings

You can set how far in advance Deep Security as a Service will alert you to the expiry date of the server and identity provider certificates, as well as how much time must pass before inactive user accounts added through SAML single sign-on are automatically deleted.

To change these settings, go to Administration > System Settings > Security > Identity Providers.