About SAML single sign-on

Trend Cloud One supports single sign-on (SSO) using an open authentication standard called Security Assertion Markup Language 2.0 (SAML). SSO enables users to authenticate to their applications using a single set of credentials, and organizations to more easily control employee access to applications using the organization's identity provider.

Trend Cloud One SAML only supports identity provider-initiated SSO; customers must log in via their identity provider in order to access Trend Cloud One.

Previously, it was possible to configure SAML single sign-on directly to Trend Cloud One Workload Security. It is now possible to log into all of Trend Cloud One using SAML. However, this new single sign-on to all of Trend Cloud One must be configured separately.

Trend Cloud One continues to support a native sign-on using its usual web interface and Trend Cloud One credentials, which is separate from its SAML SSO.

To implement SAML single sign-on, see Configure SAML single sign-on.

How SAML single sign-on works in Trend Cloud One

In SAML single sign-on, you establish a trust relationship between two parties: the identity provider and the service provider.

The identity provider holds the user identity information, stored on a directory server. The service provider (in this case Trend Cloud One) accepts requests from the identity provider to authenticate users to the service provider on their behalf.

The identity provider and the service provider establish trust by exchanging a SAML metadata document with one another.

Once Trend Cloud One and the identity provider have exchanged SAML metadata documents and established a trust relationship, Trend Cloud One can accept assertions coming from the identity provider and use them to authenticate a user into a Trend Cloud One account. In addition to the metadata document, Trend Cloud One requires instructions for interpreting the data in the assertion in order to know how to authenticate the user. This is done using mappings, roles, and claims.

  • Mappings are used to associate attributes in Trend Cloud One with the user attributes in your identity provider.
  • Claims are pieces of information about the user provided by the identity provider in an assertion.
  • Roles specify how to map a user's groups in the identity provider with a role in a Trend Cloud One account.

Trend Cloud One uses the following mappings:

  • Name attribute (optional): Specifies the claim attribute that contains the user's name. This is used for display purposes.
  • Locale attribute (optional): Specifies the claim attribute that contains the user's locale. This is used to set the locale setting in Trend Cloud One.
  • Timezone attribute (optional): Specifies the claim attribute that contains the user's time zone. This is used to set the timezone setting in Trend Cloud One.
  • Role attributes: Specifies the claim attribute that contains the groups the user is part of. This is used with the roles mapping value to determine which roles inside an account the user has access to.
  • Group: This is a list of name-value pairs that specifies how to map the groups the user is a part of (which is read from the attribute given in the role mapping) to a role in the Trend Cloud One account. A group can only be assigned to a single Trend Cloud One role inside an account.

The identity provider configuration in Trend Cloud One is tied to a specific Trend Cloud One account. This means any roles specified in the roles mapping must be from the current Trend Cloud One account. To log in to multiple accounts with the same identity provider, the configuration information must be added to each Trend Cloud One account separately.

When Trend Cloud One receives an assertion, it uses the mappings to read which groups the user is part of and maps them to Trend Cloud One roles the user can access. It does this mapping across all the Trend Cloud One accounts for which the identity provider is configured, to give the user a list of accounts and roles they can use to sign in to Trend Cloud One.

For users with multiple roles or Trend Cloud One accounts, access to all roles and accounts can be granted through a single assertion from the identity provider. However, each Trend Cloud One account is tied to its own specific identity provider configuration and, to enable access, each account must be configured separately with the identity provider.

Once configured, Trend Cloud One uses the mappings provided in the assertion to list all the roles and accounts with which the user can sign in.

If a role is removed from Trend Cloud One, it will not be reflected in your identity provider configuration. You must navigate to identity providers in Trend Cloud One and take note of the warning tip beside the role that has been removed. Any users who are associated with this mapping will not be able to log in to Trend Cloud One. You must manually update the mapping to a valid role or remove the mapping altogether.
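The following Python is an added illustration, not Trend Cloud One's own code: it reads the claims from a constructed sample assertion, applies a hypothetical per-account role attribute and group-to-role mapping, and flags any mapping that points to a role that no longer exists in the account (the case described above, where affected users cannot sign in). Account names, attribute names and role names are all assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 assertion elements.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not real identity provider output).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cloud-admins</saml:AttributeValue>
      <saml:AttributeValue>auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def read_attributes(xml_text):
    """Return {claim attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

# Hypothetical identity provider configuration, held separately per account, as the
# text describes. A group maps to exactly one role per account (dict key -> value).
# existing_roles is the set of roles currently defined in that account.
ACCOUNTS = {
    "prod-account": {
        "role_attribute": "groups",
        "group_roles": {"cloud-admins": "Full Access", "auditors": "Read Only"},
        "existing_roles": {"Full Access", "Read Only"},
    },
    "dev-account": {
        "role_attribute": "groups",
        "group_roles": {"cloud-admins": "Developer", "auditors": "Retired Role"},
        "existing_roles": {"Developer"},  # "Retired Role" has been removed
    },
}

def resolve_sign_in_options(attrs, accounts):
    """Map the user's groups to (account, role) sign-in options across all accounts.
    Mappings whose target role no longer exists are returned separately as broken."""
    options, broken = [], []
    for account, cfg in accounts.items():
        for group in attrs.get(cfg["role_attribute"], []):
            role = cfg["group_roles"].get(group)
            if role is None:
                continue  # group not mapped in this account
            if role in cfg["existing_roles"]:
                options.append((account, role))
            else:
                broken.append((account, group, role))
    return options, broken
```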

Implement SAML single sign-on in Trend Cloud One

Once trust has been established between Trend Cloud One and an identity provider with a SAML metadata document exchange, users can use SAML single sign-on to sign in to Trend Cloud One through your organization's portal.

For information, see Configure SAML single sign-on.

SAML Users tab

The SAML Users tab is a read-only display of which SAML users have accessed the account. You can use this feature to see which users are logging into the account via SAML. You can also use it to cross-reference SAML user IDs to corresponding actions described in the audit logs.

The SAML Users tab displays the following pieces of information:

  • Name: The NameID attribute of the SAML user.
  • Role: The role that the SAML user most recently assumed within the account.
  • Last Sign In: The date that the SAML user most recently accessed the account.
  • ID: An identifier that Trend Cloud One uses for that SAML user. This identifier is appended to the Principal URN in audit logs and can be used to audit which actions the SAML user has taken.

You cannot edit or delete SAML users from this tab. If a SAML user has not accessed the account within a year, they are removed from the list.

To access the page:

  1. Select Account Settings from the drop-down next to your account.
  2. Select Users in the left pane.
  3. Select SAML.