
Microsoft Entra ID SAML SSO Integration

This page describes how to add Trend Micro Cloud One™ – Conformity as a custom SAML 2.0 application in Microsoft Entra ID.

The instructions for adding Conformity as a Microsoft Entra enterprise application and enabling SAML single sign-on:

  1. Sign in to Azure Portal as administrator
  2. Navigate to Microsoft Entra ID
  3. Open Enterprise Applications
  4. Click + New application
  5. Click + Create your own application
  6. Enter a name, for example "Conformity", in the Name field
  7. Select "Integrate any other application you don’t find in the gallery"
  8. Click "Create"
  9. After the application is created, upload this logo under "Properties" section and save it
  10. In the "Users and groups" section, assign groups you would like to have access to ‘Cloud Conformity’.
  11. Open "Single sign-on" section
  12. Select "SAML-based Sign-on"
  13. Edit "Basic SAML Configuration"
  14. Identifier: enter "https://www.cloudconformity.com"
  15. Reply URL: enter "https://www.cloudconformity.com/v1/proxy/sso/saml/consume"
  16. Depending on your region of service and email domain, enter {region}:{domain} in Relay State:
    • {region} is your region of service, i.e. one of the three regions us-west-2, ap-southeast-2, or eu-west-1.
    • {domain} is the domain part of your users' email addresses, e.g. us-west-2:your-company.com
  17. Edit "User Attributes & Claims"
  18. Select "user.mail" as the source attribute of "Unique User Identifier" field
  19. Verify that the additional claims for first name, last name, email address and role (the claim names listed at the end of this page) are present
  20. Under SAML Signing Certificate, download Federation Metadata XML file - we will need this for the SSO configuration in Conformity.
  21. On the top search bar, search for App Registrations.
  22. Select All Applications tab and select the application you created in Step 5 of this guide, i.e. "Cloud Conformity".
  23. Click Manifest to open Manifest Editor.
  24. Change the value of "groupMembershipClaims" from null to "SecurityGroup", i.e. "groupMembershipClaims": "SecurityGroup". This makes Microsoft Entra ID include the Object IDs of the user's security groups in the SAML token, which Conformity uses for role mapping.
  25. Save the manifest.
  26. Set Role Groups in Azure to match Conformity Role Mappings
    Each of the four Conformity roles should have a group defined in Microsoft Entra ID. Open each group under "Users and groups" and take note of its "Object ID"; Conformity uses these IDs to map Microsoft Entra groups to Conformity roles automatically. The roles supported by Conformity are:
    • Admin: Organisation admin, full access to everything
    • Power-user: Full access to all accounts, no access to organisation-level settings, cannot add new accounts
    • Read-only: Read-only access to all accounts, no access to organisation-level settings
    • Custom: No access by default, can be granted read-only or full access to individual accounts by an organisation admin

Once Conformity has been added to Microsoft Entra ID, follow the instructions from Step 2 onwards in Configure SSO settings in Conformity.

Take a note of the following information to configure self-serve SSO in Conformity:

  1. The Federation Metadata XML file downloaded during setup in Step 20.
  2. The Object IDs of the admin, power-user, read-only, and limited (Custom) groups. Each role attribute value is the Object ID of the related Microsoft Entra group in UUID format.
  3. The claim names for each of the key attributes, as follows:
    • First name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    • Last name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    • Email address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • Role: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
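The following Python script is an added example, not code from this page or from Trend Micro, showing what a service provider does with the pieces listed above once Microsoft Entra ID has issued a token: it reads the four claim names from an assertion's AttributeStatement, checks the NameID against the email claim (step 18 makes user.mail the NameID source), validates the {region}:{domain} relay state from step 16, and maps the group Object IDs in the groups claim to the four Conformity roles. The assertion is a constructed, unsigned sample, the Object IDs and the domain your-company.com are placeholders, and the rule that the most privileged role wins when a user is in several mapped groups is an assumption of this example, not something the page states. Signature and Conditions validation, which a real service provider performs before reading any attribute, is out of scope here.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Claim names exactly as listed on this page
CLAIM_GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Regions of service named on this page
CONFORMITY_REGIONS = {"us-west-2", "ap-southeast-2", "eu-west-1"}

# Placeholder Object IDs (constructed, not real) for the four Conformity role groups.
# In a real setup these are the Object IDs noted in step 26.
ROLE_GROUPS = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "22222222-2222-2222-2222-222222222222": "power-user",
    "33333333-3333-3333-3333-333333333333": "read-only",
    "44444444-4444-4444-4444-444444444444": "custom",
}
ROLE_RANK = {"admin": 0, "power-user": 1, "read-only": 2, "custom": 3}


def build_sample_assertion(email, first_name, last_name, group_ids):
    """Build a constructed, unsigned assertion carrying the claims this page lists.
    Only the attribute layout matters here; a real Entra assertion is signed and
    also carries Conditions, AuthnStatement and more."""
    groups_xml = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_ids)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID>{email}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIM_GIVEN_NAME}"><saml:AttributeValue>{first_name}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIM_SURNAME}"><saml:AttributeValue>{last_name}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIM_EMAIL}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIM_GROUPS}">{groups_xml}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return (NameID, {claim name: [values]}) from an assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def parse_relay_state(relay_state):
    """Validate the '{region}:{domain}' relay state format from step 16."""
    region, sep, domain = relay_state.partition(":")
    if not sep or region not in CONFORMITY_REGIONS:
        raise ValueError(f"relay state must be <region>:<domain> with a known region, got {relay_state!r}")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        raise ValueError(f"relay state domain is not a DNS name: {domain!r}")
    return region, domain


def resolve_role(group_ids, role_groups=ROLE_GROUPS):
    """Map the Object IDs in the groups claim to a Conformity role.
    Entra emits every security group the user belongs to, so unmapped IDs are
    expected and ignored. Assumption of this example: when more than one mapped
    group is present, the most privileged role wins."""
    roles = [role_groups[g] for g in group_ids if g in role_groups]
    return min(roles, key=ROLE_RANK.__getitem__) if roles else None


def login_from_assertion(assertion_xml, relay_state):
    """Derive the Conformity identity and role from an assertion, failing closed."""
    region, domain = parse_relay_state(relay_state)
    name_id, attrs = parse_attributes(assertion_xml)
    email = attrs.get(CLAIM_EMAIL, [""])[0].strip().lower()
    # Step 18 makes user.mail the NameID source, so NameID and the email claim must agree.
    if not email or email != name_id.strip().lower():
        raise ValueError("NameID and email claim disagree")
    if email.rpartition("@")[2] != domain:
        raise ValueError(f"email domain does not match relay state domain {domain!r}")
    role = resolve_role(attrs.get(CLAIM_GROUPS, []))
    if role is None:
        raise PermissionError("user is in none of the mapped Conformity role groups")
    return {
        "region": region,
        "email": email,
        "first_name": attrs.get(CLAIM_GIVEN_NAME, [""])[0],
        "last_name": attrs.get(CLAIM_SURNAME, [""])[0],
        "role": role,
    }


if __name__ == "__main__":
    sample = build_sample_assertion("alice@your-company.com", "Alice", "Example",
        ["33333333-3333-3333-3333-333333333333", "99999999-9999-9999-9999-999999999999"])
    print(login_from_assertion(sample, "us-west-2:your-company.com"))
```

Two points the script makes visible: the groups claim contains every security group the user is in, not only the four role groups, so the mapping must ignore unknown Object IDs rather than reject them; and a user in no mapped group gets no role at all, which is the fail-closed outcome you want when a group assignment or the groupMembershipClaims manifest setting is missing. Entra also stops emitting the groups claim when a user belongs to more groups than fit in a SAML token (about 150) and emits an overage indicator instead, which this logic likewise treats as "no role".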