Trend Cloud One supports single sign-on (SSO) using an open authentication standard
called Security Assertion Markup Language 2.0 (SAML). SSO enables users to authenticate
to their applications using a single set of credentials, and organizations to more
easily control employee access to applications using the organization's identity provider.
Trend Cloud One SAML only supports Identity Provider-initiated SSO, so customers must
log in via their Identity Provider in order to access Trend Cloud One.
Note: Previously, it was possible to configure SAML single sign-on directly to Trend Cloud
One Workload Security. It is now possible to log into all of Trend Cloud One using
SAML. However, this new single sign-on to all of Trend Cloud One must be configured
separately.
Trend Cloud One continues to support a native sign-on using its usual web interface
and Trend Cloud One credentials, which is separate from its SAML SSO.
To implement SAML single sign-on, see Configure SAML single sign-on.
How SAML single sign-on works in Trend Cloud One
In SAML single sign-on, you establish a trust relationship between two parties: the
identity provider and the service provider.
The identity provider has the user identity information stored on a directory server.
The service provider (which in this case is Trend Cloud One) accepts requests from
the identity provider to authenticate a user to the service provider on that user's behalf.
The identity provider and the service provider establish trust by exchanging a SAML
metadata document with one another.
Once Trend Cloud One and the identity provider have exchanged SAML metadata documents
and established a trust relationship, Trend Cloud One can accept assertions coming
from the identity provider and use them to authenticate a user into a Trend Cloud
One account. In addition to the metadata document, Trend Cloud One requires instructions
for interpreting the data in the assertion in order to know how to authenticate the
user. This is done using mappings, roles, and claims.
- Mappings are used to associate attributes in Trend Cloud One with the user attributes in your identity provider.
- Claims are pieces of information about the user provided by the identity provider in an assertion.
- Roles specify how to map a user's groups in the identity provider with a role in a Trend Cloud One account.
Trend Cloud One uses the following mappings:
- Name attribute (optional): Specifies the claim attribute that contains the user's name. This is used for display purposes.
- Locale attribute (optional): Specifies the claim attribute that contains the user's locale. This is used to set the locale setting in Trend Cloud One.
- Timezone attribute (optional): Specifies the claim attribute that contains the user's time zone. This is used to set the timezone setting in Trend Cloud One.
- Role attribute: Specifies the claim attribute that contains the groups the user is part of. This is used with the group mapping values to determine which roles inside an account the user has access to.
- Group: This is a list of name value pairs that specifies how to map the groups the user is a part of (which is read from the attribute given in the role mapping) to a role in the Trend Cloud One account. A group can only be assigned to a single Trend Cloud One role inside an account.
The identity provider configuration in Trend Cloud One is tied to a specific Trend
Cloud One account. This means any roles specified in the roles mapping must be from
the current Trend Cloud One account. To log in to multiple accounts with the same
identity provider, the configuration information must be added to each Trend Cloud
One account separately.
When Trend Cloud One receives an assertion, it uses the mappings to read which groups
the user is part of and maps them to Trend Cloud One roles the user can access. It
does this mapping across all the Trend Cloud One accounts for which the identity provider
is configured, to give the user a list of accounts and roles they can use to sign
in to Trend Cloud One.
For users with multiple roles or Trend Cloud One accounts, access to all roles and
accounts can be granted through a single assertion from the identity provider. However,
each Trend Cloud One account is tied to its own specific identity provider configuration
and, to enable access, each account must be configured separately with the identity
provider.
Once configured, Trend Cloud One uses the mappings provided in the assertion to list
all the roles and accounts with which the user can sign in.
If a role is removed from Trend Cloud One, it will not be reflected in your identity
provider configuration. You must navigate to identity providers in Trend Cloud One
and take note of the warning tip beside the role that has been removed. Any users
who are associated with this mapping will not be able to log in to Trend Cloud One.
You must manually update the mapping to a valid role or remove the mapping altogether.
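The following is an added example (not Trend Cloud One's own code) that models the mapping logic described above: it reads the attributes out of a constructed SAML assertion, applies per-account mapping configurations (name, locale, timezone, role attribute and group-to-role pairs) for two hypothetical accounts, and produces the list of account/role combinations the user may sign in with. It also models the removed-role case: a group mapping that points at a role no longer defined in the account yields a warning instead of access. Account identifiers, role names, group names and attribute names are all constructed for the example, and the code assumes the assertion's signature and conditions have already been validated by a SAML library before any attribute is trusted.

```python
"""Resolve Trend Cloud One account/role access from SAML assertion attributes.

Added example, not product code. Assumes the assertion has already been
signature-checked and its Conditions validated; only the mapping step is modelled.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (attribute statement only; no timezone claim is sent).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="locale"><saml:AttributeValue>en-US</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cloud-admins</saml:AttributeValue>
      <saml:AttributeValue>soc-analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class IdpMapping:
    """Identity provider configuration as stored in one Trend Cloud One account."""
    account_id: str
    role_attribute: str                 # claim holding the user's groups
    group_to_role: Dict[str, str]       # each group maps to exactly one role
    name_attribute: Optional[str] = None
    locale_attribute: Optional[str] = None
    timezone_attribute: Optional[str] = None


# Constructed configurations: the same identity provider configured in two accounts.
MAPPINGS = [
    IdpMapping("account-A", "groups",
               {"cloud-admins": "Full Access", "soc-analysts": "Read Only"},
               name_attribute="displayName", locale_attribute="locale",
               timezone_attribute="timezone"),
    IdpMapping("account-B", "groups", {"soc-analysts": "Auditor"}),
]

# Roles that currently exist in each account; "Auditor" was removed from account-B,
# so its mapping is stale and must be updated or removed by an administrator.
EXISTING_ROLES = {"account-A": {"Full Access", "Read Only"}, "account-B": {"Full Access"}}


def parse_attributes(assertion_xml: str) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Return (NameID, {attribute name: [values]}) from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=SAML_NS)
    return name_id, attrs


def build_profile(attrs: Dict[str, List[str]], mapping: IdpMapping) -> Dict[str, Optional[str]]:
    """Apply the optional name/locale/timezone mappings; missing claims stay None."""
    def first(attr_name: Optional[str]) -> Optional[str]:
        values = attrs.get(attr_name) if attr_name else None
        return values[0] if values else None
    return {"name": first(mapping.name_attribute),
            "locale": first(mapping.locale_attribute),
            "timezone": first(mapping.timezone_attribute)}


def resolve_access(attrs: Dict[str, List[str]], mappings: List[IdpMapping],
                   existing_roles: Dict[str, set]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Map the user's groups to (account, role) pairs across every configured account.

    A mapping whose target role no longer exists grants nothing and is reported,
    matching the warning shown beside a removed role in the identity providers page.
    """
    access: set = set()
    warnings: List[str] = []
    for m in mappings:
        for group in attrs.get(m.role_attribute, []):
            role = m.group_to_role.get(group)
            if role is None:
                continue                      # group not mapped in this account
            if role not in existing_roles.get(m.account_id, set()):
                warnings.append(f"{m.account_id}: group '{group}' maps to role "
                                f"'{role}', which no longer exists; fix or remove it")
                continue
            access.add((m.account_id, role))
    return sorted(access), warnings


if __name__ == "__main__":
    name_id, attrs = parse_attributes(SAMPLE_ASSERTION)
    print("user:", name_id, build_profile(attrs, MAPPINGS[0]))
    print(*resolve_access(attrs, MAPPINGS, EXISTING_ROLES), sep="\n")
```

With the constructed input, Alice is offered "Full Access" and "Read Only" in account-A, gets nothing in account-B because its only mapping targets the removed "Auditor" role, and her profile carries no timezone because the identity provider sent no such claim.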
Implement SAML single sign-on in Trend Cloud One
Once trust has been established between Trend Cloud One and an identity provider with
a SAML metadata document exchange, users can use SAML single sign-on to sign in to
Trend Cloud One through your organization's portal.
For information, see Configure SAML single sign-on.
SAML Users tab
The SAML Users tab is a read-only display of which SAML users have accessed the account.
You can use this feature to see which users are logging into the account via SAML.
You can also use it to cross-reference SAML user IDs to corresponding actions described
in the audit logs.
The SAML Users tab displays the following pieces of information:
- Name: The NameID attribute of the SAML user.
- Role: The role that the SAML user most recently assumed within the account.
- Last Sign In: The date that the SAML user most recently accessed the account.
- ID: An identifier that Trend Cloud One uses for that SAML User. This identifier is appended to the Principal URN in audit logs and can be used to audit which actions the SAML user has taken.
You cannot edit or delete SAML Users from this tab. If a SAML User has not accessed
the account within a year, they are removed from the list.
To access the page:
Procedure
- Select Account Settings from the drop-down next to your account.
- Select Users in the left pane.
- Select SAML.