Active Directory Federation Services (ADFS) setup guide

Download the metadata XML for Trend Cloud One

  1. Log in to Trend Cloud One with a user that has Full Access to the Identity and Account permissions.
  2. Select Administration.
  3. Click Identity Providers in the left navigation.
  4. Click Download Metadata XML for Trend Micro Cloud One, or right-click the link and choose the option to save the file.

This XML file is uploaded to ADFS in order to configure SAML. You will use a different XML file to upload into Trend Cloud One later, as described in Add Relying Party Trust.

Configure SAML in ADFS

For details, see Microsoft's Documentation.

In order for the following procedures to work, you must have users in your Active Directory that have valid e-mail addresses and that are members of at least one group. The group is what you will map to a Trend Cloud One role later, so every user who needs access must belong to it.

Add Relying Party Trust

  1. Open the ADFS Management console, then click Add Relying Party Trust. Select Claims aware (if available), and then click Start.
  2. Select Import data about the relying party from a file and upload the Trend Cloud One metadata file.
  3. Enter a display name that identifies this is for Trend Cloud One, and then click Next.
  4. Select your access control policy, for example Permit everyone or Permit specific group. The access control policy decides who is allowed to sign in to this trust at all; the group claims used for Trend Cloud One role mapping are defined separately in one of the subsequent steps.
  5. Click Next until you reach the final page, then click Finish.

Add Claim Issuance Policy

  1. In Relying Party Trusts, right-click the trust you just created and click Edit Claim Issuance Policy.

Name ID

  1. Click Add Rule, select Send LDAP Attributes as Claims, and type whatever name you like for the rule, such as "E-mail to E-mail".
  2. Select Active Directory for the attribute store, then map LDAP Attribute E-Mail-Addresses to outgoing claim type E-Mail Address, and then click Finish.
  3. Click Add Rule, select Transform an Incoming Claim, and then type whatever name you like for the rule, such as "E-mail to Name ID".
  4. For incoming, select E-Mail Address. For outgoing claim type, select Name ID. For the outgoing name ID format, select Email. Verify that Pass through all claim values is selected, and then click Finish.

Group claim

  1. Click Add Rule, select Send Group Membership as a Claim, and type whatever name you like for the rule, such as "Group Membership".
  2. Select the group to which your users belong. For Outgoing claim type, select Group. For Outgoing claim value, type a name for this claim. For example, group. Take note of this value for later use.

Name mapping

  1. Click Add Rule, select Send LDAP Attributes as Claims, and type whatever name you like for the rule, such as "Display Name to Name".
  2. Select Active Directory for the attribute store, then map LDAP Attribute Display-Name to outgoing claim type Name, and then click Finish.

See the attributes claims guide for more information.

Relay State

Currently, this feature only works for Trend Cloud One Workload Security.

To have a user automatically taken to Trend Cloud One Workload Security on sign-in, follow the steps described in this section. Otherwise, skip to the Download the metadata XML for ADFS section.

Steps for ADFS 2.0

If you are using ADFS 3.0 as opposed to ADFS 2.0, skip to Steps for ADFS 3.0. Otherwise, perform the following:

  1. Install KB2681584 (Update Rollup 2) or KB2790338 (Update Rollup 3) to provide Relay State support.

  2. Open the following file in a text editor: %systemroot%\inetpub\adfs\ls\web.config.

  3. In the microsoft.identityServer.web section of the web.config file, add a useRelayStateForIdpInitiatedSignOn element so that the section reads as follows, then save the change:

     <microsoft.identityServer.web>
       ...
       <useRelayStateForIdpInitiatedSignOn enabled="true" />
       ...
     </microsoft.identityServer.web>

  4. To restart Internet Information Services (IIS), from the command line, type iisreset.

  5. Open the Services application on the Windows machine, right-click Active Directory Federation Services, and then click Restart.

Steps for ADFS 3.0

  1. Open the following file in a text editor: %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config.

  2. In the microsoft.identityServer.web section of this configuration file, add a useRelayStateForIdpInitiatedSignOn element so that the section reads as follows, then save the change:

     <microsoft.identityServer.web>
       ...
       <useRelayStateForIdpInitiatedSignOn enabled="true" />
       ...
     </microsoft.identityServer.web>

  3. Open the Services application on the Windows machine, right-click Active Directory Federation Services, and then click Restart.
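The configuration-file edit from the ADFS 2.0 and ADFS 3.0 steps above, done from an elevated PowerShell session so that it is repeatable and leaves a backup. This is an added example, not code from the Trend Micro page or from Microsoft; the only assumption is which of the two file paths applies to your AD FS version, and the script defaults to the ADFS 3.0 path.

```powershell
# Added example (not from the Trend Micro page): enable RelayState for
# IdP-initiated sign-on by editing the AD FS configuration file in place.
# Run in an elevated PowerShell session on the federation server.
param(
    # Assumed: choose the file for your AD FS version (paths from the steps above).
    #   AD FS 2.0: "$env:SystemRoot\inetpub\adfs\ls\web.config"
    #   AD FS 3.0: "$env:SystemRoot\ADFS\Microsoft.IdentityServer.Servicehost.exe.config"
    [string]$ConfigPath = "$env:SystemRoot\ADFS\Microsoft.IdentityServer.Servicehost.exe.config"
)

function Enable-AdfsRelayState {
    param([Parameter(Mandatory)][string]$Path)

    # Keep a backup so the change can be reverted if the service fails to start.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force

    [xml]$cfg = Get-Content -Path $Path -Raw
    $web = $cfg.SelectSingleNode('/configuration/microsoft.identityServer.web')
    if (-not $web) { throw "No <microsoft.identityServer.web> section found in $Path" }

    # Re-running is safe: an existing element is updated rather than duplicated.
    $node = $web.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
    if (-not $node) {
        $node = $cfg.CreateElement('useRelayStateForIdpInitiatedSignOn')
        [void]$web.AppendChild($node)
    }
    $node.SetAttribute('enabled', 'true')
    $cfg.Save($Path)
}

Enable-AdfsRelayState -Path $ConfigPath

# AD FS 2.0 runs inside IIS and needs IIS restarted as well; AD FS 3.0 does not.
if ($ConfigPath -like '*\inetpub\adfs\ls\web.config') { iisreset }
Restart-Service -Name adfssrv
```

After the service restarts, the Common steps section below still applies; the PowerShell property and the configuration element are set independently.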

Common steps for both ADFS 2.0 and ADFS 3.0

  1. From the PowerShell prompt, type Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true.
  2. From the Windows Run dialog, type %windir%\ADFS\Microsoft.IdentityServer.msc to open the AD FS Management application.
  3. On the left side of the application under AD FS, select the Relying Party Trusts folder.
  4. Right-click your trust and select Properties.
  5. Select Identifiers.
  6. Take note of the Relying Party Identifier (RPID) (for example, https://saml.cloudone.trendmicro.com).
  7. URL-encode the RPID using any URL encoder (such as https://www.urlencoder.org/). For example, https://saml.cloudone.trendmicro.com becomes https%3A%2F%2Fsaml.cloudone.trendmicro.com.
  8. URL-encode your chosen Relay State from the Valid Relay States table (for example, /workload becomes %2Fworkload).
  9. URL-encode the value RelayState=<Your encoded Relay State> a second time (for example, RelayState=%2Fworkload becomes RelayState%3D%252Fworkload). The Relay State is encoded twice because AD FS decodes the outer RelayState parameter once and passes the inner value on to Trend Cloud One, which decodes it again.
  10. You can now create the full RelayState string: ?RelayState=RPID%3D<Your encoded RPID>%26RelayState%3D%252Fworkload (for example: ?RelayState=RPID%3Dhttps%3A%2F%2Fsaml.cloudone.trendmicro.com%26RelayState%3D%252Fworkload). The = and & separators inside the string appear as %3D and %26.
  11. When using SAML SSO, append the RelayState string to the end of your IdP-initiated sign-on URL, https://YOUR-DNS/adfs/ls/idpinitiatedsignon. The result has a form similar to https://YOUR-DNS/adfs/ls/idpinitiatedsignon?RelayState=RPID%3Dhttps%3A%2F%2Fsaml.cloudone.trendmicro.com%26RelayState%3D%252Fworkload
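The encoding steps above, carried out in PowerShell so that the URL is built from the RPID and Relay State rather than pasted together by hand, with a check that decodes it back the way AD FS and then Trend Cloud One will. This is an added example, not code from the Trend Micro page; the AD FS host name adfs.example.com is an assumption, and the RPID is the example value from the page.

```powershell
# Added example (not from the Trend Micro page): build and verify the
# double-encoded RelayState for an AD FS IdP-initiated sign-on URL.
function New-AdfsRelayStateUrl {
    param(
        [Parameter(Mandatory)][string]$AdfsHost,    # assumed, e.g. adfs.example.com
        [Parameter(Mandatory)][string]$Rpid,        # Relying Party Identifier from the trust
        [Parameter(Mandatory)][string]$RelayState   # destination, e.g. /workload
    )
    # First pass: encode the value Trend Cloud One should receive (/workload -> %2Fworkload).
    $innerValue = [System.Uri]::EscapeDataString($RelayState)
    # AD FS expects the outer RelayState to carry "RPID=<rpid>&RelayState=<value>" ...
    $inner = "RPID=$Rpid&RelayState=$innerValue"
    # ... encoded once more, so "=" and "&" become %3D and %26 and the RPID's
    # "://" becomes %3A%2F%2F. EscapeDataString escapes everything outside RFC 3986 unreserved.
    $outer = [System.Uri]::EscapeDataString($inner)
    return "https://$AdfsHost/adfs/ls/idpinitiatedsignon?RelayState=$outer"
}

function Test-AdfsRelayStateUrl {
    # Reverse the two encoding layers and return what each party ends up seeing,
    # so a hand-built URL can be checked before it is handed to users.
    param([Parameter(Mandatory)][string]$Url)
    $outer = ($Url -split '\?RelayState=', 2)[1]
    $inner = [System.Uri]::UnescapeDataString($outer)     # layer AD FS removes
    $parts = @{}
    foreach ($pair in $inner -split '&') {
        $k, $v = $pair -split '=', 2
        $parts[$k] = $v
    }
    [pscustomobject]@{
        Rpid       = $parts['RPID']                                          # must match a configured trust
        RelayState = [System.Uri]::UnescapeDataString($parts['RelayState']) # layer the relying party removes
    }
}

# On the AD FS server the RPID can be read from the trust instead of the Identifiers tab:
#   $rpid = (Get-AdfsRelyingPartyTrust -Name 'Trend Cloud One').Identifier[0]
$rpid = 'https://saml.cloudone.trendmicro.com'   # example RPID from the page
$url  = New-AdfsRelayStateUrl -AdfsHost 'adfs.example.com' -Rpid $rpid -RelayState '/workload'
$url
Test-AdfsRelayStateUrl -Url $url
```

With these inputs New-AdfsRelayStateUrl reproduces the string from step 11 (RPID%3Dhttps%3A%2F%2Fsaml.cloudone.trendmicro.com%26RelayState%3D%252Fworkload) and Test-AdfsRelayStateUrl reports the RPID unchanged and /workload as the Relay State. A RelayState that decodes to an RPID that is not one of your configured trust identifiers will not be honoured by AD FS, so check the Rpid field first when a sign-in lands on the default page instead of Workload Security.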

Set console theme

Specifying a theme query parameter is optional, and it allows users to specify a particular theme in the RelayState they obtain from the Identity Provider SAML response. The valid theme values are light and dark. If dark is selected, then the Trend Cloud One console opens in the dark mode. If no theme parameter is specified, the browser defaults to light mode, or whatever is saved within a user's local browser setting.

To specify the theme, the RelayState in the SAML response should include theme as a query parameter with a value of either dark or light.

For RelayState:

  • /theme=dark for dark theme.
  • /theme=light for light theme.

Test Relay State Sign-in

  1. In your browser, navigate to the URL you have created with the Relay State.

    The site prompts you to log in to the relying party trust that you configured in ADFS.

  2. Select the site you intend to log in to from the list of relying party trusts.

  3. Click Sign In.

  4. Enter a valid e-mail address and password, then click Sign In. This e-mail and password must match a user configured in your Windows Server Active Directory.

    This completes the process for signing in to Cloud One. The page redirects you to Workload Security if the Relay State was configured correctly.

Valid Relay States:

Relay State | Destination Service
----------- | -------------------
/workload   | Endpoint Protection

Download the metadata XML for ADFS

  1. Navigate to https://YOUR-DNS/FederationMetadata/2007-06/FederationMetadata.xml to obtain your Federated Metadata XML.

Configure SAML in Trend Cloud One

  1. From the Trend Cloud One Identity Providers page, click New.
  2. In Identity Provider, type a name for the Alias. This name should include the identity provider such as Microsoft Entra ID or Okta.
  3. In Metadata XML File, click Browse, and then navigate to the metadata file that you downloaded from the identity provider (not Trend Cloud One).
  4. Use the Mapping section (see About SAML single sign-on) to provide a role and attribute.
  5. Set Role attribute to http://schemas.xmlsoap.org/claims/Group
  6. Set Group to group (this is the value from Outgoing claim value that you entered when creating the group claim), and then map it to a Trend Cloud One role.
  7. Set Name attribute to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name and leave Locale attribute and Timezone attribute empty.
  8. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.

Test SAML SSO

  1. Return to ADFS.
  2. From ADFS, navigate to https://YOUR-DNS/adfs/ls/idpinitiatedsignon.
  3. Log in as one of the users in your Active Directory and you will be automatically logged in to Trend Cloud One.

If you are having difficulties, see the troubleshooting SAML guide.