Active Directory Federation Services (ADFS) setup guide

This page applies to new accounts created on or after August 4, 2021, and to accounts upgraded to the new sign-in system.

Download the metadata XML for Cloud One

  1. Log into Cloud One with Full Access to the Identity and Account permissions.
  2. Click User Management near the bottom of the page.
  3. Click the Identity Providers tab on the left.
  4. Click the Download Metadata XML for Trend Micro Cloud One link, or right-click the link, and select an option to save the file.

This XML file will be uploaded to ADFS in order to configure SAML. You will use a different XML file to upload into Cloud One later.

Configure SAML in ADFS

Refer to Microsoft's Documentation for further details on the steps below.

This assumes you have users in your Active Directory that are associated with at least one group. These users must have valid e-mail addresses for the configuration below to work, because the e-mail address is used as the SAML Name ID.

Add Relying Party Trust

  1. Open the ADFS Management console, then click Add Relying Party Trust. Select Claims aware (if available), then click Start.
  2. Select Import data about the relying party from a file and upload the Cloud One metadata file.
  3. Enter a display name that identifies this is for Cloud One then click Next.
  4. Select your access control policy; for example: permit everyone, certain groups, etc. (You will define group claims in a later step.)
  5. Click Next until you reach the final page, then click Finish.

Add Claim Issuance Policy

  1. From the Relying Party Trusts, click Edit Claim Issuance Policy.

Name ID

  1. Click Add Rule, select Send LDAP Attributes as Claims, and type whatever name you like for the rule, such as "E-mail to E-mail".
  2. Select Active Directory for the attribute store, then map LDAP Attribute E-Mail-Addresses to outgoing claim type E-Mail Address. Click Finish.
  3. Click Add Rule and select Transform an Incoming Claim, and type whatever name you like for the rule, such as "E-mail to Name ID".
  4. For incoming, select E-Mail Address. For outgoing claim type, select Name ID. For the outgoing name ID format, select Email. Verify that Pass through all claim values is selected, then click Finish.

Group claim

  1. Click Add Rule, select Send Group Membership as a Claim, and type whatever name you like for the rule, such as "Group Membership".
  2. Select the group that your users belong to. For Outgoing claim type, select Group. For Outgoing claim value, type a name for this claim, for example: group. Remember this value for later.

Name mapping

  1. Click Add Rule, select Send LDAP Attributes as Claims, and type whatever name you like for the rule, such as "Display Name to Name".
  2. Select Active Directory for the store, then map LDAP Attribute Display-Name to Name, then click OK.

See the attributes claims guide for more information.

Download the metadata XML for ADFS

  1. Navigate to https://YOUR-DNS/FederationMetadata/2007-06/FederationMetadata.xml to obtain your Federated Metadata XML.
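The following PowerShell script is an added example, not part of this guide or of Trend Micro's tooling. It performs the same ADFS steps as the console walkthrough above (create the relying party trust from the Cloud One metadata, add the four claim rules, and fetch the ADFS federation metadata for upload to Cloud One) so the configuration can be reviewed and repeated. It assumes it runs on an ADFS 2016 or later server with the ADFS and ActiveDirectory modules, and the file path, trust name, AD group name (`CloudOne-Users`), and ADFS host name are placeholders to adjust. It also adds a pre-flight check that every group member has a mail attribute, since the Name ID rule depends on it.

```powershell
# Added example (not from the Trend Micro guide): scripted equivalent of the
# ADFS console steps above. Assumptions: run on the ADFS server as an ADFS admin,
# ADFS 2016+ and ActiveDirectory PowerShell modules available, placeholder
# values below adjusted to your environment.
Import-Module ADFS
Import-Module ActiveDirectory

$metadataFile = 'C:\temp\cloudone-metadata.xml'   # file downloaded from Cloud One (placeholder path)
$trustName    = 'Trend Micro Cloud One'            # display name for the relying party trust
$adGroup      = 'CloudOne-Users'                   # assumed AD group whose members get access
$groupClaim   = 'group'                            # Outgoing claim value; reused in Cloud One's Group mapping
$adfsHost     = 'adfs.example.com'                 # placeholder for YOUR-DNS

# Pre-flight check: the Name ID rule below is built from the mail attribute,
# so any group member without an e-mail address will fail to sign in.
$missingMail = Get-ADGroupMember -Identity $adGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties mail |
    Where-Object { [string]::IsNullOrWhiteSpace($_.mail) }
if ($missingMail) {
    Write-Warning "Users without a mail attribute: $($missingMail.SamAccountName -join ', ')"
}

# The group membership rule matches on the group SID, not its name.
$groupSid = (Get-ADGroup -Identity $adGroup).SID.Value

# Claim issuance rules in ADFS claim rule language, one per console rule above.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail to E-mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Group Membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$groupClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleTemplate = "LdapClaims"
@RuleName = "Display Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";displayName;{0}", param = c.Value);
"@

# Create the relying party trust from the Cloud One metadata, with the built-in
# "Permit everyone" access control policy (group access is governed by the claim rules).
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile `
    -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $rules

# Confirm the rules were applied to the trust.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules

# Fetch the ADFS federation metadata that is uploaded to Cloud One in the next section.
Invoke-WebRequest -Uri "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml" `
    -OutFile 'C:\temp\adfs-federation-metadata.xml'
```

The claim type emitted by the group rule (`http://schemas.xmlsoap.org/claims/Group`) and the value `group` are the two values entered in Cloud One's Role attribute and Group fields below; if you change `$groupClaim`, change the Cloud One mapping to match.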

Configure SAML in Cloud One

  1. From the Cloud One Identity Providers page, click New.
  2. From the Identity Provider dialog box, in the Alias field, type any name, but we recommend that the name include the identity provider, such as Azure AD or Okta.
  3. In the Metadata XML File box, click the Browse button, then navigate to the metadata file that you downloaded from the identity provider (not Cloud One).
  4. For the Mapping section (see explanation in About SAML single sign-on) provide a role and attribute as detailed in the next steps.
  5. Set Role attribute to: http://schemas.xmlsoap.org/claims/Group
  6. Set Group to: group (This is the value from Outgoing claim value that you entered when creating the group claim) then map it to a Cloud One role.
  7. Set Name attribute to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name and leave Locale attribute and Timezone attribute empty.
  8. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.

Test SAML SSO

  1. Return to ADFS. From ADFS, navigate to https://YOUR-DNS/adfs/ls/idpinitiatedsignon.
  2. Log in as one of the users in your Active Directory and you will be automatically logged in to Cloud One.

If you are having difficulties, please reference our troubleshooting SAML guide for assistance.