Active Directory Federation Services (ADFS) setup guide

Download the metadata XML for Trend Micro Cloud One

  1. Log into Trend Micro Cloud One with Full Access to the Identity and Account permissions.
  2. Click Administration near the bottom of the page.
  3. Click the Identity Providers tab on the left.
  4. Click the Download Metadata XML for Trend Micro Cloud One link, or right-click the link, and select an option to save the file.

You will upload this XML file to ADFS to configure SAML. A different XML file, downloaded from ADFS, is uploaded into Cloud One later.

Configure SAML in ADFS

Refer to Microsoft's Documentation for further details on the steps below.

This assumes you have users in your Active Directory who belong to at least one group. These users must have valid e-mail addresses for the configuration below to work.

Add Relying Party Trust

  1. Open the ADFS Management console, then click Add Relying Party Trust. Select Claims aware (if available), then click Start.
  2. Select Import data about the relying party from a file and upload the Cloud One metadata file.
  3. Enter a display name that identifies this trust as the one for Cloud One, then click Next.
  4. Select your access control policy; for example: permit everyone, certain groups, etc. (You will define group claims in a later step.)
  5. Click Next until you reach the final page, then click Finish.

Add Claim Issuance Policy

  1. From the Relying Party Trusts, click Edit Claim Issuance Policy.

Name ID

  1. Click Add Rule, select Send LDAP Attributes as Claims, and type whatever name you like for the rule, such as "E-mail to E-mail".
  2. Select Active Directory for the attribute store, then map LDAP Attribute E-Mail-Addresses to outgoing claim type E-Mail Address. Click Finish.
  3. Click Add Rule and select Transform an Incoming Claim, and type whatever name you like for the rule, such as "E-mail to Name ID".
  4. For incoming, select E-Mail Address. For outgoing claim type, select Name ID. For the outgoing name ID format, select Email. Verify that Pass through all claim values is selected, then click Finish.

Group claim

  1. Click Add Rule, select Send Group Membership as a Claim, and type whatever name you like for the rule, such as "Group Membership".
  2. Select the group that your users belong to. For Outgoing claim type, select Group. For Outgoing claim value, type a name for this claim, for example: group. Remember this value for later.

Name mapping

  1. Click Add Rule, select Send LDAP Attributes as Claims, and type whatever name you like for the rule, such as "Display Name to Name".
  2. Select Active Directory for the store, then map LDAP Attribute Display-Name to Name, then click OK.

See the attributes claims guide for more information.

Relay State

Currently this feature only works for Trend Micro Cloud One Workload Security.

To have users automatically taken to Cloud One Workload Security on sign in, follow the steps below. Otherwise, skip to the Download the metadata XML for ADFS section.

Steps for ADFS 2.0

Skip to Steps for ADFS 3.0 if you are using ADFS 3.0 and not ADFS 2.0.

  1. Install KB2681584 (Update Rollup 2) or KB2790338 (Update Rollup 3) to provide Relay State support.
  2. Open the following file in a text editor (such as Notepad): %systemroot%\inetpub\adfs\ls\web.config.
  3. In the microsoft.identityServer.web section of the web.config file, add a useRelayStateForIdpInitiatedSignOn element as follows, and save the change: <microsoft.identityServer.web> ... <useRelayStateForIdpInitiatedSignOn enabled="true" /> ... </microsoft.identityServer.web>
  4. To restart Internet Information Services (IIS), from the command line, type iisreset.
  5. Open the services app on the Windows machine, right-click on the Active Directory Federation Services, and then select the Restart option.

Steps for ADFS 3.0

  1. Open the following file in a text editor (such as Notepad): %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config.
  2. In the microsoft.identityServer.web section of the file you just opened, add a useRelayStateForIdpInitiatedSignOn element as follows, and save the change: <microsoft.identityServer.web> ... <useRelayStateForIdpInitiatedSignOn enabled="true" /> ... </microsoft.identityServer.web>
  3. Open the services app on the Windows machine, right-click on the Active Directory Federation Services, and then select the restart option.

Common steps for both ADFS 2.0 and ADFS 3.0

  1. From the PowerShell prompt, type Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true.
  2. From the Windows Run dialog box, type %windir%\ADFS\Microsoft.IdentityServer.msc to open the AD FS Management Application.
  3. On the left side of the application under AD FS, select the Relying Party Trusts folder.
  4. Right-click on your trust and select Properties.
  5. Select the Identifiers tab.
  6. Take note of the Relying Party Identifier (For example: https://saml.cloudone.trendmicro.com).
  7. Encode the RPID using any URL encoder (such as https://www.urlencoder.org/).
  8. Encode your chosen Relay State from the Valid Relay States table below (For example /workload would be %2Fworkload).
  9. Encode the value RelayState=<Your encoded Relay State> (For example, RelayState%3D%252Fworkload).
  10. You can now create the full RelayState string: ?RelayState=RPID%3D<Your encoded RPID>%26RelayState%3D%252Fworkload (For example: ?RelayState=RPID%3Dhttps%3A%2F%2Fsaml.cloudone.trendmicro.com%26RelayState%3D%252Fworkload).
  11. When using SAML SSO, append the RelayState string to the end of your URL https://YOUR-DNS/adfs/ls/idpinitiatedsignon. It should have a form similar to this: https://YOUR-DNS/adfs/ls/idpinitiatedsignon?RelayState=RPID%3Dhttps%3A%2F%2Fsaml.cloudone.trendmicro.com%26RelayState%3D%252Fworkload
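Steps 6 to 11 carried out in PowerShell, as an added example that is not part of this guide: it applies the guide's encoding order (RPID encoded once, the RelayState parameter encoded twice) and then decodes the result once to show what ADFS sees. The RPID and relay state are the guide's own sample values; YOUR-DNS is the guide's placeholder for your federation service host.

```powershell
# Added example (not from the guide): builds the IdP-initiated sign-on URL of steps 6-11.
function New-CloudOneRelayStateUrl {
    param(
        [Parameter(Mandatory)][string]$AdfsHost,     # federation service DNS name (YOUR-DNS)
        [Parameter(Mandatory)][string]$Rpid,         # Relying Party Identifier (step 6)
        [Parameter(Mandatory)][string]$RelayState    # value from the Valid Relay States table (step 8)
    )
    # Step 7: encode the RPID once (':' -> %3A, '/' -> %2F)
    $encodedRpid = [System.Uri]::EscapeDataString($Rpid)
    # Step 8: encode the relay state once ('/workload' -> '%2Fworkload')
    $encodedRelay = [System.Uri]::EscapeDataString($RelayState)
    # Step 9: encode "RelayState=<encoded relay state>" a second time;
    # '=' becomes %3D and the already-encoded %2F becomes %252F
    $encodedRelayParam = [System.Uri]::EscapeDataString("RelayState=$encodedRelay")
    # Step 10: the '=' and '&' joining the two parts are written pre-encoded as %3D and %26
    $query = "?RelayState=RPID%3D${encodedRpid}%26${encodedRelayParam}"
    # Step 11: append the query to the IdP-initiated sign-on endpoint
    return "https://$AdfsHost/adfs/ls/idpinitiatedsignon$query"
}

# Check: decode the outer RelayState value once, which is what ADFS does before it
# looks up the RPID, and print the two parameters it then parses.
function Show-DecodedRelayState([string]$Url) {
    $outer = ($Url -split '\?RelayState=', 2)[1]
    $inner = [System.Uri]::UnescapeDataString($outer)   # RPID=https://...&RelayState=%2Fworkload
    foreach ($pair in $inner -split '&') {
        $name, $value = $pair -split '=', 2
        # RPID must now match the trust's identifier exactly; RelayState is still encoded once
        '{0,-10} {1}' -f $name, $value
    }
}

$url = New-CloudOneRelayStateUrl -AdfsHost 'YOUR-DNS' -Rpid 'https://saml.cloudone.trendmicro.com' -RelayState '/workload'
$url
Show-DecodedRelayState $url
```

If the decoded RPID line does not match the identifier shown on the trust's Identifiers tab character for character, ADFS will not select that trust and the relay state is ignored.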

Set console theme

Specifying a theme query parameter is optional, and it allows users to specify a particular theme in the relayState they get from the Identity Provider SAML response. The valid theme values are "light" and "dark". If "dark" is chosen, then the Trend Micro Cloud One console will open in the dark mode. If no theme parameter is specified, the browser will default to light mode, or whatever is saved within a user's local browser setting.

To specify the theme, the relayState in the SAML response should include "theme" as a query parameter with a value of either "dark" or "light".

For relayState:

  • /theme=dark for dark theme.
  • /theme=light for light theme.

Test Relay State Sign in

  1. Open your browser and navigate to the URL you created with the Relay State.

A prompt will appear so that you can log in to the relying party trust you configured in ADFS.
A drop-down will appear with all possible relying party trusts.

  2. Select the site you intend to log in to.
  3. Click the Sign In button.

You will be prompted to enter your e-mail and password.
This e-mail and password must match a user configured in your Windows Server Active Directory.

  4. Enter a valid e-mail address and password, then click Sign In.

You will be signed in to Cloud One. If the Relay State has been configured correctly, then you will be redirected to Workload Security.

Valid Relay States:

Relay State    Destination Service
/workload      Endpoint Protection

Download the metadata XML for ADFS

  1. Navigate to https://YOUR-DNS/FederationMetadata/2007-06/FederationMetadata.xml to obtain your Federated Metadata XML.

Configure SAML in Cloud One

  1. From the Cloud One Identity Providers page, click New.
  2. From the Identity Provider dialog box, in the Alias field, type any name, but we recommend that the name include the identity provider, such as Azure AD or Okta.
  3. In the Metadata XML File box, click the Browse button, then navigate to the metadata file that you downloaded from the identity provider (not Cloud One).
  4. In the Mapping section (see the explanation in About SAML single sign-on), provide a role and attribute as detailed in the next steps.
  5. Set Role attribute to: http://schemas.xmlsoap.org/claims/Group
  6. Set Group to: group (this is the Outgoing claim value that you entered when creating the group claim), then map it to a Cloud One role.
  7. Set Name attribute to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name and leave Locale attribute and Timezone attribute empty.
  8. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.

Test SAML SSO

  1. Return to ADFS and navigate to https://YOUR-DNS/adfs/ls/idpinitiatedsignon.
  2. Log in as one of the users in your Active Directory, and you will be automatically logged in to Cloud One.

If you are having difficulties, please reference our troubleshooting SAML guide for assistance.