Microsoft Entra ID setup guide

For more information on configuring SAML SSO with Microsoft Entra ID (formerly known as Microsoft Azure Active Directory) to work with Trend Cloud One Workload Security, see Configure SAML single sign-on with Microsoft Entra ID.

Download the metadata XML for Trend Cloud One

  1. Log in to Trend Cloud One with Full Access to the Identity and Account permissions.
  2. Select Administration.
  3. Select Identity Providers on the left.
  4. Click Download Metadata XML for Trend Cloud One, or right-click and select the option to save the file.

This XML file is uploaded to Microsoft Entra ID in order to configure SAML. You will use a different XML file to upload into Trend Cloud One later, as described in Basic SAML configuration.

Configuring SAML in Microsoft Entra ID

For details, see Microsoft Entra ID documentation.

Create your Azure application

  1. Log in to Azure. Ensure you select the directory for which you wish to set up SAML.
  2. Navigate to Microsoft Entra ID and select Enterprise Applications.
  3. Click New Application and then select Create your own application (if it is disabled or appears grayed out, ensure you have admin access to your subscription).
  4. Provide a name for your app and select non-gallery, then click Create.
  5. Click Single sign-on, and then select SAML for the single sign-on method.

Assign users and groups

  1. Click Users and groups on the left, then click Add user/group. Select the user or group you wish to assign to your application.
  2. If you select individual users, ensure that they are part of a group and take note of any Group ID, as you will use it later. If you select a group, then take note of the Object ID for later use.

Basic SAML configuration

  1. Click Single sign-on on the left, then click Upload metadata file and select the Trend Cloud One metadata file.
  2. Verify that the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) have been filled out. Note that the Reply URL contains the path /idpresponse. In addition, to have the user's sign-in open Workload Security automatically, in the Relay State field, type /workload.
  3. Click Save.

Set console theme

Specifying a theme query parameter is optional. It lets customers choose a particular console theme through the RelayState they get from the Identity Provider SAML response. The valid theme values are light and dark. If dark is selected, the Trend Cloud One console opens in dark mode. If no theme parameter is specified, the browser defaults to light mode, or to whatever is saved in the user's local browser setting.

To specify the theme, the RelayState in the SAML response should include theme as a query parameter with a value of either dark or light.

For RelayState:

  • /theme=dark for dark theme.
  • /theme=light for light theme.

Attributes and Claims

  1. Click Edit to set up the Attributes and Claims.
  2. Leave the Name ID required claim set to default.
  3. Click Add a group claim. Here you can add the groups whose members should have access to Cloud One. Select the option that best reflects the group you previously assigned to your application. For more information, see Microsoft Entra ID documentation.

  4. Leave the source attribute set to Group ID, then click Save. Take note of the claim name, for example:

  5. Back in Attributes and Claims, click Add new claim, enter the name locale, and for Source attribute select user.preferredlanguage, then click Save.

See the attributes claims guide for more information.

Configure SAML in Trend Cloud One

  1. From the Trend Cloud One Identity Providers page, click New.
  2. In Identity Provider, type a name for the Alias. The name should include the identity provider, such as Microsoft Entra ID or Okta.
  3. In Metadata XML File, click Browse, then navigate to the metadata file that you downloaded from the identity provider (not Trend Cloud One).
  4. For the Mapping section (see About SAML single sign-on), provide a role and attribute, as described in the next steps.
  5. Set Role attribute to This is the claim name from the group claim.
  6. Set Group to the Group ID or Object ID of the group you assigned earlier, and then map it to a Trend Cloud One role.
  7. Set Name attribute to
  8. Set Locale attribute to locale.
  9. Leave Timezone attribute empty, as there is no claim for time zone.
  10. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.
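
This guide uses two metadata XML files that are easy to mix up: the Trend Cloud One file goes into Microsoft Entra ID, and the identity provider's file goes into Trend Cloud One. The following Python check is an added example, not code from Trend Micro or Microsoft, that confirms a file is the right kind before you upload it. The function name check_upload, the sample hosts and the https requirement on the Reply URL are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_upload(xml_text, target):
    """List problems with uploading this metadata to 'entra' or 'cloudone'."""
    if target not in ("entra", "cloudone"):
        raise ValueError("target must be 'entra' or 'cloudone'")
    # Intended for files the administrator downloaded; not a hardened parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not root.get("entityID"):
        return ["not a SAML EntityDescriptor with an entityID"]
    problems = []
    if target == "entra":  # expects the Trend Cloud One (service provider) file
        sp = root.find("md:SPSSODescriptor", NS)
        if sp is None:
            return ["no SPSSODescriptor: not service provider metadata"]
        urls = [urlparse(e.get("Location", ""))
                for e in sp.findall("md:AssertionConsumerService", NS)]
        if not any("/idpresponse" in u.path for u in urls):
            problems.append("no Reply URL containing /idpresponse")
        # Assumption added for this example: every Reply URL should be https.
        if any(u.scheme != "https" for u in urls):
            problems.append("Reply URL is not https")
    else:  # expects the file downloaded from the identity provider
        idp = root.find("md:IDPSSODescriptor", NS)
        if idp is None:
            return ["no IDPSSODescriptor: not identity provider metadata"]
        if not idp.findall("md:SingleSignOnService", NS):
            problems.append("no SingleSignOnService endpoint")
        if idp.find(".//ds:X509Certificate", NS) is None:
            problems.append("no signing certificate")
    return problems

# Constructed sample metadata (placeholder hosts, not real endpoints).
_HEAD = '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="%s">'
SP_SAMPLE = (_HEAD % "https://sp.example.test/saml") + """
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" Location="https://sp.example.test/idpresponse"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </SPSSODescriptor></EntityDescriptor>"""
IDP_SAMPLE = (_HEAD % "https://idp.example.test/") + """
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>CONSTRUCTED-PLACEHOLDER</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Location="https://idp.example.test/saml2"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </IDPSSODescriptor></EntityDescriptor>"""
```

An empty list means the file has the shape expected for that upload; the check does not validate the certificate itself.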


  1. From Azure, inside Single sign-on, click Test to test logging in as the current user.
  2. To test the regular workflow, navigate to My Apps for Microsoft and select your SAML application to log in to Trend Cloud One.

If you are having difficulties, see Troubleshooting SAML setup.