Table of contents

Azure Active Directory (AD) setup guide

For more information on configuring SAML SSO with Azure Active Directory to work with Trend Cloud One Workload Security, see Configure SAML single sign-on with Azure Active Directory

Download the metadata XML for Trend Micro Cloud One

  1. Log into Trend Micro Cloud One with Full Access to the Identity and Account permissions.
  2. Click Administration near the bottom of the page.
  3. Click the Identity Providers tab on the left.
  4. Click the Download Metadata XML for Trend Micro Cloud One link, or right-click the link, and select an option to save the file.

This XML file will be uploaded to Azure in order to configure SAML. You will use a different XML file to upload into Cloud One later.

Configuring SAML in Azure AD

Refer to Azure's Documentation for further details on the steps below.

Create your Azure application

  1. Login to Azure. Ensure you select the directory that you wish to setup SAML.
  2. Navigate to Azure Active Directory and select Enterprise Applications.
  3. Click New Application then select Create your own application (if it is disabled--that is, grayed out--then ensure you have admin access to your subscription).
  4. Provide a name for your app and select non-gallery (below), then click Create.
  5. Click Single sign-on in the left nav bar and select SAML for the single sign-on method.

Assign users and groups

  1. Click Users and groups on the left, then click Add user/group. Select the user or group you wish to assign to your application.
  2. If you select individual users, ensure that they are part of a group and take note of any Group ID, as we will use it later. If you select a group then take note of the Object ID for later use.

Basic SAML configuration

  1. Click Single sign-on on the left, then click Upload metadata file and select the Cloud One metadata file.
  2. Verify that the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) have been filled out. Note that the Reply URL will contain the path /idpresponse. In addition, to have the user's sign-in open Workload Security automatically, in the Relay State field, type /workload.
  3. Click Save on the right hand side.

Set console theme

Specifying a theme query parameter is optional, and it allows customers to specify a particular theme in the relayState they get from the Identity Provider SAML response. The valid theme values are "light" and "dark". If "dark" is chosen, then the Trend Micro Cloud One console will open in the dark mode. If no theme parameter is specified, the browser will default to light mode, or whatever is saved within a customer's local browser setting.

To specify the theme, the relayState in the SAML response should include "theme" as a query parameter with a value of either "dark" or "light".

For relayState:

  • /theme=dark for dark theme.
  • /theme=light for light theme.

Attributes and Claims

  1. Click Edit to set up the Attributes and Claims.
  2. Leave the Name ID required claim set to default.
  3. Click Add a group claim. Here you can add the groups of those you wish to access Cloud One. Select the best option that reflects the group you previously assigned to your application. For more information please reference Azure's documentation.
  4. Leave the source attribute set to Group ID then click Save. Take note of the claim name, for example:
  5. Back in Attributes and Claims, click Add new claim, enter the name locale and for Source attribute select user.preferredlanguage then click Save

See the attributes claims guide for more information.

Configure SAML in Cloud One

  1. From the Cloud One Identity Providers page, click New.
  2. From the Identity Provider dialog box, in the Alias field, type any name, but we recommend that the name include the identity provider, such as Azure AD or Okta.
  3. In the Metadata XML File box, click the Browse button, then navigate to the metadata file that you downloaded from the identity provider (not Cloud One).
  4. For the Mapping section (see explanation in About SAML single sign-on) provide a role and attribute as detailed in the next steps.
  5. Set Role attribute to: (This is the claim name from the group claim.)
  6. Set Group to the Group ID or Object ID of the group you assigned earlier then map it to a Cloud One role.
  7. Set the Name attribute to
  8. Set the Locale attribute to locale
  9. Leave Timezone attribute empty as there is no claim for timezone.
  10. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.


  1. From Azure, inside Single sign-on click Test on the bottom to test logging in as the current user.
  2. To test the normal workflow, navigate to My Apps for Microsoft and select your SAML application to log in to Cloud One.

If you are having difficulties, please reference our troubleshooting SAML guide for assistance.