Azure Active Directory (AD) setup guide

This page applies to new accounts created on or after August 4, 2021, and to accounts upgraded to the new sign-in system.

Download the metadata XML for Cloud One

  1. Log into Cloud One with Full Access to the Identity and Account permissions.
  2. Click User Management near the bottom of the page.
  3. Click the Identity Providers tab on the left.
  4. Click the Download Metadata XML for Trend Micro Cloud One link, or right-click the link, and select an option to save the file.

This XML file will be uploaded to Azure in order to configure SAML. You will use a different XML file to upload into Cloud One later.

Configuring SAML in Azure AD

Refer to Azure's Documentation for further details on the steps below.

Create your Azure application

  1. Log in to Azure. Ensure you select the directory in which you wish to set up SAML.
  2. Navigate to Azure Active Directory and select Enterprise Applications.
  3. Click New Application, then select Create your own application (if the option is disabled, that is, grayed out, ensure that you have admin access to your subscription).
  4. Provide a name for your app and select the non-gallery option, then click Create.
  5. Click Single sign-on in the left nav bar and select SAML for the single sign-on method.

Assign users and groups

  1. Click Users and groups on the left, then click Add user/group. Select the user or group you wish to assign to your application.
  2. If you select individual users, ensure that they are part of a group and take note of any Group ID, as we will use it later. If you select a group then take note of the Object ID for later use.

Basic SAML configuration

  1. Click Single sign-on on the left, then click Upload metadata file and select the Cloud One metadata file.
  2. Verify that the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) have been filled out. Note that the Reply URL will contain the path /idpresponse.
  3. Click Save on the right hand side.

Attributes and Claims

  1. Click Edit to set up the Attributes and Claims.
  2. Leave the Name ID required claim set to default.
  3. Click Add a group claim. Here you can add the groups of those you wish to access Cloud One. Select the best option that reflects the group you previously assigned to your application. For more information please reference Azure's documentation.
  4. Leave the source attribute set to Group ID then click Save. Take note of the claim name, for example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
  5. Back in Attributes and Claims, click Add new claim, enter the name locale and for Source attribute select user.preferredlanguage then click Save and

See the attributes claims guide for more information.

Configure SAML in Cloud One

  1. From the Cloud One Identity Providers page, click New.
  2. From the Identity Provider dialog box, in the Alias field, type any name, but we recommend that the name include the identity provider, such as Azure AD or Okta.
  3. In the Metadata XML File box, click the Browse button, then navigate to the metadata file that you downloaded from the identity provider (not Cloud One).
  4. For the Mapping section (see explanation in About SAML single sign-on) provide a role and attribute as detailed in the next steps.
  5. Set Role attribute to: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups (This is the claim name from the group claim.)
  6. Set Group to the Group ID or Object ID of the group you assigned earlier then map it to a Cloud One role.
  7. Set the Name attribute to http://schemas.microsoft.com/identity/claims/displayname.
  8. Set the Locale attribute to locale.
  9. Leave Timezone attribute empty as there is no claim for timezone.
  10. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.
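As an added example (not Cloud One or Azure code) of what the Mapping section configures, this Python snippet reads the three claims named in the steps above from a constructed SAML assertion and maps the group Object ID to a role; the group ID, the role name and the ROLE_MAPPING table are placeholders.

```python
# Added example, not Cloud One or Azure code: read the AttributeStatement of a
# SAML assertion and apply a group-to-role mapping like the Cloud One Mapping
# section. The assertion and the group Object IDs below are constructed.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NAME_CLAIM = "http://schemas.microsoft.com/identity/claims/displayname"
LOCALE_CLAIM = "locale"
# Assumed mapping: Azure AD group Object ID -> Cloud One role name.
ROLE_MAPPING = {"00000000-0000-0000-0000-000000000001": "full-access"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="locale"><saml:AttributeValue>en-US</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def resolve_roles(attrs, mapping=ROLE_MAPPING):
    """Map each group claim value to a role; groups without a mapping grant nothing."""
    return sorted({mapping[g] for g in attrs.get(GROUP_CLAIM, []) if g in mapping})


def check_assertion(assertion_xml):
    """Summarise name, locale and roles; list the claims the mapping needs but lacks."""
    attrs = extract_attributes(assertion_xml)
    roles = resolve_roles(attrs)
    problems = [c for c in (GROUP_CLAIM, NAME_CLAIM, LOCALE_CLAIM) if c not in attrs]
    if not roles:
        problems.append("no group in the assertion matches a mapped role")
    return {"name": (attrs.get(NAME_CLAIM) or [None])[0],
            "locale": (attrs.get(LOCALE_CLAIM) or [None])[0],
            "roles": roles, "problems": problems}
```

The snippet only reads attributes; a real relying party verifies the assertion signature, audience and validity window before trusting any of them.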

Test SAML SSO

  1. From Azure, inside Single sign-on, click Test at the bottom to test logging in as the current user.
  2. To test the normal workflow, navigate to My Apps for Microsoft and select your SAML application to log in to Cloud One.

If you are having difficulties, please reference our troubleshooting SAML guide for assistance.