Google setup guide

This page applies to new accounts created on or after August 4, 2021, and to accounts upgraded to the new sign-in system.

Download the metadata XML for Cloud One

  1. Log in to Cloud One with Full Access to the Identity and Account permissions.
  2. Click User Management near the bottom of the page.
  3. Click the Identity Providers tab on the left.
  4. Click the Download Metadata XML for Trend Micro Cloud One link, or right-click the link, and select an option to save the file.

You will read values from this XML file to configure SAML in Google. Later, you will upload a different XML file (the one downloaded from Google) into Cloud One.

Configuring SAML in Google

Refer to Google's Documentation for further details on the steps below.

As of publishing this article, Google's support for sending a user's group membership in the SAML response is still in beta. As a workaround, this guide uses a custom attribute for the role mapping, and notes where to use group membership instead should your account have access to that feature.

To use custom attributes:

  1. Navigate to Directory > Users.
  2. Click More options, select Manage user attributes, then click Add custom attribute. This attribute determines which users have access to which roles in Cloud One.
  3. Set the category for it to go under, for example: CloudOneRole.
  4. Set the name to role, visible to organization, and single value.
  5. Update your users' profiles to have a value in that custom field, for example: full-access. This value is mapped to a Cloud One role later in this guide.

Adding your custom SAML app

  1. Log in to Google Admin console with super administrator privileges.
  2. On the left side, navigate to Apps > Web and mobile apps. Click Add app, select Add custom SAML app, provide a name for your application then click Continue.
  3. Click Download Metadata then Continue.
  4. Fill in the next sections as follows, clicking Continue as you complete each section:

Service Provider Details:

Field | Value | Notes
ACS URL | From the Cloud One metadata XML file, enter the value for AssertionConsumerService > Location | For example:
Entity ID | From the Cloud One metadata XML file, enter the value for entityID | For example:
  • Leave other fields as their default values

Attribute Mapping:

Google Directory attributes | App attributes
Basic Information > First name | name
CloudOneRole > role | role

If group membership is available, do not include the custom attribute (CloudOneRole) mapping. Instead, under Google groups, search for and select the groups you wish to map to your application. Under App attributes, enter role.

See the attributes claims guide for more information.

Configuring user access

  1. Inside your SAML app, click User access then select ON for everyone and click Save.
  2. Expand Groups on the left, search for and/or click the group you wish to provide access to your apps. Select ON for everyone and click Save.

Configure SAML in Cloud One

  1. From the Cloud One Identity Providers page, click New.
  2. From the Identity Provider dialog box, in the Alias field, type any name, but we recommend that the name include the identity provider, such as Google.
  3. In the Metadata XML File box, click the Browse button, then navigate to the metadata file that you downloaded from the identity provider (not the one downloaded from Cloud One).
  4. For the Mapping section (see explanation in About SAML single sign-on) provide a role and attribute as detailed in the next steps.
  5. Set Role attribute to: role.
  6. Set Group to the value of the custom attribute, for example: full-access, or to a group you mapped to, then map it to a Cloud One role.
  7. For the remaining optional attributes, provide the following values:
  8. Set Name attribute to: name and leave Locale attribute and Timezone attribute empty.
  9. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.
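
The two metadata files in this guide are easy to mix up: the Cloud One (service provider) file supplies the ACS URL and Entity ID entered in Google, while the file downloaded from Google (identity provider) is the one uploaded to Cloud One. The following Python check is an added example, not Trend Micro or Google code; the function names and sample XML are constructed for illustration, and it assumes both files are standard SAML 2.0 metadata.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

def describe_metadata(xml_text):
    """Classify SAML metadata as 'sp' or 'idp' and return its entityID and endpoints."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    sp, idp = root.find("md:SPSSODescriptor", NS), root.find("md:IDPSSODescriptor", NS)
    if (sp is None) == (idp is None):
        raise ValueError("expected exactly one of SPSSODescriptor or IDPSSODescriptor")
    desc, tag = (sp, "AssertionConsumerService") if sp is not None else (idp, "SingleSignOnService")
    urls = [e.get("Location", "") for e in desc.findall(f"md:{tag}", NS)]
    if not urls or not all(u.startswith("https://") for u in urls):
        raise ValueError(f"{tag} Location is missing or not https")
    return {"role": "sp" if sp is not None else "idp", "entity_id": root.get("entityID"),
            "endpoints": urls, "has_cert": desc.find(".//ds:X509Certificate", NS) is not None}

def values_for_google(cloud_one_xml):
    """Service Provider Details: ACS URL and Entity ID come from the Cloud One (SP) file."""
    m = describe_metadata(cloud_one_xml)
    if m["role"] != "sp":
        raise ValueError("this is IdP metadata; use the file downloaded from Cloud One")
    return {"ACS URL": m["endpoints"][0], "Entity ID": m["entity_id"]}

def check_upload_for_cloud_one(google_xml):
    """Metadata XML File box: must be the IdP file from Google and carry a certificate."""
    m = describe_metadata(google_xml)
    if m["role"] != "idp":
        raise ValueError("this is SP metadata (Cloud One's own file); upload Google's file")
    if not m["has_cert"]:
        raise ValueError("IdP metadata carries no X509Certificate")
    return m["entity_id"]

# Constructed, trimmed samples (not real Cloud One or Google metadata).
SP_XML = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.invalid/saml"><SPSSODescriptor>
  <AssertionConsumerService index="0" Location="https://sp.example.invalid/saml/acs"/>
</SPSSODescriptor></EntityDescriptor>"""
IDP_XML = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.invalid/saml2"><IDPSSODescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
    <X509Certificate>CONSTRUCTED</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Location="https://idp.example.invalid/sso"/>
</IDPSSODescriptor></EntityDescriptor>"""
```

To run it against the real files, read each one as text (for example with `open(path, encoding="utf-8").read()`) and pass the result to the matching function.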


  1. Back in your application in Google, make sure you sign out, clear your cache, and sign back in. Otherwise you may get Error: not_a_saml_app because your existing session doesn't know about its association with your new application.
  2. Once you're back in your application, click Test SAML login and you will be automatically logged in to Cloud One.

If you are having difficulties, please reference our troubleshooting SAML guide for assistance.