Table of contents

Google setup guide

Download the metadata XML for Trend Micro Cloud One

  1. Log into Trend Micro Cloud One with Full Access to the Identity and Account permissions.
  2. Click Administration near the bottom of the page.
  3. Click the Identity Providers tab on the left.
  4. Click the Download Metadata XML for Trend Micro Cloud One link, or right-click the link, and select an option to save the file.

This XML file will be read in order to configure SAML in Google. You will use a different XML file to upload into Cloud One later.

Configuring SAML in Google

Refer to Google's Documentation for further details on the steps below.

As of publishing this article, Google is still in beta for sending a user's group membership in the SAML response. As a workaround, this guide will implement the use of custom attributes to map to and will include notations of where to use group membership should your account have access to that feature. To use custom attributes: navigate to Directory > Users. Click More options, select Manager user attributes then click Add custom attribute. This will be used to determine what users have access to what roles in Cloud One. Set the category for it to go under, for example: CloudOneRole. Set the name to role, visible to organization and single value. Next update your users profile to have a value in that custom field, for example: full-access. We will map to that later on in this guide.

Adding your custom SAML app

  1. Log in to Google Admin console with super administrator privileges.
  2. On the left side, navigate to Apps > Web and mobile apps. Click Add app, select Add custom SAML app, provide a name for your application then click Continue.
  3. Click Download Metadata then Continue.
  4. Fill in the next sections as follows, clicking Continue as you complete each section:

Service Provider Details:

Field Value Notes
ACS URL From the Cloud One metadata XML file, enter the value for AssertionConsumerService > Location For example:
Entity ID From the Cloud One metadata XML file, enter the value for entityID For example:
Start URL Empty or "/workload" Set this if you would like users to be automatically taken to Workload Security upon sign-in
  • Leave other fields as their default values

Attribute Mapping:

Google Directory attributes App attributes
Basic Information > First name name
CloudOneRole > role role

If Group membership is available then do not include the custom attribute (CloudOneRole) mapping. Instead under Google groups search for and select the groups you wish to map to your application. Under App attributes enter role.

See the attributes claims guide for more information.

Configuring user access

  1. Inside your SAML app, click User access then select ON for everyone and click Save.
  2. Expand Groups on the left, search for and/or click the group you wish to provide access to your apps. Select ON for everyone and click Save.

Configure SAML in Cloud One

  1. From the Cloud One Identity Providers page, click New.
  2. From the Identity Provider dialog box, in the Alias field, type any name, but we recommend that the name include the identity provider, such as Google.
  3. In the Metadata XML File box, click the Browse button, then navigate to the metadata file that you downloaded from the identity provider (not Cloud One)
  4. For the Mapping section (see explanation in About SAML single sign-on) provide a role and attribute as detailed in the next steps.
  5. Set Role attribute to: role.
  6. Set Group to the name of the custom attribute, for example: full-access or a group you mapped to, then map it to a Cloud One role.
  7. For the remaining optional attributes, provide the following values:
  8. Set Name attribute to: name and leave Locale attribute and Timezone attribute empty.
  9. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.

Set console theme

Specifying a theme query parameter is optional, and it allows users to specify a particular theme in the relayState they get from the Identity Provider SAML response. The valid theme values are "light" and "dark". If "dark" is chosen, then the Trend Micro Cloud One console will open in the dark mode. If no theme parameter is specified, the browser will default to light mode, or whatever is saved within a user's local browser setting.

To specify the theme, the relayState in the SAML response should include "theme" as a query parameter with a value of either "dark" or "light".

For relayState:

  • /theme=dark for dark theme.
  • /theme=light for light theme.


  1. Back in your application in Google, make sure you sign out, clear cache and sign back in. Otherwise you may get Error: not_a_saml_app because your existing session doesn't know about it's association with your new application.
  2. Once you're back to your application: click Test SAML login and you will be automatically logged in to Cloud One.

If you are having difficulties, please reference our troubleshooting SAML guide for assistance.