Google setup guide

Download the metadata XML for Trend Cloud One

  1. Log into Trend Cloud One with Full Access to the Identity and Account permissions.
  2. Click Administration near the bottom of the page.
  3. Click the Identity Providers tab on the left.
  4. Click Download Metadata XML for Trend Cloud One, or right-click the link and select an option to save the file.

You will read values from this XML file when configuring SAML in Google.

Configuring SAML in Google

Refer to Google's Documentation for more details.

Google's support for sending a user's group membership in the SAML response is currently in beta. As a workaround, this guide uses a custom user attribute to carry the role, and notes where to use group membership instead if your account has access to that feature. To create the custom attribute:

  1. In the Google Admin console, navigate to Directory > Users, click More options, and select Manage user attributes.
  2. Click Add custom attribute and set the category, for example CloudOneRole. This attribute determines which users have access to which roles in Trend Cloud One.
  3. Set the name to role, visible to organization, and single value.
  4. Update each user's profile with a value in the new field, for example full-access.

The mapping from this attribute to a Trend Cloud One role is created in the subsequent steps.

Adding your custom SAML app

  1. Log in to Google Admin console with super administrator privileges.
  2. On the left side, navigate to Apps > Web and mobile apps. Click Add app, select Add custom SAML app, provide a name for your application, and then click Continue.
  3. Click Download Metadata, and then Continue.
  4. Fill in the next sections as follows, clicking Continue as you complete each section:

Service Provider Details:

  • ACS URL: from the Trend Cloud One metadata XML file, enter the value of AssertionConsumerService > Location. For example: https://saml.cloudone.trendmicro.com/idpresponse
  • Entity ID: from the Trend Cloud One metadata XML file, enter the value of entityID. For example: https://saml.cloudone.trendmicro.com
  • Start URL: leave empty, or enter "/workload" if you would like users to be taken straight to Workload Security upon sign-in.

Leave other fields as their default values.
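As an added example (not part of this guide or of Trend Micro's tooling), the following Python script reads the Trend Cloud One metadata XML and pulls out the two values the table above asks for, the entityID and the AssertionConsumerService Location, and refuses identity-provider metadata so the wrong file's values cannot end up in Google. The sample metadata is constructed around the example URLs from the table; the element layout beyond those two values is standard SAML 2.0 metadata and is an assumption about the real download, not a copy of it.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of service-provider metadata. Only entityID and the ACS Location are
# the guide's example values; the surrounding structure is standard SAML 2.0 metadata
# layout and is an assumption about the real file, not a copy of it.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.cloudone.trendmicro.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://saml.cloudone.trendmicro.com/idpresponse"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _require_https(label: str, url: str | None) -> str:
    """Fail loudly if a value is missing or would send the SAML response over plain HTTP."""
    if not url:
        raise ValueError(f"{label} is missing from the metadata")
    if urlsplit(url).scheme != "https":
        raise ValueError(f"{label} must be an https URL, got {url!r}")
    return url


def extract_sp_settings(metadata_xml: str) -> dict[str, str | bool]:
    """Return the values to enter in Google's Service Provider Details section."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")

    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        # No SPSSODescriptor usually means this is the identity provider's metadata,
        # which belongs in Trend Cloud One, not in Google.
        raise ValueError("no SPSSODescriptor: this is not Trend Cloud One's (service provider) metadata")

    acs_nodes = sp.findall("md:AssertionConsumerService", MD_NS)
    if not acs_nodes:
        raise ValueError("no AssertionConsumerService element")
    # Prefer the endpoint flagged as default; otherwise take the first one listed.
    acs = next((a for a in acs_nodes if a.get("isDefault") == "true"), acs_nodes[0])

    return {
        "entity_id": _require_https("entityID", root.get("entityID")),
        "acs_url": _require_https("AssertionConsumerService Location", acs.get("Location")),
        "acs_binding": acs.get("Binding", ""),
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


if __name__ == "__main__":
    for field, value in extract_sp_settings(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```

Run it against the file you downloaded in the first section instead of the sample to get the exact strings to paste; the https check matters because an http ACS URL would carry the signed response, and the user's session, in the clear.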

Attribute Mapping:

Google Directory attribute -> App attribute:

  • Basic Information > First name -> name
  • CloudOneRole > role -> role

If group membership is available, do not include the custom attribute (CloudOneRole) mapping. Instead, under Google groups, search for and select the groups you wish to map to your application, and under App attributes enter role.

See the attributes claims guide for more information.

Configuring user access

  1. Inside your SAML application, click User access, then select ON for everyone and click Save.
  2. Expand Groups on the left, then search for or click the group you want to give access to your application. Select ON for everyone and click Save.

Configure SAML in Trend Cloud One

  1. From the Trend Cloud One Identity Providers page, click New.
  2. From Identity Provider, in the Alias field, type a name that identifies the identity provider, such as Google.
  3. In Metadata XML File, click Browse, then navigate to the metadata file that you downloaded from the identity provider (not Trend Cloud One).
  4. In the Mapping section (explained in About SAML single sign-on), provide a role attribute and group as detailed in the next steps.
  5. Set Role attribute to: role.
  6. Set Group to the value of the custom attribute (for example, full-access) or the name of a group you mapped, and then map it to a Trend Cloud One role.
  7. For the remaining optional attributes, provide the following values: set Name attribute to name and leave Locale attribute and Timezone attribute empty.
  8. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.
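Added example, not part of this guide or of Trend Cloud One: a Python function that shows what the Mapping section does with an assertion produced by the attribute mapping above. It reads the name and role attributes from a constructed, unsigned sample assertion and matches each role value against a Group-to-role table like the one you build with +; unmapped values yield no role rather than a default. Signature and audience validation of the response are assumed to have already passed, since before that point the attribute values are untrusted input. The Trend Cloud One role names, the Issuer and the user are placeholders.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, abbreviated) shaped like what the Google attribute
# mapping produces: "name" from Basic Information > First name, "role" from CloudOneRole > role.
# Issuer and user are placeholders, not values from any real tenant.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>urn:example:google-workspace-idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="name">
      <saml2:AttributeValue>Alice</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="role">
      <saml2:AttributeValue>full-access</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Stand-in for the Mapping section: Group value -> Trend Cloud One role. The role names
# are placeholders; use the ones shown in your console.
GROUP_TO_ROLE = {
    "full-access": "Full Access",
    "read-only": "Read Only",
}


def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect every Attribute in the AttributeStatement as name -> list of values.

    Lists are used because a Google groups mapping (when available) can emit several
    values under the single attribute name "role".
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def _name_id(assertion_xml: str) -> str | None:
    node = ET.fromstring(assertion_xml).find("saml2:Subject/saml2:NameID", SAML_NS)
    return node.text.strip() if node is not None and node.text else None


def resolve_access(
    assertion_xml: str,
    group_to_role: dict[str, str],
    role_attr: str = "role",
    name_attr: str = "name",
) -> dict[str, object]:
    """Apply the Mapping section's rules to an already-verified assertion.

    Only an exact, case-sensitive match between an attribute value and a configured Group
    grants a role (assumption: this mirrors how the Group field is compared). Any other
    value is ignored, so an unmapped user is authenticated but ends up with no role.
    """
    attrs = saml_attributes(assertion_xml)
    names = attrs.get(name_attr, [])
    claimed = set(attrs.get(role_attr, []))
    roles = [role for group, role in group_to_role.items() if group in claimed]
    return {
        "subject": _name_id(assertion_xml),
        "name": names[0] if names else None,
        "roles": roles,
    }


if __name__ == "__main__":
    print(resolve_access(SAMPLE_ASSERTION, GROUP_TO_ROLE))
    # A value that no Group matches: the user is authenticated but has no role.
    print(resolve_access(SAMPLE_ASSERTION.replace("full-access", "contractors"), GROUP_TO_ROLE))
```

The second call is the case worth checking in your own setup: a user whose custom attribute holds a typo, or who sits in a group you never mapped, should land with no role, which is why the Group values you enter in step 6 must match the attribute values you set in the Google directory exactly.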

Set console theme

Specifying a theme query parameter is optional. It lets the identity provider choose the console theme through the RelayState it returns with the SAML response. The valid theme values are light and dark. If dark is selected, the Trend Cloud One console opens in dark mode. If no theme parameter is specified, the console defaults to light mode, or to whatever is saved in the user's local browser settings.

To specify the theme, the RelayState in the SAML response must include theme as a query parameter with a value of either dark or light.

For RelayState:

  • /theme=dark for dark theme.
  • /theme=light for light theme.

Test SAML SSO

  1. Back in your application in Google, sign out, clear the browser cache, and sign back in. Otherwise you may get Error: not_a_saml_app, because your existing session does not know about its association with your new application.
  2. Once you are back to your application, click Test SAML login and you will be automatically logged in to Trend Cloud One.

If you are having difficulties, see the SAML troubleshooting guide.