Table of contents

Okta setup guide

Download the metadata XML for Trend Micro Cloud One

  1. Log into Trend Micro Cloud One with Full Access to the Identity and Account permissions.
  2. Click Administration near the bottom of the page.
  3. Click the Identity Providers tab on the left.
  4. Click the Download Metadata XML for Trend Micro Cloud One link, or right-click the link, and select an option to save the file.

This XML file will be read in order to configure SAML in Okta. You will use a different XML file to upload into Cloud One later.

Configuring SAML in Okta

Refer to Okta's Documentation for further details on the steps below.

Create your Okta application

  1. Log in to Okta. If you do not have an Okta account, but you wish to test the functionality, then you can opt for a Developer Account instead.
  2. Expand and click Applications on the left side. Click Create App Integration, select SAML 2.0 then click Next. Fill in the general settings then click Next.
  3. Fill in the page as follows:


Field Value Notes
Single sign on URL From the Cloud One metadata XML file, enter the value for AssertionConsumerService > Location For example:
Use this for Recipient URL and Destination URL Checked
Audience URL From the Cloud One metadata XML file, enter the value for entityID For example:
Default Relay State Empty or "/workload" Set this if you would like users to be automatically taken to Workload Security upon sign-in
  • Leave other general fields as their default values

Attribute Statements:

Attribute Name Name Format Value
Name name Unspecified String.append(user.firstName + " " + user.lastName)
Locale locale Unspecified user.locale
Timezone timezone Unspecified user.timezone

The above SAML attribute claims are recommendations, you can customize them as need be.

Group Attribute Statements:

Attribute Name Name Format Filter
Group groups Unspecified Here you can define exactly what groups you want to allow access. For any group you can put Matches regex + .*

See the attributes claims guide for more information.

  • When done, click Next and select I'm an Okta customer adding an internal app and select the check box for This is an internal app that we have created then click Finish.

If your app requires additional SAML configuration instructions to work with Okta, select the check box for It's required to contact the vendor to enable SAML. Fill in the provided fields to help the Okta support team understand your SAML configuration.

Assign groups to the application

  1. Click the Assignments tab and assign a group to your application. Ensure users you wish to use are associated with that group.
  2. You can configure this in Okta's user directory.

Download Okta's metadata

  1. Click the Sign On tab and, in the right pane under SAML Setup, click View SAML setup instructions.
  2. Scroll down the Optional section. Copy the metadata XML and paste it into a file editor of your choice. Now save it using .xml as the file extension.

Configure SAML in Cloud One

  1. From the Cloud One Identity Providers page, click New.
  2. From the Identity Provider dialog box, in the Alias field, type any name, but we recommend that the name include the identity provider, such as Azure AD or Okta.
  3. In the Metadata XML File box, click the Browse button, then navigate to the metadata file that you downloaded from the identity provider (not Cloud One).
  4. For the Mapping section (see explanation in About SAML single sign-on) provide a role and attribute as detailed in the next steps.
  5. Set Role attribute: to: groups (the value of Name from Group Attribute Statements).
  6. Set Group to the name of the group, for example Everyone, then select what access you want that group to have.
  7. Set Name attribute to: name
  8. Set Locale attribute to: locale
  9. Set Timezone attribute to: timezone
  10. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.

Set console theme

Specifying a theme query parameter is optional, and it allows users to specify a particular theme in the relayState they get from the Identity Provider SAML response. The valid theme values are "light" and "dark". If "dark" is chosen, then the Trend Micro Cloud One console will open in the dark mode. If no theme parameter is specified, the browser will default to light mode, or whatever is saved within a user's local browser setting.

To specify the theme, the relayState in the SAML response should include "theme" as a query parameter with a value of either "dark" or "light".

For relayState:

  • /theme=dark for dark theme.
  • /theme=light for light theme.


  1. Log in to Okta as a user who has access to the application.
  2. Click the new Cloud One application to log in and you will be automatically logged in to Cloud One.

If you are having difficulties, please reference our troubleshooting SAML guide for assistance.