Table of contents

Okta setup guide

Download the metadata XML for Trend Cloud One

  1. Log in to Trend Cloud One with Full Access to the Identity and Account permissions.
  2. Click Administration.
  3. Click Identity Providers on the left.
  4. Click Download Metadata XML for Trend Micro Cloud One, or right-click the link and select an option to save the file.

This XML file will be read in order to configure SAML in Okta. You will use a different XML file to upload into Cloud One later.

Configuring SAML in Okta

Refer to Okta's Documentation for more details.

Create your Okta application

  1. Log in to Okta. If you do not have an Okta account, but you wish to test the functionality, then you can opt for a Developer Account instead.
  2. Expand and click Applications on the left. Click Create App Integration, select SAML 2.0, then click Next. Fill in the general settings, then click Next.
  3. Complete the page as follows:

General:

Field Value Notes
Single sign on URL From the Trend Cloud One metadata XML file, enter the value for AssertionConsumerService > Location For example: https://saml.cloudone.trendmicro.com/idpresponse
Use this for Recipient URL and Destination URL Checked
Audience URL From the Trend Cloud One metadata XML file, enter the value for entityID For example: https://saml.cloudone.trendmicro.com
Default Relay State Empty or "/workload" Set this if you would like users to be automatically taken to Workload Security upon sign-in

Leave other general fields as their default values.

Attribute Statements:

Attribute Name Name Format Value
Name name Unspecified String.append(user.firstName + " " + user.lastName)
Locale locale Unspecified user.locale
Timezone timezone Unspecified user.timezone

The preceding SAML attribute claims are recommendations, you can customize them as need be.

Group Attribute Statements:

Attribute Name Name Format Filter
Group groups Unspecified Here you can define exactly what groups you want to allow access. For any group you can put Matches regex + .*

See the attributes claims guide for more information.

When done, click Next and select I'm an Okta customer adding an internal app, select This is an internal app that we have created, and then click Finish.

If your application requires additional SAML configuration instructions to work with Okta, select It's required to contact the vendor to enable SAML. Fill in the provided fields to help the Okta support team understand your SAML configuration.

Assign groups to the application

  1. Select Assignments and assign a group to your application. Ensure users you wish to use are associated with that group.
  2. You can configure this in Okta's user directory.

Download Okta's metadata

  1. Select Sign On and in the right pane under SAML Setup click View SAML setup instructions.
  2. Scroll down the Optional section. Copy the metadata XML and paste it into a file editor of your choice. Now save it using .xml as the file extension.

Configure SAML in Trend Cloud One

  1. From the Trend Cloud One Identity Providers page, click New.
  2. In Identity Provider, type a name for the Alias. This name should include the identity provider such as Microsoft Entra ID or Okta.
  3. In Metadata XML File, click Browse, then navigate to the metadata file that you downloaded from the identity provider (not Trend Cloud One).
  4. For the Mapping section (see explanation in About SAML single sign-on), provide a role and attribute as detailed in the next steps.
  5. Set Role attribute to groups (the value of Name from Group Attribute Statements).
  6. Set Group to the name of the group, for example Everyone, then select what access you want that group to have.
  7. Set Name attribute to name
  8. Set Locale attribute to locale
  9. Set Timezone attribute to timezone
  10. Click Save.

In the Mapping section, click + to add more than one Group. You can configure multiple groups to have different access privileges.

Set console theme

Specifying a theme query parameter is optional, and it allows users to specify a particular theme in the RelayState they get from the Identity Provider SAML response. The valid theme values are light and dark. If dark is selected, then the Trend Cloud One console opens in the dark mode. If no theme parameter is specified, the browser defaults to light mode, or whatever is saved within a user's local browser setting.

To specify the theme, the RelayState in the SAML response should include theme as a query parameter with a value of either dark or light.

For RelayState:

  • /theme=dark for dark theme.
  • /theme=light for light theme.

Test SAML SSO

  1. Log in to Okta as a user who has access to the application.
  2. Click the new Trend Cloud One application to log in and you will be automatically logged in to Trend Cloud One.

If you are having difficulties, see Troubleshooting SAML setup guide.