Currently, SAML is supported for sign-on and access not only to the Workload Security
service specifically but also to the Trend Cloud One product as a whole. This
document discusses SAML for Workload Security specifically. Trend Micro recommends
that you also consult SAML for Trend Cloud One generally.
When you configure Workload Security to use SAML single sign-on (SSO), users signing
in to your organization's portal can seamlessly sign in to Workload Security without
an existing Workload Security account. SAML single sign-on also makes it possible
to implement user authentication access control elements such as the following:
- Password strength or change enforcement.
- One-Time Password (OTP).
- Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).
For a more detailed explanation of how Workload Security has implemented the SAML standard,
see About SAML single sign-on (SSO). If you are using Microsoft Entra ID as your identity provider, see Configure SAML single sign-on with Microsoft Entra ID.
Note that at this time, Workload Security supports only the HTTP POST binding of the
SAML 2.0 identity provider (IdP)-initiated login flow, and not the service provider
(SP)-initiated login flow.
Within Workload Security, SAML is supported for these regions:
If you would rather use SAML for all parts of Trend Cloud One rather than just for
Workload Security, see About SAML single sign-on.
To use SAML single sign-on with Workload Security, you need to do the following:
Prerequisites
- Ensure your Workload Security is functioning properly.
- Contact the identity provider administrator to do the following:
  - Establish a naming convention for mapping directory server groups to Workload Security roles.
  - Obtain their identity provider SAML metadata document.
  - Ask them to add any required user authentication access control features to their policy.
Support is available to assist with the following identity providers that have been tested in Workload Security with SAML single sign-on:
- Active Directory Federation Services (ADFS)
- Okta
- PingOne
- Shibboleth
Configure SAML in Workload Security
To configure SAML in Workload Security, you need to perform a number of steps.
Import your identity provider's SAML metadata document
Your Workload Security account must have both administrator and Create SAML Identity
Provider permissions.
- On the Administration page, go to.
- Click Get Started.
- Click Choose File, select the SAML metadata document provided by your identity provider, and click Next.
- Enter a Name for the identity provider, and then click Finish to transition to the Roles page.
Create Workload Security roles for SAML users
You need to create a role for each of your expected user types. Each role must have
a corresponding group in your identity provider's directory server, and match the
group's access permissions and tenant assignment.
Your identity provider's SAML integration has a mechanism to transform group membership
into SAML claims. Consult the documentation that came with your identity provider
to learn more about claim rules.
For information on how to create roles, see Define roles for users.
Provide information to your identity provider administrator
You can help the identity provider administrator create groups and rules that correspond
to your Workload Security setup.
Download the Workload Security service provider SAML metadata document
- On the Administration page, go to.
- Under SAML Service Provider, click Download. Your browser will download the Workload Security service provider SAML metadata document (ServiceProviderMetadata.xml).
Send URNs and the Workload Security SAML metadata document to the identity provider administrator
You need to give the identity provider administrator Workload Security's service provider
SAML metadata document, the identity provider URN and the URN of each Workload Security
role you created.
To view role URNs, go to and look under the URN column. To view identity provider URNs,
go to and look under the URN column.
Once the identity provider administrator confirms they have created groups corresponding
to the Workload Security roles and any required rules for transforming group membership
into SAML claims, you are finished configuring SAML single sign-on.
If necessary, you can inform the identity provider administrator about the SAML claims structure required by Workload Security.
SAML claims structure
The following SAML claims are supported by Workload Security:
Workload Security username (required)
The claim must have a SAML assertion that contains an Attribute element with a Name
attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName
and a single AttributeValue element. Workload Security will use the AttributeValue
as the Workload Security username.
Sample SAML data (abbreviated):
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <AttributeStatement>
        <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName">
          <AttributeValue>alice</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
  </samlp:Response>
Workload Security user role (required)
The claim must have a SAML assertion that contains an Attribute element with a Name
attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/Role
and 1 to 10 AttributeValue elements. Workload Security uses the attribute values to
determine the tenant, identity provider, and role of the user. A single assertion may
contain roles from multiple tenants.
Sample SAML data (abbreviated):
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <AttributeStatement>
        <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/Role">
          <AttributeValue>urn:tmds:identity:[pod ID]:[tenant ID]:saml-provider/[IDP name],
            urn:tmds:identity:[pod ID]:[tenant ID]:role/[role name]</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
  </samlp:Response>
The line break in the AttributeValue element is present for readability; in the claim
it must be on a single line.
Maximum session duration (optional)
If the claim has a SAML assertion that contains an Attribute element with a Name
attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration
and an integer-valued AttributeValue element, the session will automatically terminate
when that amount of time (in seconds) has elapsed.
Sample SAML data (abbreviated):
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <AttributeStatement>
        <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration">
          <AttributeValue>28800</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
  </samlp:Response>
Preferred language (optional)
If the claim has a SAML assertion that contains an Attribute element with a Name
attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/PreferredLanguage
and a string-valued AttributeValue element that is equal to one of the supported
languages, Workload Security will use the value to set the user's preferred language.
The following languages are supported:
- en-US (US English)
- ja-JP (Japanese)
Sample SAML data (abbreviated):
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <AttributeStatement>
        <Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/PreferredLanguage">
          <AttributeValue>en-US</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
  </samlp:Response>
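The following checker, added here as an illustration and not Trend Micro's code, pulls the four documented attributes out of a SAML Response and enforces the cardinalities and value formats described above (one RoleSessionName value, 1 to 10 Role values each of the form "idp URN, role URN", an integer SessionDuration, a supported PreferredLanguage). It is useful for auditing what an identity provider actually emits before onboarding users; the sample response and its POD/TENANT identifiers are constructed placeholders, and the script checks structure only, so XML signature verification must happen separately.

```python
# Added example: audits a SAML Response against the Workload Security claim structure.
# Structure only: signature and audience validation are separate, earlier steps.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR = "https://deepsecurity.trendmicro.com/SAML/Attributes/"
SUPPORTED_LANGUAGES = {"en-US", "ja-JP"}

def parse_role_value(value):
    """Split 'idp URN, role URN' into a pair; both must be urn:tmds:identity URNs."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not all(p.startswith("urn:tmds:identity:") for p in parts):
        raise ValueError(f"malformed Role value: {value!r}")
    idp, role = parts
    if ":saml-provider/" not in idp or ":role/" not in role:
        raise ValueError(f"expected '<idp URN>, <role URN>': {value!r}")
    return idp, role

def extract_claims(xml_text):
    """Return the Workload Security claims in the assertion, enforcing the documented rules."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.findall(".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    names = attrs.get(ATTR + "RoleSessionName", [])  # required, exactly one value
    if len(names) != 1 or not names[0]:
        raise ValueError("RoleSessionName must carry exactly one AttributeValue")
    roles = attrs.get(ATTR + "Role", [])  # required, 1 to 10 values
    if not 1 <= len(roles) <= 10:
        raise ValueError("Role must carry 1 to 10 AttributeValues")
    claims = {"username": names[0], "roles": [parse_role_value(r) for r in roles]}
    if attrs.get(ATTR + "SessionDuration"):  # optional, integer seconds
        claims["session_duration"] = int(attrs[ATTR + "SessionDuration"][0])
    if attrs.get(ATTR + "PreferredLanguage"):  # optional, must be a supported tag
        lang = attrs[ATTR + "PreferredLanguage"][0]
        if lang not in SUPPORTED_LANGUAGES:
            raise ValueError(f"unsupported PreferredLanguage: {lang!r}")
        claims["language"] = lang
    return claims

# Constructed sample combining three of the page's attributes; POD/TENANT are placeholders.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeStatement>
<Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName">
<AttributeValue>alice</AttributeValue></Attribute>
<Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/Role">
<AttributeValue>urn:tmds:identity:POD:TENANT:saml-provider/CorpIdP, urn:tmds:identity:POD:TENANT:role/Auditor</AttributeValue></Attribute>
<Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration">
<AttributeValue>28800</AttributeValue></Attribute>
</AttributeStatement></Assertion></samlp:Response>"""
```

Running `extract_claims(SAMPLE)` returns the username, the (identity provider URN, role URN) pairs and the session duration; a response missing the Role attribute or carrying more than ten values is rejected.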
Test SAML single sign-on
Navigate to the single sign-on login page on the identity provider server, and log
in to Workload Security from there. You should be redirected to the Workload Security
console.
If SAML single sign-on is not functioning, review the setup:
- Review the Prerequisites section above.
- Ensure that the user is in the correct directory group.
- Ensure that the identity provider and role URNs are properly configured in the identity provider federation service.
Service and identity provider settings
You can set how far in advance Workload Security alerts you to the expiry date of
the server and identity provider certificates, as well as how much time must pass
before inactive user accounts added through SAML single sign-on are automatically
deleted.
To change these settings, go to .