Since TMWS 3.2, the integration already includes a predefined app in the Azure AD application gallery, so there is no need to configure claims manually for the Azure AD integration. To complete the configuration, do the following:
- Sign in to the Azure portal using your Microsoft account.
- On the left panel, select the Azure Active Directory service.
- Select Enterprise applications. From the Application Type drop-down, select All applications.
- Click New application to add a new application.
- In the Add from the gallery section, enter Trend Micro Web Security (TMWS) in the search box.
- Select Trend Micro Web Security (TMWS) from the search results.
- Click Create to add the app to your tenant. After adding, verify that the app is listed in your tenant: searching Enterprise applications for Trend Micro Web Security (TMWS) should return the newly added app.
The next steps establish the link between the Azure AD side and the configuration settings on the TMWS side. For a global deployment you may not need a test user, but this guide creates one so that the SSO setup can be verified at the end.
- From the Azure portal, on the Trend Micro Web Security (TMWS) application integration page, select Set up single sign-on.
- On the Select a single sign-on method page, select SAML.
- On the Set up Single Sign-On with SAML page, select the pen icon for Basic SAML Configuration to edit the settings.
- In the Basic SAML Configuration section, enter the values in the Identifier (Entity ID) and Reply URL fields. Both values can be retrieved from the TMWS web console: go to Administration > Directory Services, click the "Click here to change the authentication method" link, select Azure AD and scroll down to Service Provider Settings for the Azure Admin Portal.
- Take note of the attributes from the SAML settings. Trend Micro Web Security (TMWS) expects the SAML assertions in a specific format: the two attributes sAMAccountName and uPN are passed back in the SAML response. They are pre-populated by the gallery app but can be changed to meet your requirements; whichever attribute carries the logon name must match the Logon name attribute configured later in the TMWS console.
- Go back to the Set up single sign-on with SAML page. In the SAML Signing Certificate section, find Certificate (Base64) and click the Download link next to the certificate name. This certificate is entered later in the TMWS web console as the Public SSL certificate.
- Scroll down to the Set up Trend Micro Web Security (TMWS) section and copy the URLs shown there. The Login URL is entered later in the TMWS web console as the Service URL.
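The Azure-side values above (Identifier, Reply URL, issuer, signing certificate and the sAMAccountName/uPN attributes) are exactly what the service provider checks when a SAML response arrives, and they are the same values entered later on the TMWS side as Service URL, Logon name attribute and Public SSL certificate. The following Python program is an added example, not TMWS or Microsoft code, that runs those checks against a constructed Azure AD-style response. The Entity ID, Reply URL, tenant ID, user and certificate are made up, and the XML signature itself is not verified; a production SP must do that, for example with signxml, pinned to the downloaded certificate, before trusting any other field.

```python
"""Added example, not TMWS or Microsoft code: the checks a SAML service provider
makes on an Azure AD response using the values configured above (Entity ID,
Reply URL, issuer, signing certificate, Logon name attribute).  All URLs, IDs,
users and the certificate are constructed.  XML signature verification is NOT
done here; in production verify it (e.g. with signxml) pinned to the downloaded
Certificate (Base64) before trusting any other field."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

CONFIG = {  # constructed stand-ins for the values from the TMWS console and Azure portal
    "entity_id": "https://tmws.example.invalid/saml/metadata",      # Identifier (Entity ID)
    "reply_url": "https://tmws.example.invalid/saml/acs",           # Reply URL
    "idp_issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # Azure AD Identifier form
    "idp_cert_b64": base64.b64encode(b"constructed, not a real X.509 certificate").decode(),
    "logon_name_attribute": "sAMAccountName",                        # TMWS "Logon name attribute"
}


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, cfg, now=None):
    """Return the identity carried by the response if every SP check passes, else raise ValueError."""
    now = now or datetime.now(timezone.utc)     # injected so the window check is testable
    resp = ET.fromstring(xml_text)
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported a failure status")
    if resp.get("Destination") != cfg["reply_url"]:
        raise ValueError("Destination is not our Reply URL")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:                    # refuse ambiguous multi-assertion responses
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != cfg["idp_issuer"]:
        raise ValueError("assertion issuer is not our Azure AD tenant")
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or ""
    if "".join(cert.split()) != "".join(cfg["idp_cert_b64"].split()):
        raise ValueError("signing certificate differs from the configured Public SSL certificate")
    # the XML signature over the assertion would be verified here (signxml or similar)
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if cfg["entity_id"] not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("audience does not include our Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["reply_url"]:
        raise ValueError("bearer confirmation is not addressed to our Reply URL")
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get(cfg["logon_name_attribute"]):
        raise ValueError("logon name attribute %r missing" % cfg["logon_name_attribute"])
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "logon_name": attrs[cfg["logon_name_attribute"]], "attributes": attrs}


def rejection_reason(xml_text, cfg, now=None):
    """None if the response is accepted, otherwise why it was rejected."""
    try:
        validate_response(xml_text, cfg, now)
    except ValueError as err:
        return str(err)


def sample_response(cfg, audience=None, cert=None, expires="2024-01-01T12:05:00Z"):
    """Constructed Azure AD-style response (carries no real signature value)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{cfg['reply_url']}">
  <saml:Issuer>{cfg['idp_issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{cfg['idp_issuer']}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert or cfg['idp_cert_b64']}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>test.user@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{cfg['reply_url']}" NotOnOrAfter="{expires}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="{expires}">
      <saml:AudienceRestriction><saml:Audience>{audience or cfg['entity_id']}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>test.user</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uPN"><saml:AttributeValue>test.user@example.invalid</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(validate_response(sample_response(CONFIG), CONFIG, SAMPLE_NOW))
```

Run it directly to see the accepted identity; `rejection_reason` shows why a response for another audience, signed with a different certificate, or presented outside its validity window is refused. A real integration replaces CONFIG with the values from the TMWS console and the Azure portal and adds the signature check.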
Next, create a test user in Azure AD:
- In the left pane of the Azure portal, select Azure Active Directory, then select Users.
- Select New user at the top of the screen.
- In the User properties, follow the steps to create the test user.
Then assign the test user to the application:
- In the Azure portal, select Enterprise applications, then select All applications.
- In the applications list, select Trend Micro Web Security (TMWS).
- From the app's overview page, select Assign users and groups.
- Select Add user, then select Users and groups in the Add Assignment dialog box.
- In the Users and groups dialog box, select the test user you created from the Users list, then click Select at the bottom of the screen.
- If you expect a role value in the SAML assertion, in the Select Role dialog box select the appropriate role for the user from the list, then click Select at the bottom of the screen.
- In the Add Assignment dialog box, select Assign.
TMWS synchronizes users and groups from Azure AD through the Microsoft Graph API, so the app registration needs a client secret and read permissions:
- In the left pane, select Azure Active Directory.
- From the left panel, select App registrations, then, under All applications, select Trend Micro Web Security.
- From the left panel, select Certificates & secrets.
- In the Client secrets area, select New client secret.
- On the Add a client secret screen, optionally add a description, select an expiration period for the client secret, then select Add. The new client secret appears in the Client secrets area.
- Record the client secret value immediately; it is displayed only once. Later, you will enter it into the TMWS web console. Also note the expiry date: once the secret expires, TMWS can no longer obtain a Graph token and synchronization stops, so create a new secret and update TMWS before that date.
- From the left panel, select API permissions.
- In the API permissions window, select Add a permission.
- On the Microsoft APIs tab of the Request API permissions window, select Microsoft Graph and then Application permissions.
- Locate and add these permissions:
  - Group.Read.All
  - User.Read.All
- Select Add permissions. The new permissions appear in the API permissions window.
- In the Grant consent area, select Grant admin consent for your tenant (shown as Default Directory in a new tenant), and then select Yes. These are application permissions: they let the app read every user and group in the tenant without a signed-in user, so protect the client secret as you would an administrator credential.
- From the left pane, select Overview. Record the Application (client) ID and Directory (tenant) ID shown in the right pane. Later, you will enter them into TMWS.
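The Directory (tenant) ID, Application (client) ID and client secret recorded above are the credentials for an app-only Microsoft Graph session, which is how a directory sync reads users and groups. The following Python program is an added example, not TMWS or Microsoft code: it builds the OAuth 2.0 client-credentials request for the v2.0 token endpoint, pages through Graph users and groups following `@odata.nextLink`, skips disabled accounts and surfaces a failed token request (such as an expired secret) instead of silently syncing nothing. The transport functions are injectable, so the demo runs offline against constructed responses with made-up IDs, names and tokens; for a live tenant the real `http_post_form` and `http_get_json` are used.

```python
"""Added example (not TMWS or Microsoft code): app-only Microsoft Graph access with
the Directory (tenant) ID, Application (client) ID and client secret from the app
registration, then a minimal user/group sync.  HTTP transport is injectable so the
demo runs offline against constructed responses; all ids, names and tokens are made up."""
import json
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"
# Only what a proxy needs to map users to groups; keep the synced surface minimal.
USER_FIELDS = "id,userPrincipalName,onPremisesSamAccountName,accountEnabled"
GROUP_FIELDS = "id,displayName"


def token_request(tenant, client_id, client_secret):
    """v2.0 token endpoint and form body.  scope=.../.default asks for exactly the
    application permissions that were admin-consented (Group.Read.All, User.Read.All)."""
    url = f"{LOGIN}/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def http_post_form(url, body):
    """Real transport (urllib); replaced by a fake in the offline demo."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as r:
        return json.load(r)


def http_get_json(url, token):
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as r:
        return json.load(r)


def fetch_token(tenant, client_id, client_secret, post=http_post_form):
    url, body = token_request(tenant, client_id, client_secret)
    resp = post(url, body)
    if "access_token" not in resp:
        # An expired client secret surfaces here as error=invalid_client; fail loudly
        # rather than letting the sync quietly return nothing.
        raise RuntimeError("token request failed: %s: %s" % (resp.get("error"), resp.get("error_description")))
    return resp["access_token"]


def iter_pages(url, token, get=http_get_json):
    """Yield items from a Graph collection, following @odata.nextLink until it stops."""
    while url:
        page = get(url, token)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def sync_directory(tenant, client_id, client_secret, post=http_post_form, get=http_get_json):
    """Return {'users': {logon_name: {...}}, 'groups': {group_name: [logon_name, ...]}}."""
    token = fetch_token(tenant, client_id, client_secret, post)
    users_by_id, users = {}, {}
    for u in iter_pages(f"{GRAPH}/users?$select={USER_FIELDS}", token, get):
        if not u.get("accountEnabled"):
            continue                      # disabled accounts never get a proxy identity
        logon = u.get("onPremisesSamAccountName") or u["userPrincipalName"]  # mirrors the Logon name attribute
        users_by_id[u["id"]] = logon
        users[logon] = {"upn": u["userPrincipalName"], "id": u["id"]}
    groups = {}
    for g in iter_pages(f"{GRAPH}/groups?$select={GROUP_FIELDS}", token, get):
        members = iter_pages(f"{GRAPH}/groups/{g['id']}/members?$select=id", token, get)
        groups[g["displayName"]] = sorted(users_by_id[m["id"]] for m in members if m["id"] in users_by_id)
    return {"users": users, "groups": groups}


# ---- constructed offline responses (made-up ids and names) ----
FAKE_RESPONSES = {
    f"{GRAPH}/users?$select={USER_FIELDS}": {
        "value": [{"id": "u1", "userPrincipalName": "alice@example.invalid",
                   "onPremisesSamAccountName": "alice", "accountEnabled": True}],
        "@odata.nextLink": f"{GRAPH}/users?$select={USER_FIELDS}&$skiptoken=page2",
    },
    f"{GRAPH}/users?$select={USER_FIELDS}&$skiptoken=page2": {
        "value": [{"id": "u2", "userPrincipalName": "bob@example.invalid",
                   "onPremisesSamAccountName": "bob", "accountEnabled": True},
                  {"id": "u3", "userPrincipalName": "old@example.invalid",
                   "onPremisesSamAccountName": "old", "accountEnabled": False}],
    },
    f"{GRAPH}/groups?$select={GROUP_FIELDS}": {"value": [{"id": "g1", "displayName": "Web-Allowed"}]},
    f"{GRAPH}/groups/g1/members?$select=id": {"value": [{"id": "u2"}, {"id": "u3"}]},
}


def fake_post(url, body):
    """Stand-in token endpoint: rejects a constructed 'expired-secret' value."""
    form = urllib.parse.parse_qs(body.decode())
    if form["client_secret"] == ["expired-secret"]:
        return {"error": "invalid_client", "error_description": "constructed: client secret expired"}
    return {"token_type": "Bearer", "expires_in": 3599, "access_token": "constructed-token"}


def fake_get(url, token):
    assert token == "constructed-token"
    return FAKE_RESPONSES[url]


def demo():
    return sync_directory("00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111",
                          "constructed-secret", post=fake_post, get=fake_get)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The token is requested with the `.default` scope, so the app receives only the application permissions that were admin-consented; if Group.Read.All or User.Read.All is missing, the Graph calls fail even though the token request succeeds.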
- Log in to the TMWS web console. Go to Administration > USERS & AUTHENTICATION > Directory Services. Next to Authentication Method, click the here link to change it.
- On the Authentication Method page, select Azure AD.
- Select On or Off to configure whether Azure AD users in your organization may visit websites through TMWS before their data has been synchronized with TMWS. Note that users who have not been synchronized from Azure AD can be authenticated only through gateways registered to TMWS or through the dedicated port for your organization.
- In the Identity Provider Settings section, complete these steps:
  - In the Service URL field, enter the Login URL value that you copied from the Azure portal.
  - In the Logon name attribute field, enter the user claim name that maps to the user.onpremisessamaccountname source attribute in the Azure portal. By default this is sAMAccountName.
  - In the Public SSL certificate field, use the Certificate (Base64) downloaded from the Azure portal.
- Configure the Synchronization Settings as follows:
  - In the Tenant field, enter the Directory (tenant) ID or custom domain name value from the Azure portal.
  - In the Application ID field, enter the Application (client) ID value from the Azure portal.
  - In the Client secret field, enter the Value shown on the Client secrets screen in the Azure portal.
  - Under Synchronization schedule, choose whether to synchronize with Azure AD manually or on a schedule. If you select Manually, remember to return to the Directory Services page and run a manual synchronization whenever Azure AD user information changes, so that the information in TMWS stays current.
- Select Save.
To verify that the setup was completed successfully, test SSO as follows:
- Open a browser of your choice and clear its cache first.
- Visit any internet website. TMWS should redirect you to the captive portal.
- Type the test user's Azure AD account (in email address format) in the username field.
- On the Azure AD sign-in page, enter the test user's credentials. You should now be signed in to TMWS.
- To confirm, browse to diagnose.iws-hybrid.trendmicro to check the connection and the user logged in to TMWS.