Prerequisites
Before you begin configuring Azure AD, make sure that:
- You have a valid subscription with an Azure AD edition license (Free, Basic, or Premium) that handles the sign-in process and eventually provides the authentication credentials to the Cloud App Security management console.
- You are logged on to the management console as a Cloud App Security global administrator.
Using Azure AD Premium Edition
- Sign in to the Azure management portal at https://portal.azure.com using your Azure AD administrator account.
- On the Microsoft Azure main page, click Azure Active Directory.
- From the left navigation, go to Enterprise applications > New application.
- If the Browse Azure AD Gallery (Preview) screen opens, click Click here to switch back to the legacy app gallery experience.
- Under Add an application, click Non-gallery application.
- Under the Add your own application area that appears, specify the display name for Cloud App Security in the Name text box (e.g. Trend Micro Cloud App Security) and then click Add.
The Overview screen of the newly added application should appear.
- Under the Getting Started area, click Set up single sign-on.
- Select SAML as the single sign-on method.
- On the SAML-based Sign-on screen, click the Edit icon, enter the following values for your Cloud App Security tenant on the Basic SAML Configuration screen that appears, and then click Save.
- Identifier: This uniquely identifies Cloud App Security for which single sign-on is being configured. Azure AD sends this value as the Audience parameter of the SAML token back to Cloud App Security, which is expected to validate it.
Specify the identifier based on your serving site:
  EU: https://admin-eu.tmcas.trendmicro.com
  UK: https://admin.tmcas.trendmicro.co.uk
  Japan: https://admin.tmcas.trendmicro.co.jp
  US: https://admin.tmcas.trendmicro.com
  Australia/New Zealand: https://admin-au.tmcas.trendmicro.com
  Canada: https://admin-ca.tmcas.trendmicro.com
  Singapore: https://admin.tmcas.trendmicro.com.sg
  India: https://admin-in.tmcas.trendmicro.com
- Reply URL: This is where Cloud App Security expects to receive the SAML token.
Specify the Reply URL based on your serving site:
The configuration should look like this: (screenshot of the completed Basic SAML Configuration screen not included)
- On the Cloud App Security Console, go to Administration > Single Sign-On Settings and then configure the general settings for single sign-on:
- Select "Enable SSO".
- Select the identity provider in Identity Provider.
- Specify the service URL.
This value comes from the identity provider you configured (Azure AD, AD FS, or Okta); for Azure AD it is the Login URL recorded in the steps below.
- Specify the application identifier.
This value comes from the identity provider you configured (Azure AD, AD FS, or Okta); for Azure AD it is the Application ID recorded in the steps below.
- Go to the Overview screen and record Application ID under the Properties screen. This is also referred to as Application Identifier on the Cloud App Security management console.
- Click Single sign-on and record Login URL under the Set up <Your application name> area. This is also referred to as Service URL on the Cloud App Security management console.
- Under SAML Signing Certificate, click Certificate (Base64) to download a certificate file for Azure AD signature validation on Cloud App Security when it receives SAML tokens issued by Azure AD.
If a new SAML certificate is needed, refer to Creating a new SAML certificate in Microsoft Azure AD.
- Click Save.
- From the left navigation, click Users and groups and then Add user/group.
- Under Add Assignment, click Users or Users and groups based on your Active Directory plan level.
- Under the Users or Users and groups area that appears, select the users or groups to allow single sign-on to the Cloud App Security management console, click Select and then Assign.
- Click Single sign-on from the left navigation and then click Test at the bottom of the screen.
- On the Test single sign-on with <your application name> screen that appears, click Sign in as current user or Sign in as someone else if necessary.
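The Identifier entered on the Basic SAML Configuration screen is the value Cloud App Security must find in the Audience element of every token, and the Certificate (Base64) download is what it uses to verify the token's signature. The following added example (not Trend Micro or Microsoft code) shows the service-provider side of those two steps: it checks a SAML assertion's issuer, audience (against the per-site identifier list above) and validity window, and it strips the PEM armor from a Base64 certificate download to compute the X.509 thumbprint you can compare with the one shown in the Azure portal. The SAML Response, the issuer value and the PEM text are constructed placeholders; XML signature verification is deliberately not implemented here and must be done with a proper XML-DSig library before any of these values are trusted.

```python
"""Service-provider side checks on a SAML token issued by Azure AD.

Added example; not Trend Micro or Microsoft code. The SAML Response, the
issuer value and the PEM text are constructed; the serving-site identifiers
are the values listed in this document.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Identifier (SAML Audience) per Cloud App Security serving site, from the document.
SERVING_SITE_IDENTIFIERS = {
    "EU": "https://admin-eu.tmcas.trendmicro.com",
    "UK": "https://admin.tmcas.trendmicro.co.uk",
    "Japan": "https://admin.tmcas.trendmicro.co.jp",
    "US": "https://admin.tmcas.trendmicro.com",
    "Australia/New Zealand": "https://admin-au.tmcas.trendmicro.com",
    "Canada": "https://admin-ca.tmcas.trendmicro.com",
    "Singapore": "https://admin.tmcas.trendmicro.com.sg",
    "India": "https://admin-in.tmcas.trendmicro.com",
}

# Standard SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholder for the identity provider's Issuer value (assumption).
SAMPLE_ISSUER = "https://idp.example.test/placeholder-tenant/"

# Constructed, unsigned sample token for an EU tenant; times are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://admin-eu.tmcas.trendmicro.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_NOW = datetime(2024, 1, 1, 10, 30, tzinfo=timezone.utc)    # inside the window
SAMPLE_LATER = datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)   # at NotOnOrAfter: expired


def _saml_time(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(response_xml, serving_site, expected_issuer, now):
    """Return the list of problems found; an empty list means the checks passed.

    Covers issuer, audience and validity window only. The service provider must
    also verify the XML signature with the Azure AD signing certificate before
    trusting any of these values; that step is not implemented here.
    """
    problems = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")

    # The Audience must equal the Identifier configured for this serving site.
    expected = SERVING_SITE_IDENTIFIERS[serving_site]
    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected not in audiences:
        problems.append(f"audience {audiences} does not include {expected!r}")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _saml_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _saml_time(not_on_or_after):
            problems.append("assertion expired")
    return problems


def pem_to_der(pem_text):
    """Strip the PEM armor of a Certificate (Base64) download and decode the DER body."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def thumbprint(der_bytes):
    """SHA-1 over the DER bytes as upper-case hex, the usual X.509 thumbprint form."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


# Constructed PEM whose body is the Base64 of b"abc"; a real download holds DER.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("EU, in window:", check_assertion(SAMPLE_RESPONSE, "EU", SAMPLE_ISSUER, SAMPLE_NOW))
    print("US, in window:", check_assertion(SAMPLE_RESPONSE, "US", SAMPLE_ISSUER, SAMPLE_NOW))
    print("EU, expired:  ", check_assertion(SAMPLE_RESPONSE, "EU", SAMPLE_ISSUER, SAMPLE_LATER))
    print("thumbprint:   ", thumbprint(pem_to_der(SAMPLE_PEM)))
```

Running the block shows the EU token passing, the same token rejected when the tenant is configured for the US serving site (the Audience does not match that site's Identifier), and an expiry failure once the clock reaches NotOnOrAfter. The thumbprint of a real download can be compared with the value displayed under SAML Signing Certificate before the certificate is uploaded to the management console; if a new certificate is created in Azure AD, the old one stops validating tokens and the console copy has to be replaced.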