Prerequisites
Make sure you have a valid subscription in Azure AD that handles the sign-in process and eventually provides the authentication credentials of subaccounts to the administrator console.
Setting up Azure Active Directory
- Log in to the Azure AD Admin Center, then select an active directory that you want to implement SSO.
- Click Enterprise applications in the navigation area on the left.
Click the image to enlarge.
- Click Add > Enterprise application.
- On the Browse Azure AD Gallery screen, click Create your own application.
- Specify a name for your application (e.g. Trend Micro Email Security Administrator Console).
- Select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.
Click the image to enlarge.
- Under the Getting Started section, click Assign users and groups.
- Click Add user/group, specify the user or group for this application, click Select, and then click Assign.
When needed, repeat the same steps to assign the application to more users.
- In the navigation area of your application, click Single sign-on.
- Click SAML to configure the connection from your application to Azure AD using the SAML protocol, then do the following:
Click the image to enlarge.
- Configure the Basic SAML Configuration. Do the steps below:
- Under Basic SAML Configuration, click Edit.
- Specify the identifier and reply URL:
- Identifier (Entity ID): https://ui.<domain_name>/uiserver/subaccount/ssoLogin
- Reply URL (Assertion Consumer Service URL): https://ui.<domain_name>/uiserver/subaccount/ssoAssert?cmpID=<unique_identifier>
- Replace <unique_identifier> with a unique identifier. Record the unique identifier, which will be used when you create an SSO profile on the Trend Micro Email Security administrator console.
- Replace <domain_name> with any of the following based on your location:
- North America, Latin America and Asia Pacific: tmes.trendmicro.com
- Europe, the Middle East and Africa: tmes.trendmicro.eu
- Australia and New Zealand: tmes-anz.trendmicro.com
- Japan: tmems-jp.trendmicro.com
- Singapore: tmes-sg.trendmicro.com
Click the image to enlarge.
- Click Save.
- Select No, I'll test later when prompted to test the single sign-on with Trend Micro Email Security Administrator Console. It is recommended to perform a test after all SSO settings are complete.
- Configure the Attributes & Claims. If the email addresses in your organization are defined by another source attribute, do the following:
- Under Attributes & Claims, click Edit.
- Click Add new claim. This will open the Manage claim screen.
- Configure the following fields:
- Claim Name: specify claim name
- Namespace: leave empty
- Source: Attribute
- Source Attribute: select a value from drop-down list.
- When configuring the identity claim type for an SSO profile on Trend Micro Email Security, make sure you use the claim name specified here.
- User attributes and claims are used to get the email addresses of logon subaccounts to authenticate their identity. By default, the source attribute user.mail is preconfigured to get the email addresses.
- Click Save.
- Configure the SAML Signing Certificate, perform the following:
- Under SAML Signing Certificate, click Edit.
- Specify an email address for the Notification Email Addresses field.
- Click Save.
- Under SAML Signing Certificate, click the Download link for Certificate (Base64). This will download a certificate file which will be used for Azure AD signature validation on Trend Micro Email Security.
The downloaded certificate will be used when setting up SSO from the Trend Micro Email Security web console.
- Under Set up Trend Micro Email Security Administrator Console, take note of the login and logout URLs.
Click the image to enlarge.
The URLs will be used when setting up SSO from the Trend Micro Email Security web console .
- Configure the Basic SAML Configuration. Do the steps below:
Make sure that the user/s you have assigned from Step 8, is added under Administration > Administrator Management > Account Management in order to use it for SSO login.