Prerequisites

Before performing the following steps, ensure that you have installed ADFS successfully.


Setting up SSO using ADFS

  1. On the ADFS server, go to Start > All Programs > Administrative Tools > ADFS Management.

    [Screenshot: Administrative Tools]

  2. On the AD FS management console, select the AD FS root folder, click on the Actions menu, and then choose Add Relying Party Trust.

    [Screenshot: Add Relying Party Trust]

  3. Complete settings for each screen in the Add Relying Party Trust wizard.
    1. On the Welcome screen, click Start.

      [Screenshot: Welcome Screen]

    2. Select Enter data about the relying party manually, and then click Next.

      [Screenshot: Data Source]

    3. Specify a display name (e.g. Trend Micro Email Security Administrator Console), and click Next.

      [Screenshot: Display Name]

    4. Select ADFS profile.

      [Screenshot: ADFS Profile]

    5. Click Next.

      Note: No encryption certificate is required, and HTTPS will be used for communication between Trend Micro Email Security and federation servers.

      [Screenshot: Configure Certificate]

    6. Select Enable support for the SAML 2.0 WebSSO protocol, type the relying party SAML 2.0 SSO service URL, and then click Next.

      Note: Specify the SAML 2.0 SSO service URL for your region using the following format:
      https://ui.<domain_name>/uiserver/subaccount/ssoAssert?cmpID=<unique_identifier>

      For the succeeding steps:

      • Replace <unique_identifier> with a unique identifier. Record the unique identifier, which will be used when you create an SSO profile on the Trend Micro Email Security administrator console.
      • Replace <domain_name> with any of the following based on your location:

        Region/Location                                  Domain
        North America, Latin America and Asia Pacific    tmes.trendmicro.com
        Europe, the Middle East and Africa               tmes.trendmicro.eu
        Australia and New Zealand                        tmes-anz.trendmicro.com
        Japan                                            tmems-jp.trendmicro.com
        Singapore                                        tmes-sg.trendmicro.com

      [Screenshot: Configure URL]

    7. Provide the identifier in the Relying party trust identifier field, click Add, and then click Next.

      [Screenshot: Configure Identifiers]

    8. On the Configure Multifactor Authentication Now? screen, keep the default setting.

      Note: The default setting is "I do not want to configure multi-factor authentication settings for the relying party trust at this time."

      [Screenshot: Configure MFA]

    9. Select Permit all users to access this relying party, and then click Next.

      [Screenshot: Choose issuance rules]

    10. Click Next.

      [Screenshot: Add Trust]

    11. Click Close.

      [Screenshot: Setup Wizard complete]

      Note: Keep the option ticked in order to launch the Claim Rules window and proceed with adding rules to the newly created Relying Party Trust.
  4. Once the "Edit Claim Issuance Policy for Trend Micro Email Security Administrator Console" dialog box opens, go to the Issuance Transform Rules tab, and click Add Rule.

    [Screenshot: Edit Claims]

  5. Complete settings for each screen in the Add Transform Claim Rule wizard.
    1. For the Claim rule template, select Send LDAP Attributes as Claims and click Next.

      [Screenshot: Claim Rule]

    2. On the Configure Rule screen, specify a claim rule name and select Active Directory for Attribute store.
    3. Select LDAP attributes and specify an outgoing claim type for each attribute (e.g. select E-Mail-Addresses, and type email as the outgoing claim type).

      Note: When configuring the identity claim type for an SSO profile on Trend Micro Email Security, make sure you use the claim type specified here.

    4. Click Finish.

      [Screenshot: Finish]

    5. Click Apply, and OK to close the wizard.

      [Screenshot: Apply Changes]

  6. On the AD FS management console, go to AD FS > Relying Party Trust, double-click the relying party trust file that was created earlier.
    1. On the Test Properties dialog box, go to the Advanced tab.
    2. Select SHA1 from the Secure hash algorithm drop-down list and click OK.

      [Screenshot: Advanced tab]

  7. Collect the single sign-on logon and logoff URLs, and obtain a certificate for signature validation from AD FS.
    1. On the AD FS management console, go to AD FS > Service > Endpoints.

      [Screenshot: Endpoints]

    2. Look for the SAML 2.0/WS-Federation type endpoint and collect the URL path.

      Note: The URL path will be used when you configure logon and logoff URLs on Trend Micro Email Security.
      • Logon URL: <adfs_domain_name>/adfs/ls/
      • Logoff URL: <adfs_domain_name>/adfs/ls/?wa=wsignout1.0

      [Screenshot: SAML]

    3. Go to AD FS > Service > Certificates.

      [Screenshot: Certificates]

    4. Look for the Token-signing certificate, right-click it, and then select View Certificate.

      [Screenshot: Token Signing]

    5. Click the Details tab, and click Copy to File.

      [Screenshot: Copy to file]

    6. Using the Certificate export wizard, select Base-64 Encoded X.509 (.CER).

      [Screenshot: Certificate Export Wizard]

    7. Assign a file name to complete the export of the certificate.

      [Screenshot: Export Success]

      Note: The exported certificate will be used when configuring single sign-on (SSO) in the Trend Micro Email Security (TMES) web console. The steps can be found in this article.
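The same relying party trust, claim rule, signature setting, endpoint lookup and certificate export can be scripted with the ADFS PowerShell module; the script below is an added example written for this article, not Trend Micro's or Microsoft's own code. It assumes the North America region domain, a placeholder unique identifier, and that the relying party trust identifier is the SSO service URL (the article does not state which value to use).

```powershell
# Added example (not from the article): performs steps 2-7 above with the
# ADFS PowerShell module. Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

# Placeholders: pick your region domain from the table above and use the
# unique identifier you recorded for the TMES SSO profile.
$tmesDomain  = 'tmes.trendmicro.com'     # assumed region: North America
$cmpId       = '<unique_identifier>'      # placeholder, not a real value
$ssoUrl      = "https://ui.$tmesDomain/uiserver/subaccount/ssoAssert?cmpID=$cmpId"
$displayName = 'Trend Micro Email Security Administrator Console'

# Step 3.6: SAML 2.0 WebSSO assertion consumer endpoint (HTTP POST binding).
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ssoUrl

# Step 5: "Send LDAP Attributes as Claims" rule mapping the AD mail attribute to the
# outgoing claim type "email" (must match the identity claim type in the TMES SSO profile).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "TMES email claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);
'@

# Step 3.9: "Permit all users to access this relying party".
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Steps 3.7 and 6: identifier (assumed to be the SSO URL) and the SHA1 signature
# algorithm the article specifies.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $ssoUrl `
    -SamlEndpoint $samlEndpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Step 7.2: logon/logoff URLs to enter on the TMES side.
$ls = Get-AdfsEndpoint | Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.AddressPath -eq '/adfs/ls/' }
"Logon URL : $($ls.FullUrl)"
"Logoff URL: $($ls.FullUrl)?wa=wsignout1.0"

# Steps 7.3-7.7: export the primary token-signing certificate as Base-64 encoded X.509 (.CER).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') + "`r`n-----END CERTIFICATE-----"
Set-Content -Path .\tmes-token-signing.cer -Value $pem -Encoding Ascii
```

Re-run the export whenever ADFS rolls over its token-signing certificate, since TMES validates assertion signatures against the certificate you uploaded.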