Prerequisites

Before you begin configuring AD FS, make sure that:

  • You have a Windows Server installed with AD FS 3.0 to serve as a federation server.
  • You are logged on to the management console as a Cloud App Security global administrator. For details, see Administrator and Role.

Setting ADFS

  1. On the ADFS server, go to Start > All Programs > Administrative Tools > ADFS Management.

    Administrative Tools

  2. On the AD FS management console, select the AD FS root folder, click on the Actions menu, and then choose Add Relying Party Trust.

    Add Relying Party Trust

  3. Complete settings for each screen in the Add Relying Party Trust wizard.
    1. On the Welcome screen, click Start.

      Welcome Screen

    2. Select Enter data about the relying party manually, and then click Next.

      Data Source

    3. Specify a display name (e.g. Trend Micro Cloud App Security), and click Next.

      Display Name

    4. Select ADFS profile.

      ADFS Profile

    5. Click Next.
       
      No encryption certificate is required, and HTTPS will be used for communication between Trend Micro Cloud App Security and federation servers.
       

      Configure Certificate

    6. Select Enable support for the SAML 2.0 WebSSO protocol, type the relying party SAML 2.0 SSO service URL, and then click Next.
       
      The SAML 2.0 SSO service URL is <Cloud App Security admin site>/ssoLogin, where the admin site depends on your serving site. For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, the SAML 2.0 SSO service URL is https://admin-eu.tmcas.trendmicro.com/ssoLogin.
       

      Enable SAML 2.0

    7. Provide the identifier in the Relying party trust identifier field, click Add, and then click Next.
       
      This is also referred to as Application Identifier on the Cloud App Security management console.
       

      Configure Identity Provider

    8. On the "Configure Multifactor Authentication Now?" screen, choose the default settings.
       
      The default setting is set to "I do not want to configure multi-factor authentication settings for the relying party trust at this time."
       

      Configure MFA

    9. Select Permit all users to access this relying party, and then click Next.

      Choose issuance rules

    10. Click Next.

      Add Trust

    11. Click Close.

      Setup Wizard complete

       
      Keep the option ticked to launch the Claim Rules window to proceed in adding rules to the newly-created Relying Party Trust.
       
  4. Once the "Edit Claim Issuance Policy for Trend Micro Cloud App Security Administrator Console" dialog box opens, go to the Issuance Transform Rules tab, and click Add Rule.

    Add Rule

  5. Complete settings for each screen in the Add Transform Claim Rule wizard.
    1. For the Claim rule template drop-down, select Send LDAP Attributes as Claims and click Next.

      Claim Rule

    2. On the Configure Rule tab, specify a claim rule name, and then select Active Directory from the Attribute store drop-down.
    3. Select the following LDAP attributes and specify an outgoing claim type for each attribute:
      LDAP Attribute          Outgoing Claim Type
      E-Mail-Addresses        E-Mail Address
      User-Principal-Name     Name

      Attribute Store

    4. Click Finish.
  6. Click Add Rule.

    Add Rule

  7. Complete settings on each tab of the Add Transform Claim Rule Wizard screen.
    1. From the Claim rule template drop-down, select Transform an Incoming Claim, and then click Next.
    2. On the Configure Claim Rule tab, specify the following:
      • Claim rule name: provide a claim rule name
      • Incoming claim type: select or type "E-Mail Address"
      • Outgoing name ID format: Email
    3. Select Pass through all claim values, and click Finish.

    Pass through all claims

  8. Click Apply, and then click OK. The newly-created rules will appear on the Issuance Transform Rules tab.

    Claim Rule List
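    The same relying party trust and claim rules that steps 3 through 8 create in the wizard can be scripted with the AD FS PowerShell module. This is an added example, not code from the original article or from Trend Micro; it assumes the admin-eu console URL from step 3.6 and uses a placeholder for the Application Identifier you copy from the Cloud App Security console.

```powershell
# Added example (not from the original article): relying party trust plus the
# three claim rules from wizard steps 3-8, created with the ADFS PowerShell module.
# Assumptions: console URL from the article; $identifier is a placeholder that
# must be replaced with the Application Identifier shown in the CAS console.
Import-Module ADFS

$consoleUrl = "https://admin-eu.tmcas.trendmicro.com"
$identifier = "<application-identifier-from-CAS-console>"   # placeholder

# Step 3.6: SAML 2.0 WebSSO assertion consumer endpoint (HTTP POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "$consoleUrl/ssoLogin" -Index 0 -IsDefault $true

# Step 5: Send LDAP Attributes as Claims (mail -> E-Mail Address, UPN -> Name).
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email and UPN as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Step 7: Transform an Incoming Claim (E-Mail Address -> Name ID, format Email).
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email address as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 3.9: Permit all users to access this relying party.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 3.3 and 3.7: display name and relying party trust identifier. No
# encryption certificate is set, matching step 3.5.
Add-AdfsRelyingPartyTrust -Name "Trend Micro Cloud App Security" `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $permitAll

# Step 8: confirm the rules that the Issuance Transform Rules tab would list.
Get-AdfsRelyingPartyTrust -Name "Trend Micro Cloud App Security" |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```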

  9. Collect the single sign-on logon and logoff URLs, and obtain a certificate for AD FS signature validation on the Cloud App Security management console.
    1. On the AD FS management console, go to AD FS > Service > Endpoints.

      Endpoints

    2. Look for the SAML 2.0/WS-Federation type endpoint and collect the URL path.
       
      The URL path will be used when you configure logon and logoff URLs on Trend Micro Cloud App Security.
      • Logon URL: <adfs_domain_name>/adfs/ls/
      • Logoff URL: <adfs_domain_name>/adfs/ls/?wa=wsignout1.0
       

      SAML

    3. Go to AD FS > Service > Certificates.

      Certificates

    4. Look for the Token-signing certificate, right-click it, and then select View Certificate.

      Token Signing

    5. Click the Details tab, and click Copy to File.

      Copy to file

    6. Using the Certificate export wizard, select Base-64 Encoded X.509 (.CER).

      Certificate Export Wizard

    7. Assign a name to the file to complete the export of the certificate into a file, and then click Next.

      Assign Name

    8. Click Finish.
       
      The exported certificate will be used when configuring single sign-on (SSO) in Trend Micro Cloud App Security (CAS) web console.
       
  10. Configure the authentication methods.
    1. On the AD FS management console, go to AD FS > Authentication Policies.

      Authentication Policy

    2. Under the Authentication Policies area, click Edit next to Global Settings under Primary Authentication.

      Policy Overview

    3. On the Primary tab, select the following:
      • Under Extranet section:
        • Forms Authentication
        • Certificate Authentication
      • Under Intranet section:
        • Forms Authentication
        • Windows Authentication

      Edit Policy

    4. Click OK.
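    Steps 9 and 10 can also be done from PowerShell: reading the SAML 2.0/WS-Federation endpoint to build the logon and logoff URLs, exporting the primary token-signing certificate in the same Base-64 X.509 form the wizard produces, and setting the primary authentication providers. This is an added example, not code from the original article or from Trend Micro; the output path C:\Temp\adfs-token-signing.cer is a placeholder.

```powershell
# Added example (not from the original article): steps 9 and 10 with the ADFS
# PowerShell module. Assumption: the .cer output path is a placeholder.
Import-Module ADFS

# Step 9.2: the SAML 2.0/WS-Federation endpoint path (/adfs/ls/) gives the
# logon URL; appending ?wa=wsignout1.0 gives the logoff URL for the CAS console.
$fedEp = Get-AdfsEndpoint |
         Where-Object { $_.Protocol -eq "SAML 2.0/WS-Federation" } |
         Select-Object -First 1
$hostName  = (Get-AdfsProperties).HostName
$logonUrl  = "https://$hostName$($fedEp.AddressPath)"
$logoffUrl = "$logonUrl?wa=wsignout1.0"

# Steps 9.4 to 9.8: export the primary Token-signing certificate as
# Base-64 Encoded X.509 (.CER), the format chosen in the export wizard.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($signing.Certificate.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path "C:\Temp\adfs-token-signing.cer" -Value $pem -Encoding Ascii

# Record thumbprint and expiry: when AD FS rolls the token-signing certificate,
# the copy uploaded to CAS must be replaced or SSO signature validation fails.
[pscustomobject]@{
    LogonUrl   = $logonUrl
    LogoffUrl  = $logoffUrl
    Thumbprint = $signing.Certificate.Thumbprint
    NotAfter   = $signing.Certificate.NotAfter
}

# Step 10.3: primary authentication providers for extranet and intranet.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @("FormsAuthentication", "CertificateAuthentication") `
    -PrimaryIntranetAuthenticationProvider @("FormsAuthentication", "WindowsAuthentication")
```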