Prerequisites
Before you begin configuring single sign-on on the Cloud App Security management console, make sure that:
- You have provisioned an Exchange Online, SharePoint Online, or OneDrive service account. For details, see Provisioning Office 365 Services.
- You are logged on to the management console as a Cloud App Security global administrator.
Cloud App Security currently supports the following identity providers for SSO:
- Microsoft Active Directory Federation Services (AD FS) 2.0 and 3.0
- Azure Active Directory (Azure AD) Premium Edition
- Okta
Setting up SSO
Cloud App Security supports seamless SAML-based single sign-on (SSO) using your corporate account credentials. After you configure the SSO settings, administrators can use their Active Directory or Okta account credentials to sign on to the Cloud App Security management console.
To connect Cloud App Security to your organization environment for SSO:
- Configure the identity provider you use for single sign-on (Azure AD tenant, AD FS federation server, or Okta).
A federation server is a computer that runs a specialized web service that issues, manages, and validates requests for security tokens and identity management. A security token is a collection of identity claims, such as a user's name or role. Because SAML web SSO is browser-mediated (the administrator's browser is redirected to the identity provider, which returns the signed token to Cloud App Security through the browser), the federation server can be configured for intranet access only, so that it is not exposed to the Internet; administrators then need to be on the intranet to sign on.
If you have a hybrid environment consisting of an Azure AD tenant and an on-premises AD FS federation server, Trend Micro recommends that you configure and use Azure AD to ensure proper single sign-on to Cloud App Security.
- Specify the SSO settings on the management console.
Follow the steps below to set up SSO from the Cloud App Security management console:
- Go to Administration > Single Sign-On.
- Configure the general settings for single sign-on.
- Select Enable SSO.
- Choose the Identity Provider.
- Specify the Service URL. This is the identity provider endpoint to which Cloud App Security redirects the administrator's browser for authentication. Depending on the identity provider you have configured, the Service URL is also referred to as:
Identity provider: Field name
Microsoft Azure AD Premium Edition: Login URL
AD FS: the federation service passive endpoint, https://example.com/adfs/ls (replace example.com with your AD FS host name)
Okta: Identity Provider Single Sign-On URL
- Specify the Application Identifier. Depending on the identity provider you have configured, the Application Identifier is also referred to as:
Identity provider: Field name
Microsoft Azure AD Premium Edition: Application ID
AD FS: Relying party trust identifier
Okta: Identity Provider Issuer
- Locate the Base-64 encoded X.509 certificate file that you recorded in Okta, downloaded during Azure AD configuration, or exported during AD FS configuration, and then copy and paste its content in the text box. Cloud App Security uses this certificate to verify the signature on the SAML assertions the identity provider issues, so if the identity provider rolls over its signing certificate, update this field with the new certificate or sign-on will fail.
- Click Save.
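The Service URL and the Base-64 encoded X.509 signing certificate that the steps above ask for are both published in the identity provider's SAML 2.0 metadata document, which Azure AD, AD FS and Okta all expose. The following script is an added example, not Trend Micro's code: it parses a constructed, AD FS-style metadata document (the host name, entityID and truncated certificate body are placeholders, not values from any real tenant), picks the browser-facing SingleSignOnService endpoint, keeps only signing certificates, and normalizes the certificate to a single Base-64 line ready to paste. The entityID it reports corresponds to Okta's "Identity Provider Issuer"; the Azure AD "Application ID" and the AD FS "Relying party trust identifier" named above are not carried in identity provider metadata and must still be read from those consoles.

```python
"""Extract SSO settings from an identity provider's SAML 2.0 metadata.

Added example, not Trend Micro's code. SAMPLE_METADATA is constructed:
the host name, entityID and certificate body are placeholders.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Browser-facing bindings, in order of preference.
BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)

# Constructed sample. The certificate body is a truncated placeholder with a
# valid DER prefix only; it is not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBszCC
        AVw=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBszCCAVw=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_certificate(text):
    """Return the certificate as one Base-64 line, as the console text box expects.

    Accepts PEM armor or the bare Base-64 found in metadata, strips armor and
    whitespace, and checks that it decodes to DER (X.509 starts with SEQUENCE, 0x30).
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text or "")
    body = re.sub(r"\s+", "", body)
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("certificate is not DER-encoded X.509 (no leading SEQUENCE tag)")
    return body


def parse_idp_metadata(xml_text):
    """Return the values to enter under Administration > Single Sign-On.

    Raises ValueError for non-IdP metadata (e.g. SP metadata pasted by
    mistake), a non-HTTPS endpoint, or metadata with no signing certificate.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    services = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    service_url = next((services[b] for b in BINDINGS if b in services), None)
    if not service_url:
        raise ValueError("no SingleSignOnService with a Redirect or POST binding")
    if not service_url.lower().startswith("https://"):
        raise ValueError("Service URL must use https: %s" % service_url)

    # A KeyDescriptor with no 'use' attribute serves both purposes and counts;
    # use="encryption" keys never verify assertion signatures, so skip them.
    certs = [normalize_certificate(c.text)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata carries no signing certificate")

    return {
        "idp_issuer": root.get("entityID"),  # Okta's "Identity Provider Issuer"
        "service_url": service_url,
        "certificate": certs[0],
        # More than one signing key means a rollover is in progress: the console
        # takes a single certificate, so confirm which key currently signs.
        "signing_certificate_count": len(certs),
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print("%-26s %s" % (key + ":", value))
```

Run it against the metadata URL's saved output instead of SAMPLE_METADATA to get the values for a real tenant; a signing_certificate_count above 1 is the cue to check which certificate the identity provider is currently signing with before pasting one into the console.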
After you configure the SSO settings, administrators added from your AD infrastructure or Okta organization can use their AD or Okta account credentials to sign on to the management console. For details about how to add a user as an administrator, see Administrator and Role.