This article shows the steps and detailed instructions in integrating Azure AD with Trend Micro Web Security (TMWS). After following steps, users can be signed in to TMWS using their Azure AD accounts. From the Azure portal, users can also be managed and assigned to be used for TMWS authentication.
- A valid subscription with the Azure AD Premium P1 or P2 edition.
- You are logged on to the management console as an TMWS administrator.
- You have a Global Admin or Co-admin account in Azure.
Since TMWS 3.2, the integration already includes a predefined app from Azure gallery. Hence, there is no need to reconfigure claims for Azure AD integration. In order to complete the configuration, do the following:
- Sign in to the Azure portal using Microsoft account.
- On the left panel, select Azure Active Directory service.
- Select Enterprise applications. From the Application Type drop-down, select All applications.
- Click New Application to add new application.
- From the Add from the gallery section, enter Trend Micro Web Security (TMWS) in the search box.
- Select Trend Micro Web Security (TMWS) from the search results.
Click Create to add app to your tenant. After adding, verify if app is added to your tenant. When searching for the app, it should show as follows:
This step includes establishing link between Azure AD user and configuration settings from TMWS side. For global deployment, you may not need to create a test user but in this case, we will create a test user.
From the Azure portal, on the Trend Micro Web Security (TMWS) application integration page, select Set up single sign-on.
- On the Select a single sign-on method page, select SAML.
On the Set up Single Sign-On with SAML page, select the pen icon for Basic SAML Configuration to edit the settings.
In the Basic SAML Configuration section, enter the values in the following fields:The Identifier (Entity ID) and Reply URL can be retrieved from TMWS web console. Go to Administration then Directory Services and look for the "Click here to change the authentication method." Select Azure AD and scroll down to Service Provider Settings for the Azure Admin Portal.
Take note of the attributes from the SAML settings.Trend Micro Web Security (TMWS) expects the SAML restrictions in a specific format. The two (2) attributes: sAMAccountName and uPN are attributes being passed back in the SAML response, this are pre-populated but can be changed to meet your requirements.
Go back to the Set up single sign on with SAML page. From the SAML Signing Certificate section, choose Certificate (Base 64). Click on the Download link next to the certificate name to download the certificate. This will be used later on the TMWS web console.
Scroll down and look for Set up Trend Micro Web Security (TMWS) section, copy the appropriate URLs as follows:
- In the left pane of the Azure portal, select Azure Active Directory. Select Users.
- Select New User at the top of the screen.
In the User properties, follow these steps:
- In the Azure portal, select Enterprise applications, then select All applications.
- In the applications list, select Trend Micro Web Security (TMWS).
- From the app's overview page, select Assign users and groups.
- Select Add user, then select Users and Groups in the Add Assignment dialog box.
- In the Users and groups dialog box, select the test user created from the Users list then click Select at the bottom of the screen.
- If you expect a role value in the SAML assertion, in the Select Role dialog box, select the appropriate role for the user from the list and then click Select at the bottom of the screen.
In the Add Assignment dialog box, select Assign.
- In the left pane, select Azure Active Directory.
- From the left panel, select App registrations then, under All applications, select Trend Micro Web Security .
- From the left panel, select Certificates & secrets.
- In the Client secrets area, select New client secret.
- On the Add a client secret screen, optionally add a description and select an expiration period for the client secret then select Add. The new client secret appears in the Client secrets area.
Record the client secret value. Later, you will enter it into TMWS web console.
- From the left panel, select API permissions.
- In the API permissions window, select Add a permission.
On the Microsoft APIs tab of the Request API permissions window, select Microsoft Graph and then Application permissions.
Locate and add these permissions:
Select Add a permission. The new permissions appear in the API permissions window.
In the Grant consent area, select Grant admin consent for your administrator account (Default Directory), and then select Yes.
From the left pane, select Overview. Record the Application (client) ID and Directory (tenant) ID that you see in the right pane. Later, you will enter that information into TMWS.
Log in to the TMWS web console. Go to Administration > USERS & AUTHENTICATION > Directory Services. For the Authentication Method, click the here link to change it.
- On the Authentication Method page, select Azure AD.
Select On or Off to configure whether to allow Azure AD users in your organization to visit websites through TMWS if their data is not synchronized with TMWS.Note that users who are not synchronized from Azure AD can be authenticated only through gateways registered to TMWS or the dedicated port for your organization.
In the Identity Provider Settings section, complete these steps:
- In the Service URL field, enter the Login URL value that you copied from the Azure portal.
- In the Logon name attribute field, enter the User claim name with the user.onpremisessamaccountname source attribute from the Azure portal. By default this is the sAMAccountName.
In the Public SSL certificate field, use the downloaded Certificate (Base64) from the Azure portal.
In the Synchronization Settings section, do the following:
- In the Tenant field, enter the Directory (tenant) ID or Custom domain name value from the Azure portal.
- In the Application ID field, enter the Application (client) ID value from the Azure portal.
- In the Client secret field, enter the Client secret from the Azure portal.
- Select Synchronization schedule to synchronize with Azure AD manually or according to a schedule. If you select Manually, whenever there are changes to Active Directory user information, remember to go back to the Directory Services page and perform manual synchronization so that information in TMWS remains current.
In order to verify that the setup was completed successfully, you can perform the following steps to test SSO.
- Open any browser of your choice. Make sure to clear the cache.
- Visit any internet website. TMWS should direct you to captive portal.
- Using the test user Azure AD account (in email address format) type it on the username field.
- In the Azure AD sign-in webpage, enter your credentials. You should now be signed in to TMWS.
In order to verify this, you may access this link diagnose.iws-hybrid.trendmicro to verify the connection and user logged in to TMWS.