Creating claim rules on ADFS for Deep Security Smart Check SAML integration

    • Updated: 2 Sep 2021
    • Product/Version: Deep Security
Summary

These steps apply after SAML has been enabled in Smart Check and the service provider and identity provider metadata have been imported in ADFS and Smart Check. Refer to the Cloud One article on how to import the metadata XML.

After successfully importing the Smart Check metadata XML into ADFS, the Smart Check relying party trust is listed under Trust Relationships > Relying Party Trusts in the AD FS Management console.

Once this is set, you are ready to create the claim rules.

Details
  1. Create a Smart Check Admin group in Active Directory and add users to the group.
    Note that this example uses "SmartCheck-Admin" as the group name. You may change this to any name, but make sure to change the value in Step 2.C (Map AD group to Smart Check role) as well.


  2. Create Claim Rules.
    In the AD FS Management console, go to Trust Relationships > Relying Party Trusts, right-click smartcheck and select "Edit Claim Rules...". On the "Issuance Transform Rules" tab, click Add Rule... and create the following claim rules:
    1. RoleSessionName
      Enter the following:
      Claim Rule Template: Send LDAP Attributes as Claims
      Claim Rule Name: RoleSessionName
      Attribute Store: Active Directory
      LDAP Attribute: Display-Name
      Outgoing Claim Type: https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName


    2. Extract AD Group.
      This rule reads the user's group memberships (tokenGroups) from Active Directory and adds them to the claims pipeline as role claims; add() makes them available to later rules without issuing them to Smart Check.
      Claim Rule Template: Send Claims Using a Custom Rule
      Claim Rule Name: Get AD Groups
      Custom Rule:
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
       => add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);


    3. Map AD group to Smart Check role.
      This is where you can change the AD group; "SmartCheck-Admin" is used in this example. You can also change the Smart Check role that is issued. The default roles are "administrator", "auditor", and "user". The Role claim is issued only when the role claims added in the previous rule contain the configured group.
      Claim Rule Template: Send Claims Using a Custom Rule
      Claim Rule Name: Roles
      Custom Rule:
      EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "SmartCheck-Admin"])
       => issue(Type = "https://deepsecurity.trendmicro.com/SAML/Attributes/Role", Value = "administrator");


    4. Set SAML assertion.
      Claim Rule Template: Transform an Incoming Claim
      Claim Rule Name: Transform
      Incoming Claim Type: Windows account name
      Outgoing Claim Type: Name ID
      Outgoing Name ID Format: Persistent Identifier
      Radio button: Pass through all claim values

      The Issuance Transform Rules tab should now list the four rules: RoleSessionName, Get AD Groups, Roles, and Transform.

  3. Log in using the ADFS IdP-initiated sign-on URL https://[ADFS-server hostname]/adfs/ls/IdpInitiatedSignon.aspx.
Category: Configure
Solution Id: 000288762