Integrating Control Manager (TMCM), Apex Central or Apex One as a Service with Okta

Updated: 10 Apr 2019
Product/Version: Apex Central 2019, Apex One as a Service, Control Manager 7.0
Platform:
    • Windows 2008
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter R2
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Enterprise R2
    • Windows 2008 R2
    • Windows 2008 Server
    • Windows 2008 Server R2
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2012 Datacenter
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Server
    • Windows 2012 Server Essentials
    • Windows 2012 Server R2
    • Windows 2012 Standard
    • Windows 2012 Standard R2
    • Windows 2012 Web Server Edition
    • Windows 2016
    • Windows 2016 Datacenter
    • Windows 2016 Server
    • Windows 2016 Standard
    • Windows 2019 Server
Summary

Okta is a cloud identity management service that provides secure single sign-on (SSO) to applications.

This article describes how to integrate with Okta. The procedure applies to on-premise TMCM, Apex Central, and Apex One as a Service.

The same steps can also serve as a guide for connecting to other SAML 2.0 Identity Providers (IdPs).

Details
  1. Integrate Okta with Active Directory (AD). Do the following:
    1. Go to the Directory > Directory Integrations page.
    2. Click Add Active Directory, then follow the instructions provided.

    Add Active Directory

  2. Go to the Directory > Profile Editor page.

    Configure the AD user profile mappings so that the Okta user profile carries the AD sAMAccountName attribute; this attribute is later used to build the NETBIOS domain user account name that TMCM expects.

    1. Go to Okta user profile.

      Okta Profile Editor

    2. Add a custom attribute of type string named "samAccountName" to the Okta user profile.

      Okta Profile Account Attribute

    3. Go to AD profile mappings.

      Profile Map options

    4. Select "samAccountName" in the AD profile and map it to "samAccountName" in the Okta user profile.

      User Profile Mappings

  3. In Okta, create a new application for every individual Apex Central or TMCM instance.
    1. Select SAML 2.0 as the Sign on method.

      SAML 2.0 Sign-on Method

    2. Provide the information under General Settings.

      General Settings

    3. Configure SAML Settings (IMPORTANT):
      • Single sign on URL: https://<host-to-your-TMCM>/WebApp/login.aspx
      • Audience URI: https://<host-to-your-TMCM>/WebApp/login.aspx
      • Add one custom attribute statement:
        Attribute name: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
        Value: the NETBIOS domain account name that TMCM can recognize, typically in the form "<your_domain>\<login_name>", built from the samAccountName attribute mapped in the previous step.
        For example: 'WIN2016-AD\' + user.samAccountName

        SAML Settings

    4. Download the Okta certificate and rename the file extension from .cert to .cer for later use (Control Manager checks the file extension when the certificate is uploaded).

      Download Certificate

    5. Save the changes.
    6. Assign the AD users who are allowed to log in to TMCM through Okta.

      Assign Users
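Added example (not Trend Micro's or Okta's code): a small Python check that parses a SAML Response shaped like the one Okta sends with the settings above and confirms that the Audience matches the TMCM login URL and that the windowsaccountname attribute carries a NETBIOS "DOMAIN\user" value built from samAccountName. The sample response, the host tmcm.example.com and the user jdoe are constructed; a real Okta response is signed and base64-encoded, and this script deliberately does not verify the signature, which TMCM does with the uploaded certificate.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim name configured as the custom attribute in the Okta SAML Settings.
WIN_ACCOUNT_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
# Simplified NETBIOS "DOMAIN\user" shape: domain of up to 15 chars, one backslash, a user name.
NETBIOS_ACCOUNT = re.compile(r"^[^\\\s]{1,15}\\[^\\\s]+$")

# Constructed, unsigned and already base64-decoded sample of an Okta-style response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://tmcm.example.com/WebApp/login.aspx</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <saml:AttributeValue>WIN2016-AD\\jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text: str, expected_audience: str) -> dict:
    """Return the domain and user TMCM will see, or raise ValueError (no signature check)."""
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"Audience {audiences} does not contain {expected_audience}")
    values = [
        v.text
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == WIN_ACCOUNT_CLAIM
        for v in attr.iterfind("saml:AttributeValue", NS)
    ]
    if len(values) != 1:
        raise ValueError(f"expected exactly one windowsaccountname value, got {values}")
    if not NETBIOS_ACCOUNT.match(values[0]):
        raise ValueError(f"not a NETBIOS DOMAIN\\user value: {values[0]!r}")
    domain, user = values[0].split("\\", 1)
    return {"audience": expected_audience, "domain": domain, "user": user}
```

A mismatched Audience URI or a value such as a UPN instead of "DOMAIN\user" is the usual reason the TMCM login page rejects an otherwise valid Okta assertion.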

  1. Apex Central / TMCM must first be configured to integrate with the on-premise AD.
    For Apex One as a Service, use the Active Directory synchronization tool to integrate the on-premise AD.
  2. Select and grant access to the AD users/groups who should be able to log in to TMCM from Okta. Do the following:
    1. Go to Administration > Account Management > User Accounts > Add.
    2. Select Active Directory user or group, search for and select the user/group, then click Next.

      User Information

    3. Specify the folder access rights to the user, then click Save.

      Specify User Permissions

  3. Upload the certificate downloaded from the Okta application to TMCM.
    • On-premise TMCM: set it manually in SystemConfiguration.xml, in the m_ADFS_IdpServerCerificate setting.
    • Apex One as a Service: set the ADFS configuration on the Apex Central web console.
      1. Go to the Active Directory and Compliance Settings page, then tick Enable Active Directory authentication.
      2. Upload the Server certificate. (The SSO service URL and Server identifier fields cannot be blank.)
      3. Click Save.

      Disable AD Authentication

  4. Disable Active Directory authentication again once the server certificate has been saved.

To test the SAML connection, log in to Okta as a user who has been granted access to the TMCM application, then click the TMCM application to initiate a single sign-on to TMCM.

SAML Connection

Category: Configure
Solution Id: 1120189