Integrating Control Manager (TMCM) / Apex Central™ with Azure Active Directory (AAD)

Updated: 2 Dec 2019
Product/Version: Apex Central All.All; Apex One as a Service All.All; Control Manager 7.0
Platform: Windows 2008, Windows 2008 Datacenter, Windows 2008 Datacenter R2, Windows 2008 Enterprise, Windows 2008 Enterprise 64-bit, Windows 2008 Enterprise R2, Windows 2008 R2, Windows 2008 Server, Windows 2008 Server R2, Windows 2008 Standard, Windows 2008 Standard 64-bit, Windows 2012 Datacenter, Windows 2012 Datacenter R2, Windows 2012 Enterprise, Windows 2012 Server, Windows 2012 Server R2, Windows 2012 Standard, Windows 2012 Standard R2, Windows 2016, Windows 2016 Datacenter, Windows 2016 Server, Windows 2016 Standard, Windows 2019 Server, Windows Server 2012 32-Bit, Windows Server 2012 64-Bit
Summary

This article describes how to integrate with Azure AD (AAD) and enable SSO from AAD to TMCM/Apex Central™. It applies to on-premise TMCM, Apex Central™ and Apex One™ as a Service.

Details

Here is how it works at a high level. Both Azure AD and Apex One as a Service / on-premise TMCM need to be integrated with the on-premise AD.

  • For Apex One as a Service:
    • Use the AD synchronization tool downloaded from Apex One as a Service to integrate it with On-Premise AD.
  • For on-premise TMCM/Apex Central:
    • Configure the AD synchronization with on-premise AD via web console.
  • Import the AD accounts which will do SSO from Azure AD to Apex One as a Service.
  • Use Azure AD Connect downloaded from Windows Azure to integrate Azure AD with on-premise AD.
  • Create a new application for SSO to Apex One as a Service in Azure AD.
  • Users can then sign in to Apex One as a Service through Azure AD SSO.

Apex SSO

  1. Integrate AAD with on-premise AD by using "Azure AD Connect". For reference, visit this Microsoft article: Custom installation of Azure AD Connect.
  2. Go to AAD panel, and select Enterprise applications.
  3. Create a new application for every individual TMCM/Apex Central instance (Azure AD Premium required):
    1. Click New Application.

      [Screenshot: All Applications]

    2. Select Non-gallery application and set a display name for this TMCM/Apex Central application.

      [Screenshot: Add an Application]

    3. Under Application, select Single sign-on.

      [Screenshot: Single Sign On]

  4. Configure Single sign-on of TMCM/Apex Central application:
    1. Select SAML-based Sign-on as the Sign on mode.

      [Screenshot: SAML-SSO mode]

    2. Configure SAML Settings:
      • Identifier (Entity ID): https://<host-to-your-ApexCentral>/
      • Reply URL: https://<host-to-your-ApexCentral>/WebApp/login.aspx

        [Screenshot: Basic SAML Setting]

      • Edit User Attributes & Claims, and click Add new claim to add a custom attribute with the following settings:

        [Screenshots: User Attributes & Claims; Manage Claim; Manage Transformation]

      • Name: windowsaccountname_TM
      • Value: NETBIOS domain account that Apex Central can recognize. It typically has the form "<domain>\<login-name>".
        For example: 'TEST43150\' + user.onpremisessamaccountname
      • Namespace: http://schemas.microsoft.com/ws/2008/06/identity/claims
    3. Download the AAD Certificate (Base64) for later use.

      [Screenshot: Azure AD Certificate]

    4. Check the settings and save.
    5. Assign the AAD users who should be able to log in to the Apex Central application.

      [Screenshot: Add Users]

  1. TMCM/Apex Central must be configured to integrate with the on-premise AD first. For Apex One as a Service, use the Active Directory synchronization tool to integrate the on-premise AD.
  2. Select and grant the AD users/groups who should be able to log in from AAD to TMCM/Apex Central.
    • Go to Administration > Account Management > User Accounts > Add.
    • Select Active Directory user or group > search and select user / group > Next.

      [Screenshot: User Information]

    • Grant permission to the user, then click Save.

      [Screenshot: Access Control]

  3. Download the certificate from the AAD enterprise application and upload it to TMCM/Apex Central.
    1. On-premise TMCM/Apex Central: set it manually in the m_ADFS_IdpServerCerificate entry of SystemConfiguration.xml.

      [Screenshot: User Information]

    2. Apex One™ as a Service: set the ADFS configuration on the Apex Central™ web console.

      [Screenshot: Product Access Control]

    3. Enable Active Directory authentication on the Active Directory and Compliance Settings page.
    4. Get the information from the AAD enterprise application page and set it on the ADFS configuration page.

      [Screenshots: AD Settings; TMCM SSO; Configure Sign On]

      Field name on TMCM/Apex Central settings page   Azure AD SSO attribute name
      SSO service URL                                 SAML Single Sign-On Service URL
      Server identifier                               SAML Entity ID
      Server certificate                              Certificate downloaded from AAD enterprise application
    5. Go to the AAD settings panel > App registrations > Apex Central app > Settings.
    6. Check the App ID URI: https://<host-to-your-ApexCentral>.

      [Screenshot: Registered TMCM]
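The values configured on both sides above must agree exactly, and a mismatch between them is what a failed SSO login usually looks like from the Apex Central side. The following Python script is an added example written for this article (it is not Trend Micro or Microsoft code) that checks a SAML assertion against that configuration: the Audience must equal the Identifier (Entity ID), the Recipient must equal the Reply URL, the signing certificate embedded in the assertion must match the Base64 certificate downloaded from AAD, and the windowsaccountname_TM claim (the article's Namespace plus Name) must carry the "<domain>\<login-name>" form that Apex Central maps to the imported AD account. The host name, certificate contents and assertion are constructed placeholders; the claim value follows the 'TEST43150\' + user.onpremisessamaccountname transformation from the steps above.

```python
import re
import xml.etree.ElementTree as ET

# XML namespaces used in a SAML 2.0 assertion and its XML-DSig block.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values from the article's SAML settings; the host name is a placeholder.
ENTITY_ID = "https://apexcentral.example.test/"
REPLY_URL = "https://apexcentral.example.test/WebApp/login.aspx"
# Azure AD joins the claim Namespace and Name into the SAML attribute name.
CLAIM_NAME = ("http://schemas.microsoft.com/ws/2008/06/identity/claims"
              "/windowsaccountname_TM")
# "<domain>\<login-name>": NetBIOS domain (max 15 chars), backslash, sAMAccountName.
NETBIOS_RE = re.compile(r'^[^\\/:*?"<>|@]{1,15}\\[^\\/:*?"<>|@]+$')

# Constructed stand-in for the "Certificate (Base64)" file downloaded from AAD
# (the real file holds a full PEM-encoded X.509 certificate).
CONFIGURED_IDP_CERT = """-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAwIBAgIQplaceholderAADcert0000000000000000000000000000
-----END CERTIFICATE-----
"""

# Constructed assertion shaped like the one Azure AD sends after the claim
# transformation 'TEST43150\' + user.onpremisessamaccountname (sample values).
SAMPLE_ASSERTION = r"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_sample1" Version="2.0"
    IssueInstant="2019-12-02T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIC8DCCAdigAwIBAgIQplaceholderAADcert0000000000000000000000000000</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID>jdoe@test43150.example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://apexcentral.example.test/WebApp/login.aspx"
          NotOnOrAfter="2019-12-02T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://apexcentral.example.test/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname_TM">
      <saml:AttributeValue>TEST43150\jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Same assertion with the claim left as a UPN, i.e. the transformation was not applied.
UPN_ASSERTION = SAMPLE_ASSERTION.replace(r"TEST43150\jdoe", "jdoe@test43150.example.test")


def normalize_cert(text):
    """Strip PEM armor and whitespace so the file and assertion forms compare equal."""
    lines = [l for l in (text or "").splitlines() if not l.startswith("-----")]
    return "".join("".join(lines).split())


def check_assertion(xml_text, entity_id=ENTITY_ID, reply_url=REPLY_URL,
                    configured_cert=CONFIGURED_IDP_CERT):
    """Compare an assertion against the Apex Central side of the configuration.

    Returns a dict of booleans plus the extracted account name. The XML
    signature is deliberately not verified here; that remains the SP's job.
    """
    root = ET.fromstring(xml_text)
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    confirmation = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = confirmation.get("Recipient") if confirmation is not None else None
    signing_cert = root.findtext(".//ds:X509Certificate", namespaces=NS)

    account = None
    for attribute in root.findall(".//saml:Attribute", NS):
        if attribute.get("Name") == CLAIM_NAME:
            account = attribute.findtext("saml:AttributeValue", namespaces=NS)

    return {
        "audience_matches_entity_id": audience == entity_id,
        "recipient_matches_reply_url": recipient == reply_url,
        "cert_matches_configured": normalize_cert(signing_cert) == normalize_cert(configured_cert),
        "claim_present": account is not None,
        "claim_is_netbios_form": bool(account and NETBIOS_RE.match(account)),
        "account": account,
    }


if __name__ == "__main__":
    for label, result in (("transformed", check_assertion(SAMPLE_ASSERTION)),
                          ("untransformed", check_assertion(UPN_ASSERTION))):
        print(label, result)
```

To use it on a real environment, replace the placeholders with your own Entity ID, Reply URL and the downloaded certificate, and feed it the decoded SAMLResponse captured from a browser SAML trace of a failing login. An account that comes back in UPN form rather than "<domain>\<login-name>" means the Manage Transformation step was not applied, and a certificate mismatch means the value uploaded to TMCM/Apex Central (or written to SystemConfiguration.xml) is stale.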

1.1. IdP Initiated SSO

  1. Log in to http://myapps.microsoft.com.
  2. Go to the access panel, and start the SSO connection.

    [Screenshot: Start SAML]

1.2. SP Initiated SSO (Apex One™ as a Service only)

  1. Enter the AD account credentials in the Apex One™ as a Service login console.

    [Screenshot: TMCM Login]

  2. After you click out of the Username field, the browser redirects to the Azure login page.

Solution Id: 1120631