Using Azure AD Premium Edition

  1. From the left navigation, click Azure Active Directory, and then go to Enterprise applications > New application.
  2. Under Categories, click Security and then Non-gallery application.
  3. Under the Add your own application area that appears, specify the display name for Cloud App Security in the Name text box, for example, Trend Micro Cloud App Security, and then click Add.
  4. On the Quick start screen that appears, click Single sign-on or Configure single sign-on.
  5. Select SAML-based Sign-on from the Single Sign-on Mode drop-down list.

    Cloud App Security uses SAML 2.0 for single sign-on.

  6. Specify the following values for your Cloud App Security tenant in Azure AD:
    • Identifier: Uniquely identifies Cloud App Security for which single sign-on is being configured. Azure AD sends this value as the Audience parameter of the SAML token back to Cloud App Security, which is expected to validate it.

    • Reply URL: Where Cloud App Security expects to receive the SAML token.

      Specify the reply URL based on your serving site:

      Serving Site                 Reply URL
      U.S. (global)
      Australia and New Zealand


  7. Select user.userprincipalname from the User Identifier drop-down list to uniquely identify users in Cloud App Security.
  8. Under SAML Signing Certificate, click Certificate (Base64) to download the certificate file that Cloud App Security uses to validate the Azure AD signature on the SAML tokens it receives from Azure AD.
  9. Select the Make new certificate active check box.

    If the check box does not appear, continue to complete the steps that follow, and then come back to proceed with this step and save the settings again.

  10. Select the Show advanced certificate signing settings check box and specify the following:
    • Signing Option: Select Sign SAML assertion as the part of the SAML token to be digitally signed by Azure AD.

    • Signing Algorithm: Select SHA-256 as the signing algorithm used by Azure AD to sign SAML tokens.

    • Notification Email: Automatically filled in with your Azure AD administrator account name, which is the email address that receives a notification message when the active signing certificate approaches its expiration date.

  11. Click Configure <Your application name>, and record the URL in SAML Single Sign-On Service URL. This is also referred to as Service URL on the Cloud App Security management console.
  12. Click Save.
  13. Go to Enterprise applications > All applications, and click the newly added application on the right side of the page.
  14. Click Users and groups and then Add user.
  15. Under Add Assignment, click Users and groups.
  16. Under the Users and groups area that appears, select the users or groups that are allowed to use single sign-on to the Cloud App Security management console, click Select, and then click Assign.
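What the settings in steps 6 through 10 mean on the receiving side, as an added example in Python (not Trend Micro or Microsoft code): the service provider checks that the Audience of an Azure AD assertion matches the Identifier, that the Recipient matches the Reply URL, that the assertion element itself is signed with RSA-SHA256, and reads the NameID that carries the UPN selected in step 7. The assertion, tenant id, Identifier (urn:example:cas) and URLs are constructed placeholders, and cryptographic verification of the signature against the downloaded certificate is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample assertion shaped like the one Azure AD issues after the steps above.
# The tenant id, Identifier (urn:example:cas), Reply URL and UPN are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://cas.example.invalid/saml/acs"
        NotOnOrAfter="2099-01-01T00:00:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:cas</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def check_assertion(xml_text, identifier, reply_url):
    """Return a list of problems; an empty list means the structural checks passed.
    Cryptographic verification of ds:SignatureValue against the downloaded Base64
    certificate is a separate step for a dedicated XML-DSig library, not done here."""
    root = ET.fromstring(xml_text)
    problems = []
    # Identifier: Azure AD echoes it as the Audience; anything else is a token for another app.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if identifier not in audiences:
        problems.append(f"Audience {audiences} does not contain Identifier {identifier}")
    # Reply URL: the bearer confirmation must be addressed to our own ACS endpoint.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != reply_url:
        problems.append("Recipient does not match the configured Reply URL")
    # Signing option and algorithm: the Assertion element itself carries an RSA-SHA256 signature.
    method = root.find("./ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("Assertion element is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append(f"Unexpected signature algorithm {method.get('Algorithm')}")
    return problems

def name_id(xml_text):
    """Return the NameID, which carries user.userprincipalname as selected in step 7."""
    return ET.fromstring(xml_text).findtext(".//saml:Subject/saml:NameID", namespaces=NS)
```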