Microsoft Entra ID is Microsoft's multi-tenant cloud based directory and identity management service.
This section describes how to configure Microsoft Entra ID as a SAML (2.0) identity provider for Cloud App Security to use.
Before you begin configuring Microsoft Entra ID, make sure that:
  • You have a valid subscription with a Microsoft Entra ID Premium edition license. Microsoft Entra ID handles the sign-in process and then returns the signed SAML assertion to the Cloud App Security management console.
    Important
    Cloud App Security no longer supports SSO for the Microsoft Entra ID Free and Basic editions, because these editions do not support certificate-based communication, which can introduce security risks.
    If you have already configured SSO for a Microsoft Entra ID Free or Basic edition, you can still use SSO to log on to Cloud App Security, but you cannot modify the existing SSO settings.
  • You are logged on to the management console as a Cloud App Security global administrator.

Procedure

  1. Sign in to the Azure management portal at https://portal.azure.com using your Microsoft Entra ID administrator account.
  2. On the Microsoft Azure main page, click Microsoft Entra ID. On first use, click More services and find Microsoft Entra ID.
  3. From the left navigation, go to Enterprise applications > New application.
  4. (Optional) If the Browse Microsoft Entra ID Gallery (Preview) screen opens, click Click here to switch back to the old app gallery experience.
  5. Under Add an application, click Non-gallery application.
  6. Under the Add your own application area that appears, specify the display name for Cloud App Security in the Name text box, for example, Trend Micro Cloud App Security, and then click Add.
    The Overview screen of the newly added application appears.
  7. Under the Getting Started area, click Set up single sign on.
  8. Select SAML as the single sign-on method.
    Note
    Cloud App Security uses SAML 2.0 for single sign-on.
  9. On the SAML-based Sign-on screen, click the Edit icon. On the Basic SAML Configuration screen that appears, specify the following values for your Cloud App Security tenant, and then click Save.
    • Identifier: Uniquely identifies the Cloud App Security tenant for which single sign-on is being configured. Microsoft Entra ID sends this value as the Audience of the SAML token it issues to Cloud App Security, which is expected to validate it before accepting the token.
      Note
      The identifier is the Cloud App Security logon URL of your serving site. For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, the identifier is https://admin-eu.tmcas.trendmicro.com.
    • Reply URL: Where Cloud App Security expects to receive the SAML token.
      Note
      The reply URL is {Cloud App Security_admin_site}/ssoLogin, depending on your serving site. For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, the reply URL is https://admin-eu.tmcas.trendmicro.com/ssoLogin.
    Note
    Perform step 10 or step 11 depending on whether you use the existing signing certificate or create a new one.
  10. Under SAML Signing Certificate, click Certificate (Base64) to download the certificate that Cloud App Security uses to validate the Microsoft Entra ID signature on the SAML tokens it receives.
  11. (Optional) Create a new certificate as follows:
    1. Click the Edit icon, and on the SAML Signing Certificate screen that appears, click New Certificate.
    2. Specify the following and then click Save.
      • Expiration Date: The date when the certificate expires.
      • Signing Option: Select Sign SAML assertion so that Microsoft Entra ID digitally signs the assertion part of the SAML token.
      • Signing Algorithm: Select SHA-256 as the algorithm Microsoft Entra ID uses to sign SAML tokens.
      • Notification Email Addresses: Automatically filled in with your Microsoft Entra ID administrator account name, which is the email address that receives a notification message when the active signing certificate approaches its expiration date.
    3. Click the three dots at the end of the certificate and then select Make certificate active.
  12. Record the following:
    • Go to the Overview screen and record Application ID under the Properties screen. This is also referred to as Application Identifier on the Cloud App Security management console.
    • Click Single sign-on and record Login URL under the Set up <Your application name> area. This is also referred to as Service URL on the Cloud App Security management console.
  13. From the left navigation, click Users and groups and then Add user/group.
  14. Under Add Assignment, click Users or Users and groups, depending on your Microsoft Entra ID edition (assigning groups requires a Premium edition).
  15. Under the Users or Users and groups area that appears, select the users or groups to allow single sign-on to the Cloud App Security management console, click Select and then Assign.
    The selected users and groups appear on the Users and groups screen.
  16. (Optional) Test single sign-on with your application after you complete configuring single sign-on on the Cloud App Security management console:
    1. Click Single sign-on from the left navigation and then click Test at the bottom of the screen.
    2. On the Test single sign-on with <your application name> screen that appears, click Sign in as current user or Sign in as someone else as necessary.
    The user is automatically logged on to the Cloud App Security management console.
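The values entered in steps 9 to 11 only protect the console if Cloud App Security actually enforces them when a SAML token arrives. The following is an added example, not Trend Micro's or Microsoft's code, of the service-provider-side checks those settings imply: Issuer is this tenant's Entra ID, Destination and Recipient equal the Reply URL, Audience equals the Identifier, the Assertion itself is signed with RSA-SHA256, and the token is inside its validity window. The sample response, the tenant ID in the Issuer, and the helper names are constructed assumptions; cryptographic verification of the signature against the downloaded Base64 certificate is assumed to be done by a SAML library and is not shown.

```python
"""Validate a SAML 2.0 Response against the values configured in steps 9 to 11.
Added example, not Trend Micro or Microsoft code: it makes the policy checks a
service provider must make (Issuer, Destination and Recipient = Reply URL,
Audience = Identifier, Assertion signed with RSA-SHA256, validity window).
Cryptographic verification of the XML signature against the downloaded Base64
certificate is assumed to be done by a SAML library and is not shown here."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DEMO_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)  # fixed clock for the demo
# Identifier and Reply URL from step 9; the tenant ID inside the Issuer is a placeholder.
EXPECTED = {"identifier": "https://admin-eu.tmcas.trendmicro.com",
            "reply_url": "https://admin-eu.tmcas.trendmicro.com/ssoLogin",
            "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"}
# Constructed sample (not captured from a real tenant); the SignatureValue is a dummy.
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
 Destination="https://admin-eu.tmcas.trendmicro.com/ssoLogin">
 <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
   Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
   <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://admin-eu.tmcas.trendmicro.com/ssoLogin"
     NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://admin-eu.tmcas.trendmicro.com</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text: str, expected: dict, now: datetime,
                        skew: timedelta = timedelta(minutes=5)) -> list[str]:
    """Return the problems found; an empty list means the response passes every check."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") != expected["reply_url"]:
        problems.append(f"Destination {root.get('Destination')!r} is not the reply URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    # Issuer must be this tenant's Entra ID STS, not just any IdP with a valid certificate
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append(f"unexpected Issuer {issuer!r}")
    # "Sign SAML assertion": the Signature must sit inside the Assertion and use RSA-SHA256
    sig = a.find("ds:Signature", NS)
    method = None if sig is None else sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    algorithm = None if method is None else method.get("Algorithm")
    if sig is None:
        problems.append("Assertion is not signed")
    elif algorithm != RSA_SHA256:
        problems.append(f"signature algorithm {algorithm!r} is not RSA-SHA256")
    # Audience must equal the Identifier configured in step 9
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["identifier"] not in audiences:
        problems.append(f"Audience {audiences} does not include {expected['identifier']}")
    # Bearer confirmation: Recipient must be the Reply URL and must not have expired
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    elif scd.get("Recipient") != expected["reply_url"]:
        problems.append(f"Recipient {scd.get('Recipient')!r} is not the reply URL")
    if scd is not None and scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData has expired")
    # Validity window, with a small clock-skew allowance in both directions
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion is not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired")
    return problems

def run_demo() -> dict[str, list[str]]:
    """Check the constructed response, then tampered variants of it."""
    wrong_audience = SAMPLE_OK.replace("admin-eu.tmcas.trendmicro.com</saml:Audience>",
                                       "admin-us.tmcas.trendmicro.com</saml:Audience>")
    sha1 = SAMPLE_OK.replace("xmldsig-more#rsa-sha256", "xmldsig#rsa-sha1")
    return {"valid": check_saml_response(SAMPLE_OK, EXPECTED, DEMO_NOW),
            "wrong_audience": check_saml_response(wrong_audience, EXPECTED, DEMO_NOW),
            "sha1": check_saml_response(sha1, EXPECTED, DEMO_NOW),
            "expired": check_saml_response(SAMPLE_OK, EXPECTED, DEMO_NOW + timedelta(hours=2))}
```

Calling run_demo() returns an empty problem list for the well-formed sample and a non-empty one for each tampered variant: a token issued for another serving site (wrong Audience), a token signed with SHA-1 instead of the SHA-256 selected in step 11, and a token replayed two hours later. The Audience check is what stops a valid token for, say, an admin-us tenant from being accepted by the admin-eu console, and the Recipient and Destination checks are why the Reply URL in step 9 must match the console address exactly.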