Before specifying single sign-on (SSO) settings on the administrator console, configure the identity provider you choose for SSO, that is, AD FS 4.0, Microsoft Entra ID or Okta:
Gather required settings from your identity provider before setting up the administrator console.


  1. Go to AdministrationAdministrator ManagementLogon Methods.
  2. In the Single Sign-On section, click the toggle button to enable SSO.
  3. Click Add to create an SSO profile.
  4. Configure general information for SSO.
    1. Specify an SSO profile name.
    2. Specify an identifier that is globally unique at your site.
      The administrator console URL is generated.
      If you have to change the unique identifier due to conflict with another identifier, make sure you also change it in your identity provider configuration.
  5. Select the accounts to which the current profile applies:
    • All accounts: applies this profile to all accounts.
      You can create only one profile that is applied to all accounts.
    • Specified accounts: applies this profile to specified accounts.
      Select accounts from the Available pane and click Add > to add them to the Selected pane.
  6. Complete identity provider configuration for SSO.
    1. Select your identity provider from the Identity provider drop-down list.
    2. Specify the logon and logoff URLs for your identity provider.
      Use the logon URL collected from AD FS, Microsoft Entra ID or Okta configurations.
      The logoff URL logs you off and also terminates the current identity provider logon session.
    3. (For Okta only) Click Download Logoff Certificate to obtain the certificate file to upload to your federation server.
    4. Locate the certificate file you downloaded from AD FS, Microsoft Entra ID or Okta configurations and upload it for signature validation.
    5. Specify the identity claim type based on the claim you configured for AD FS, Microsoft Entra ID or Okta. For example, if you use email as the claim name, type email.
  7. Click Save to save the profile.
  8. Click Save to save SSO settings.
    Once you have completed the configuration, log on with an account using the administrator console URL generated in Step 4 to initiate SSO from the identity provider to the Trend Micro Email Security administrator console. The identity claim type specified in Step 6 is used to get the mapping claim value from your identity provider. In this case, Trend Micro Email Security obtains the email address of the logon account and checks if it matches the account email address you set before. If they are matched, you will be successfully logged on to the administrator console with the account.