Configuring TMWS Settings in Azure AD

Procedure

1. Configure the SSO settings in Azure AD.
   1. On the Overview screen for TMWS, under Manage, click Single sign-on.
   2. On the Select a single sign-on method screen that appears, click SAML.
      The Set up Single Sign-On with SAML screen appears.
   3. Under Basic SAML Configuration, click Edit.
      The Basic SAML Configuration screen appears.
   4. Specify the following:
      • Identifier (Entity ID): Uniquely identifies TMWS for which single sign-on is being configured.
      • Reply URL (Assertion Consumer Service URL): Where TMWS expects to receive the authentication token.

      Copy and paste the information from the TMWS management console. You can get it under the Service Provider Settings for the Azure Admin Portal area on the Authentication Method screen for Azure AD from Administration → Directory Services → here.
   5. Click Save.
      A message appears to confirm that your settings were saved successfully.
   6. Close the Basic SAML Configuration screen.
   7. Under User Attributes & Claims, view and keep the attributes and claims pre-configured by Microsoft.

      Note A pre-defined name is configured in the Logon name attribute field on the TMWS management console. You can get it under the Identity Provider Settings area on the Authentication Method screen for Azure AD from Administration → Directory Services → here. You can use that name or specify a name as necessary. Make sure that the values in Azure AD and on TMWS both are identical.

   8. Under SAML Signing Certificate, perform either of the following to download a Base64 certificate:
      • Click the Download link for the Certificate (Base64) file.
      • Click Edit to create a new certificate.
        1. On the SAML Signing Certificate screen that appears, click New Certificate.
        2. Change the expiration date as necessary. Trend Micro recommends keeping the default settings as follows: Signing Option - Sign SAML assertion and Signing Algorithm - SHA-256.
        3. Click Save.
           A message appears to confirm that your settings were saved successfully.
        4. Click the three dots at the end of this certificate, select Make certificate active, and then click Yes.
           The newly created certificate becomes active.
        5. Close the SAML Signing Certificate screen, and under SAML Signing Certificate, Click the Download link for the Certificate (Base64) file.

      This downloads a file to your browser's specified download area. Later, you will upload the certificate file to TMWS.
   9. Under Set up Trend Micro Web Security(TMWS), record the URL in Login URL. Later, you will type the information into TMWS.
2. Assign users and groups to TMWS.
   1. On the Overview screen for TMWS, under Manage, click Users and groups.
   2. On the Users and groups screen that appears, click Add user.
      The Add Assignment screen appears.
   3. Click Users and groups.
   4. On the user and group list that appears in the right pane, select the users and groups that you want to assign to TMWS, and click Select and then Assign.
      A message appears to confirm that your settings were saved successfully.
3. Configure user and group synchronization settings in Azure AD.
   1. From the left navigation, click Azure Active Directory.
   2. Under Manage, click App registrations and then click Trend Micro Web Security(TMWS) under the Owned applications area.
   3. Under Manage, click Certificates & secrets.
   4. Under the Client secrets area that appears, click New client secret.
   5. On the Add a client secret screen that appears, optionally add a description and select an expiration period for this client secret, and then click Add.
      The newly added client secret appears under the Client secrets area.
   6. Record the value. Later, you will type the information into TMWS.
   7. Under Manage, click API permissions.
   8. On the API permissions screen that appears, click Add a permission.
   9. On the Microsoft APIs tab of the Request API permissions screen that appears, click Microsoft Graph and then Application permissions.
   10. Locate and add the following permissions:
       • Group.Read.All
       • User.Read.All
   11. Click Add permissions.
       A message appears to confirm that your settings were saved successfully. The newly added permissions appear on the API permissions screen.
   12. Under the Grant consent area, click Grant admin consent for <your administrator account> (Default Directory) and then Yes.
       A message appears to confirm that the admin consent for the requested permissions was successfully granted.
   13. Click Overview.
   14. In the right pane that appears, record the Application (client) ID and Directory (tenant) ID. Later, you will type the information into TMWS.
       You can also click Custom domain names under Azure Active Directory → Manage and record the domain name in the right pane.