Active Directory Federation Services (AD FS) provides support for claims-aware identity solutions that involve Windows Server and Active Directory technology. AD FS supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols.
This section uses Windows Server 2016 as an example to describe how to configure AD FS as a SAML server to work with Cloud Email Gateway Protection. Make sure you have installed AD FS successfully before you begin.

Procedure

  1. Go to Start > All Programs > Windows Administrative Tools > AD FS Management.
  2. On the AD FS management console, go to AD FS, right-click Relying Party Trusts, and then choose Add Relying Party Trust.
  3. Complete settings for each screen in the Add Relying Party Trust wizard.
    1. On the Welcome screen, select Claims aware and click Start.
    2. On the Select Data Source screen, select Enter data about the relying party manually and click Next.
    3. On the Specify Display Name screen, specify a display name, for example, Trend Micro Email Security End User Console, and click Next.
    4. On the Configure Certificate screen, click Next.
      Note
      No encryption certificate is required, and HTTPS will be used for communication between Cloud Email Gateway Protection and federation servers.
    5. On the Configure URL screen, select Enable support for the SAML 2.0 WebSSO protocol, type the relying party SAML 2.0 SSO service URL, and then click Next.
      Note
      Specify the SAML 2.0 SSO service URL for your region as follows:
      https://euc.<domain_name>/uiserver/euc/ssoAssert?cmpID=<unique_identifier>
      In the preceding and following URLs:
      • Replace <unique_identifier> with a unique identifier. Record the unique identifier, which will be used when you create an SSO profile on the Cloud Email Gateway Protection administrator console.
      • Replace <domain_name> with any of the following based on your location:
        • North America, Latin America and Asia Pacific:
          tmes.trendmicro.com
        • Europe and Africa:
          tmes.trendmicro.eu
        • Australia and New Zealand:
          tmes-anz.trendmicro.com
        • Japan:
          tmems-jp.trendmicro.com
        • Singapore:
          tmes-sg.trendmicro.com
        • India:
          tmes-in.trendmicro.com
        • Middle East (UAE):
          tmes-uae.trendmicro.com
    6. On the Configure Identifiers screen, type the identifier for the relying party trust, click Add, and then click Next.
      Note
      Specify the identifier for the relying party trust for your region as follows:
      https://euc.<domain_name>/uiserver/euc/ssoLogin
    7. On the Choose Access Control Policy screen, choose an access control policy and click Next.
    8. Continue clicking Next in the wizard and finally click Close.
  4. From the Edit Claim Issuance Policy for Trend Micro Email Security End User Console dialog box, click Add Rule in the Issuance Transform Rules tab.
  5. Complete settings for each screen in the Add Transform Claim Rule wizard.
    1. On the Select Rule Template screen, select Send LDAP Attributes as Claims for Claim rule template and click Next.
    2. On the Configure Rule screen, specify a claim rule name and select Active Directory for Attribute store.
    3. Select LDAP attributes and specify an outgoing claim type for each attribute. For example, select E-Mail-Addresses and type email as the outgoing claim type.
      Important
      When configuring the identity claim type for an SSO profile on Cloud Email Gateway Protection, make sure you use the claim type specified here.
    4. (Optional) Configure group claim type settings for user groups.
      1. On the Select Rule Template screen, select Send Group Membership as a Claim for Claim rule template and click Next.
      2. On the Configure Rule screen, specify a claim rule name, click Browse under User's group, and select AD groups.
      3. Specify the outgoing claim type and outgoing claim values. For example, type euc_group and the AD group names.
      Important
      When configuring the group claim type for an SSO profile on Cloud Email Gateway Protection, make sure you use the group claim type specified here.
    5. Click Finish.
    6. Click OK to close the wizard.
  6. From AD FS > Relying Party Trusts, double-click the relying party trust you created earlier.
    1. From the Test Properties dialog box, click the Advanced tab.
    2. Select SHA1 from the Secure hash algorithm drop-down list and click OK.
  7. Collect the single sign-on logon and logoff URLs and obtain a certificate for signature validation from AD FS.
    1. On the AD FS management console, go to AD FS > Service > Endpoints.
    2. Look for the SAML 2.0/WS-Federation type endpoint and collect the URL path.
      Note
      The URL path will be used when you configure logon and logoff URLs on Cloud Email Gateway Protection.
      • Logon URL: <adfs_domain_name>/adfs/ls/
      • Logoff URL: <adfs_domain_name>/adfs/ls/?wa=wsignout1.0
    3. Go to AD FS > Service > Certificates.
    4. Look for the Token-signing certificate, right-click it, and then select View Certificate.
    5. Click the Details tab and click Copy to File.
    6. In the Certificate Export Wizard, select Base-64 encoded X.509 (.CER).
    7. Assign a name to the file to complete the export of the certificate into a file.
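The same configuration can be scripted with the AD FS PowerShell module, which is useful for reproducing the relying party trust on a second federation server or for auditing what the wizard produced. The script below is an added example, not a Trend Micro or Microsoft script: it creates the relying party trust from steps 3 and 6, adds the two claim rules from step 5 in the AD FS claim rule language, and then collects the endpoint path and exports the primary token-signing certificate as in step 7. The unique identifier, the AD group name, and the export path are placeholders you must replace; the region domain defaults to the North America value from the table above.

```powershell
# Added example: scripted equivalent of the wizard steps above (not the vendor's code).
# Run in an elevated PowerShell session on the AD FS server.
# Assumed placeholder values, replace with your own:
$DomainName = 'tmes.trendmicro.com'    # region domain from the table in step 3.5
$CmpId      = 'REPLACE-WITH-UNIQUE-ID' # the <unique_identifier> recorded for the SSO profile
$GroupName  = 'EUC Users'              # hypothetical AD group that receives the group claim
$ExportPath = 'C:\Temp\adfs-token-signing.cer'

Import-Module ADFS

# Step 3: identifier and SAML 2.0 assertion consumer URL follow the patterns in the procedure.
$rpName     = 'Trend Micro Email Security End User Console'
$identifier = "https://euc.$DomainName/uiserver/euc/ssoLogin"
$acsUrl     = "https://euc.$DomainName/uiserver/euc/ssoAssert?cmpID=$CmpId"
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                            -Uri $acsUrl -Index 0 -IsDefault $true

# Step 5: issuance transform rules. Rule 1 is the "Send LDAP Attributes as Claims" template
# emitting the mail attribute as outgoing claim type "email"; rule 2 is the
# "Send Group Membership as a Claim" template emitting outgoing claim type "euc_group".
# The group rule matches on the group SID, resolved here from the group name.
$groupSid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email address as email claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Group membership as euc_group claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "euc_group", Value = "$GroupName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Steps 3.7 and 6: the built-in "Permit everyone" access control policy and the SHA1
# secure hash algorithm the procedure selects on the Advanced tab.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone' `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Steps 7.1 and 7.2: logon and logoff URLs built from the SAML 2.0/WS-Federation endpoint path.
$adfsHost = (Get-AdfsProperties).HostName
$lsPath   = (Get-AdfsEndpoint |
             Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled } |
             Select-Object -First 1).AddressPath
"Logon URL : https://${adfsHost}${lsPath}"
"Logoff URL: https://${adfsHost}${lsPath}?wa=wsignout1.0"

# Steps 7.3 to 7.7: export the primary token-signing certificate as Base-64 encoded X.509.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $tokenSigning.Certificate.Export(
       [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $ExportPath -Value $pem -Encoding Ascii
"Exported token-signing certificate $($tokenSigning.Certificate.Thumbprint) to $ExportPath"
```

After running it, `Get-AdfsRelyingPartyTrust -Name $rpName` shows the trust with its identifier, SAML endpoint, and issuance rules, which is a quick way to confirm the claim types (`email` and `euc_group`) match what you later enter in the SSO profile on the Cloud Email Gateway Protection administrator console. Only the primary token-signing certificate is exported; when AD FS automatic certificate rollover later promotes the secondary certificate, the exported file has to be refreshed on the service provider side.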