This section describes how to add Cloud Email Gateway Protection as a new application and configure SSO settings on your Okta Admin Console.

Procedure

  1. Navigate to the Admin Console by clicking Admin in the upper-right corner.
    Note
    If you are in the Developer Console, click < > Developer Console in the upper-left corner and then click Classic UI to switch over to the Admin Console.
  2. In the Admin Console, go to Applications > Applications.
  3. Click Add Application, and then click Create New App.
    The Create a New Application Integration screen appears.
  4. Select Web as the Platform and SAML 2.0 as the Sign on method, and then click Create.
  5. On the General Settings screen, type a name for Cloud Email Gateway Protection in App name, for example, Trend Micro Email Security End User Console, and click Next.
  6. On the Configure SAML screen, specify the following:
    1. Type https://euc.<domain_name>/uiserver/euc/ssoAssert?cmpID=<unique_identifier> in Single sign on URL based on your serving site.
      Note
      In the preceding and following URLs:
      • Replace <unique_identifier> with a unique identifier. Record the unique identifier, which will be used when you create an SSO profile on the Cloud Email Gateway Protection administrator console.
      • Replace <domain_name> with any of the following based on your location:
        • North America, Latin America and Asia Pacific:
          tmes.trendmicro.com
        • Europe and Africa:
          tmes.trendmicro.eu
        • Australia and New Zealand:
          tmes-anz.trendmicro.com
        • Japan:
          tmems-jp.trendmicro.com
        • Singapore:
          tmes-sg.trendmicro.com
        • India:
          tmes-in.trendmicro.com
        • Middle East (UAE):
          tmes-uae.trendmicro.com
    2. Select Use this for Recipient URL and Destination URL.
    3. Type https://euc.<domain_name>/uiserver/euc/ssoLogin in Audience URI (SP Entity ID).
    4. Select EmailAddress in Name ID format.
    5. Select Okta username in Application username.
    6. (Optional) Click Show Advanced Settings, and specify the following:
      This step is required only if you want to configure a logoff URL on the Cloud Email Gateway Protection administrator console. The logoff URL is used to log you off and also terminate the current identity provider logon session.
      1. Next to Enable Single Logout, select the Allow application to initiate Single Logout check box.
      2. Type https://euc.<domain_name>/uiserver/euc/sloAssert?cmpID=<unique_identifier> in Single Logout URL.
      3. Type https://euc.<domain_name>/uiserver/euc/ssoLogout in SP Issuer.
      4. Upload the logoff certificate in the Signature Certificate area.
        You need to download the logoff certificate from the Cloud Email Gateway Protection administrator console in advance. Go to Administration > End User Management > Logon Methods. Click Add in the Single Sign-on section. On the pop-up screen, locate the Identity Provider Configuration section, select Okta as Identity provider and click Download Logoff Certificate to download the certificate file.
      5. Keep the default values for other settings.
    7. Under ATTRIBUTE STATEMENTS (OPTIONAL), specify email in Name, and select Unspecified in Name format and user.email in Value.
      Important
      When configuring the identity claim type for an SSO profile on Cloud Email Gateway Protection, make sure you use the attribute name specified here.
    8. (Optional) Under GROUP ATTRIBUTE STATEMENTS (OPTIONAL), specify euc_group in Name, select Unspecified in Name format and specify filter conditions.
      Important
      When configuring the group claim type for an SSO profile on Cloud Email Gateway Protection, make sure you use the group attribute name specified here.
    9. Click Next.
  7. On the Feedback screen, click I'm an Okta customer adding an internal app, and then click Finish.
    The Sign On tab of your newly created Cloud Email Gateway Protection application appears.
  8. Click View Setup Instructions, and record the URL in Identity Provider Single Sign-On URL and download the certificate in X.509 Certificate.
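
To confirm that the application was configured as in step 6, the following added example (not part of the Trend Micro or Okta documentation) compares a decoded SAML response captured during a test logon against the Single sign on URL, Audience URI, Name ID format and email attribute specified above. The function names, the example-id identifier and the sample response are constructed for illustration; the check does not verify the XML signature and is meant only for responses you captured yourself.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def expected(domain, cmp_id):
    """Values from step 6 for a serving-site domain and unique identifier."""
    base = f"https://euc.{domain}/uiserver/euc"
    return {"acs": f"{base}/ssoAssert?cmpID={cmp_id}", "audience": f"{base}/ssoLogin"}

def check_response(xml_text, domain, cmp_id):
    """Return the mismatches between a decoded SAML response and step 6."""
    exp, problems = expected(domain, cmp_id), []
    root = ET.fromstring(xml_text)  # operator-captured input only; no signature check
    if root.get("Destination") != exp["acs"]:
        problems.append("Destination != Single sign on URL")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != exp["acs"]:
        problems.append("Recipient != Single sign on URL")
    aud = root.find(".//a:Audience", NS)
    if aud is None or (aud.text or "").strip() != exp["audience"]:
        problems.append("Audience != Audience URI (SP Entity ID)")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not EmailAddress")
    names = {a.get("Name") for a in root.iterfind(".//a:Attribute", NS)}
    if "email" not in names:  # attribute name from step 6.7
        problems.append("attribute 'email' missing")
    return problems

# Constructed sample (unsigned, trimmed); "example-id" is a placeholder identifier.
ACS = "https://euc.tmes.trendmicro.com/uiserver/euc/ssoAssert?cmpID=example-id"
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS}">
<saml:Assertion><saml:Subject>
<saml:NameID Format="{EMAIL_FMT}">user@example.com</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS}"/></saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions><saml:AudienceRestriction>
<saml:Audience>https://euc.tmes.trendmicro.com/uiserver/euc/ssoLogin</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="email">
<saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "tmes.trendmicro.com", "example-id") or "matches step 6")
```

An empty list means the response agrees with the values entered in step 6; a mismatch on the identifier or serving-site domain shows up as a Destination, Recipient or Audience finding.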