Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service.
This section describes how to configure Azure AD as a SAML (2.0) identity provider for Cloud App Security to use.
Before you begin configuring Azure AD, make sure that:
You have a valid subscription with an Azure AD Premium edition license. Azure AD handles the sign-in process and ultimately provides the authentication credentials to the Cloud App Security management console.
Cloud App Security has already stopped supporting SSO for the Azure AD Free and Basic editions because these editions do not support certificate-based communication, which can incur security risks.
If you have already configured SSO for an Azure AD Free or Basic edition, you can still use SSO to log on to Cloud App Security, but you cannot modify the existing SSO settings.
You are logged on to the management console as a Cloud App Security global administrator. For details, see Administrator and Role.
The Overview screen of the newly added application appears.
Cloud App Security uses SAML 2.0 for single sign-on.
Identifier: Uniquely identifies the Cloud App Security instance for which single sign-on is being configured. Azure AD sends this value as the Audience parameter of the SAML token it returns to Cloud App Security, which is expected to validate it.
The identifier is the Cloud App Security logon URL of your serving site. For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, the identifier is https://admin-eu.tmcas.trendmicro.com.
Reply URL: Where Cloud App Security expects to receive the SAML token.
The reply URL is {Cloud App Security_admin_site}/ssoLogin, where the admin site depends on your serving site. For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, the reply URL is https://admin-eu.tmcas.trendmicro.com/ssoLogin.
Perform step 9 or step 10 based on your need.
Expiration Date: The date on which the signing certificate expires.
Signing Option: Select Sign SAML assertion as the part of the SAML token to be digitally signed by Azure AD.
Signing Algorithm: Select SHA-256 as the signing algorithm used by Azure AD to sign SAML tokens.
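The Identifier and Reply URL described above, together with the SHA-256 signing option, are the values a service provider checks when Azure AD posts a SAML assertion to it. The following is an added example, not code from Cloud App Security or Microsoft, that shows those checks on a constructed assertion: the Audience must equal the identifier, the Recipient must equal the reply URL, the validity window must contain the current time, and the declared signature algorithm must be RSA-SHA256 rather than SHA-1. Cryptographic verification of the signature itself needs the identity provider's certificate and an XML-DSig library, so this block deliberately stops at the algorithm check. The tenant ID in the Issuer and the user name are placeholders.

```python
"""Added example: validate the claims of a SAML 2.0 assertion the way a service
provider is expected to after an identity provider such as Azure AD posts it
to the reply URL. Not the product's own code; the assertion is constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # rejected below

# Values from the configuration described on this page (EU serving site).
EXPECTED_AUDIENCE = "https://admin-eu.tmcas.trendmicro.com"
EXPECTED_REPLY_URL = "https://admin-eu.tmcas.trendmicro.com/ssoLogin"

# A fixed "current time" so the validity-window check is reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed assertion (not a real Azure AD token). The Signature element is
# reduced to its SignedInfo so the algorithm check has something to inspect;
# the tenant ID in the Issuer is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{alg}"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID>admin@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="{recipient}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_sample(alg=RSA_SHA256, audience=EXPECTED_AUDIENCE, recipient=EXPECTED_REPLY_URL):
    """Fill the constructed template; the defaults produce an acceptable assertion."""
    return SAMPLE_ASSERTION.format(alg=alg, audience=audience, recipient=recipient)


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_audience, expected_reply_url, now):
    """Return a list of problems found in the assertion's claims; [] means acceptable."""
    root = ET.fromstring(xml_text)
    problems = []

    # Signing option / signing algorithm: the assertion must declare RSA-SHA256.
    method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("assertion is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not RSA-SHA256: " + method.get("Algorithm", ""))

    # Identifier: the Audience sent by the IdP must match what the SP registered.
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience %r does not include %s" % (audiences, expected_audience))

    # Reply URL: the bearer confirmation must name the SP's own endpoint.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_reply_url:
        problems.append("recipient does not match the reply URL")

    # Validity window: reject replays of old assertions and not-yet-valid ones.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if now < _parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= _parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    return problems


if __name__ == "__main__":
    for label, xml_text in [("good", build_sample()), ("sha1", build_sample(alg=RSA_SHA1))]:
        print(label, check_assertion(xml_text, EXPECTED_AUDIENCE, EXPECTED_REPLY_URL, SAMPLE_NOW))
```

Running the block reports no problems for the well-formed sample and a single "signature algorithm is not RSA-SHA256" problem for the SHA-1 variant. In a real deployment the same checks run after the SAML library has verified the XML signature against the Azure AD certificate, and the Audience and Recipient strings are compared exactly, including scheme and host, so that an assertion issued for a different serving site is rejected.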
Notification Email Addresses: Automatically filled in with your Azure AD administrator account name, which is the email address that receives a notification when the active signing certificate approaches its expiration date.
Go to the Overview screen and record Application ID under the Properties screen. This is also referred to as Application Identifier on the Cloud App Security management console.
Click Single sign-on and record Login URL under the Set up <Your application name> area. This is also referred to as Service URL on the Cloud App Security management console.
The selected users and groups appear on the Users and groups screen.
The user is automatically logged on to the Cloud App Security management console.