Configuring Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service.

This section describes how to configure Azure AD as a SAML (2.0) identity provider for Cloud App Security to use.

Before you begin configuring Azure AD, make sure that:

  • You have a valid subscription with an Azure AD Premium edition license that handles the sign-in process and eventually provides the authentication credentials to the Cloud App Security management console.

    Important:

    Cloud App Security has already stopped supporting SSO for the Azure AD Free and Basic editions because these editions do not support certificate-based communication, which can incur security risks.

    If you have already configured SSO for an Azure AD Free or Basic edition, you can still use SSO to log on to Cloud App Security, but you cannot modify the existing SSO settings.

  • You are logged on to the management console as a Cloud App Security global administrator. For details, see Administrator and Role.

  1. Sign in to the Azure management portal at https://portal.azure.com using your Azure AD administrator account.
  2. On the Microsoft Azure main page, click Azure Active Directory. On first use, click More services and find Azure Active Directory.
  3. From the left navigation, go to Enterprise applications > New application.
  4. (Optional) If the Browse Azure AD Gallery (Preview) screen opens, click Click here to switch back to the old app gallery experience.
  5. Under Add an application, click Non-gallery application.
  6. Under the Add your own application area that appears, specify the display name for Cloud App Security in the Name text box, for example, Trend Micro Cloud App Security, and then click Add.

    The Overview screen of the newly added application appears.

  7. Under the Getting Started area, click Set up single sign on.
  8. Select SAML as the single sign-on method.
    Note:

    Cloud App Security uses SAML 2.0 for single sign-on.

  9. On the SAML-based Sign-on screen, click the Edit icon. On the Basic SAML Configuration screen that appears, specify the following for your Cloud App Security tenant, and then click Save.
    • Identifier: Uniquely identifies Cloud App Security for which single sign-on is being configured. Azure AD sends this value as the Audience parameter of the SAML token back to Cloud App Security, which is expected to validate it.

      Note:

      The identifier is the Cloud App Security logon URL of your serving site. For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, the identifier is https://admin-eu.tmcas.trendmicro.com.

    • Reply URL: Where Cloud App Security expects to receive the SAML token.

      Note:

      The reply URL is {Cloud App Security_admin_site}/ssoLogin depending on your serving site. For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, the reply URL is https://admin-eu.tmcas.trendmicro.com/ssoLogin.

    Note:

    Perform step 9 or step 10 based on your need.

  10. Under SAML Signing Certificate, click Certificate (Base64) to download a certificate file for Azure AD signature validation on Cloud App Security when it receives SAML tokens issued by Azure AD.
  11. (Optional) Create a new certificate as follows:
    1. Click the Edit icon, and on the SAML Signing Certificate screen that appears, click New Certificate.
    2. Specify the following and then click Save.
      • Expiration Date: the date when the certificate will expire.

      • Signing Option: Select Sign SAML assertion as the part of the SAML token to be digitally signed by Azure AD.

      • Signing Algorithm: Select SHA-256 as the signing algorithm used by Azure AD to sign SAML tokens.

      • Notification Email Addresses: Automatically filled in with your Azure AD administrator account name, which is the email address that receives a notification message when the active signing certificate approaches its expiration date.

    3. Click the three dots at the end of the certificate and then select Make certificate active.
  12. Record the following:
    • Go to the Overview screen and record Application ID under the Properties screen. This is also referred to as Application Identifier on the Cloud App Security management console.

    • Click Single sign-on and record Login URL under the Set up <Your application name> area. This is also referred to as Service URL on the Cloud App Security management console.

  13. From the left navigation, click Users and groups and then Add user/group.
  14. Under Add Assignment, click Users or Users and groups based on your Active Directory plan level.
  15. Under the Users or Users and groups area that appears, select the users or groups to allow single sign-on to the Cloud App Security management console, click Select and then Assign.

    The selected users and groups appear on the Users and groups screen.

  16. (Optional) Test single sign-on with your application after you complete configuring single sign-on on the Cloud App Security management console:
    1. Click Single sign-on from the left navigation and then click Test at the bottom of the screen.
    2. On the Test single sign-on with <your application name> screen that appears, click Sign in as current user or Sign in as someone else as necessary.

    The user is automatically logged on to the Cloud App Security management console.
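
Added example (not part of the product documentation): a Python check that a SAML response captured during the test in step 16 carries the settings from the procedure, namely the Identifier as Audience, the Reply URL as Recipient, and an assertion-level signature using SHA-256. It inspects fields only and does not verify the signature cryptographically; the function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def expected_settings(admin_site):
    """Identifier and Reply URL as step 9 derives them from the console URL."""
    site = admin_site.rstrip("/")
    return {"identifier": site, "reply_url": site + "/ssoLogin"}

def check_response(b64_response, admin_site):
    """Return findings; an empty list means the response matches the settings."""
    want = expected_settings(admin_site)
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml:  # no DTD belongs in a SAML message; refuse to parse it
        return ["response contains a DOCTYPE declaration"]
    assertion = ET.fromstring(xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element found in the response"]
    findings = []
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if want["identifier"] not in audiences:
        findings.append(f"Audience {audiences} lacks Identifier {want['identifier']}")
    recipients = [d.get("Recipient") for d in assertion.iterfind(".//saml:SubjectConfirmationData", NS)]
    if want["reply_url"] not in recipients:
        findings.append(f"Recipient {recipients} lacks Reply URL {want['reply_url']}")
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("assertion carries no signature (Sign SAML assertion not in effect)")
    elif method.get("Algorithm") != RSA_SHA256:
        findings.append(f"signature algorithm is {method.get('Algorithm')}, not SHA-256")
    return findings

def sample_response(audience, recipient, alg=RSA_SHA256):
    """Constructed sample (signature value omitted), base64-encoded as in a POST binding."""
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"><saml:Assertion>'
           f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>'
           f'</ds:SignedInfo></ds:Signature><saml:Subject><saml:SubjectConfirmation>'
           f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    site = "https://admin-eu.tmcas.trendmicro.com"  # example console URL from the page
    print(check_response(sample_response(site, site + "/ssoLogin"), site))
```

Pass the base64 SAMLResponse form field captured from the browser during the test sign-in, together with the console URL of your serving site.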