Using Azure AD Premium Edition

  1. On the Microsoft Azure main page, click Azure Active Directory. On first use, click More services and find Azure Active Directory.
  2. From the left navigation, go to Enterprise applications > New application.
  3. Under Add an application, click Non-gallery application.
  4. Under the Add your own application area that appears, specify the display name for Cloud App Security in the Name text box, for example, Trend Micro Cloud App Security, and then click Add.

    The Overview screen of the newly added application appears.

  5. Under the Getting Started area, click Set up single sign on.
  6. Select SAML as the single sign-on method.

    Cloud App Security uses SAML 2.0 for single sign-on.

  7. On the SAML-based Sign-on screen, click the Edit icon, specify the following for your Cloud App Security tenant into Azure AD on the Basic SAML Configuration screen that appears, and then click Save.
    • Identifier: Uniquely identifies Cloud App Security for which single sign-on is being configured. Azure AD sends this value as the Audience parameter of the SAML token back to Cloud App Security, which is expected to validate it.

    • Reply URL: Where Cloud App Security expects to receive the SAML token.


      Specify the reply URL based on your serving site:

      Serving Site

      Reply URL



      U.S. (global)

      Australia and New Zealand

  8. (Optional) Under SAML Signing Certificate, click Certificate (Base64) to download a certificate file for Azure AD signature validation on Cloud App Security when it receives SAML tokens issued by Azure AD.
  9. Optionally create a new certificate as follows:
    1. Click the Edit icon, and on the SAML Signing Certificate screen that appears, click New Certificate.
    1. Specify the following and then click Save.
      • Expiration Date: the date when the certificate will expire.

      • Signing Option: Select Sign SAML assertion as the part of the SAML token to be digitally signed by Azure AD.

      • Signing Algorithm: Select SHA-256 as the signing algorithm used by Azure AD to sign SAML tokens.

      • Notification Email Addresses: Automatically filled in with your Azure AD administrator account name, which is the email address that receives a notification message when the active signing certificate approaches its expiration date.

    2. Click the three dots at the end of the certificate and then select Make certificate active.
  10. Recording the following:
    • Go to the Overview screen and record Application ID under the Properties screen. This is also referred to as Application Identifier on the Cloud App Security management console.

    • Click Single sign-on and record Login URL under the Set up <Your application name> area. This is also referred to as Service URL on the Cloud App Security management console.

  11. From the left navigation, click Users and groups and then Add user.
  12. Under Add Assignment, click Users and groups.
  13. Under the Users and groups area that appears, select the users or groups to allow single sign-on to the Cloud App Security management console, click Select and then Assign.

    The selected users and groups appear on the Users and groups screen.

  14. (Optional) Test single sign-on with your application after you complete configuring single sign-on on the Cloud App Security management console:
    1. Click Single sign-on from the left navigation and then click Test at the bottom of the screen.
    2. On the Test single sign-on with <your application name> screen that appears, click Sign in as current user or Sign in as someone else as necessary.

    The user is automatically logged on to the Cloud App Security management console.