Configuring Single Sign-On

Before specifying single sign-on (SSO) settings on the administrator console, configure the identity provider you have chosen for SSO (AD FS 4.0, Azure AD or Okta).

Note:

Gather required settings from your identity provider before setting up the administrator console.

  1. Go to Administration > Administrator Management > Logon Methods.
  2. In the Single Sign-On section, click the toggle button to enable SSO.
  3. Click Add to create an SSO profile.
  4. Configure general information for SSO.
    1. Specify an SSO profile name.
    2. Specify an identifier that is globally unique at your site.

      The administrator console URL is generated.

      If you have to change the unique identifier because it conflicts with another identifier, make sure you also change it in your identity provider configuration.

  5. Select the subaccounts to which the current profile applies:
    • All subaccounts: applies this profile to all subaccounts.

      Note:

      You can create only one profile that is applied to all subaccounts.

    • Specified subaccounts: applies this profile to specified subaccounts.

      Select subaccounts from the Available pane and click Add > to add them to the Selected pane.

  6. Complete identity provider configuration for SSO.
    1. Select your identity provider from the Identity provider drop-down list.
    2. Specify the logon and logoff URLs for your identity provider.

      Note:

      Use the logon URL collected from AD FS, Azure AD or Okta configurations.

      The logoff URL logs you off and also terminates the current identity provider logon session.

    3. (For Okta only) Click Download Logoff Certificate to obtain the certificate file to upload to your federation server.
    4. Locate the certificate file you downloaded from AD FS, Azure AD or Okta configurations and upload it for signature validation.
    5. Specify the identity claim type based on the claim you configured for AD FS, Azure AD or Okta. For example, if you use email as the claim name, type email.
  7. Click Save to save the profile.
  8. Click Save to save SSO settings.

    Once you have completed the configuration, log on with a subaccount using the administrator console URL generated in Step 4 to initiate SSO from the identity provider to the Trend Micro Email Security administrator console. The identity claim type specified in Step 6 is used to retrieve the mapped claim value from your identity provider. In this case, Trend Micro Email Security obtains the email address of the logon subaccount and checks whether it matches the subaccount email address you set earlier. If they match, you are logged on to the administrator console with that subaccount.
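As an added example (not Trend Micro Email Security code), the checks a service provider makes when it maps the identity claim back to a subaccount: the audience must equal the unique identifier from Step 4, the assertion must be within its validity window, and the attribute named by the identity claim type from Step 6 must match the subaccount email. The assertion, identifier and addresses are constructed; signature validation with the uploaded certificate is assumed to happen before this function with an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from any real tenant), shaped like an IdP's post-logon response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>tmes-acme</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>Admin@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML timestamps are UTC ISO 8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def map_claim_to_subaccount(assertion_xml, unique_identifier, claim_type,
                            subaccount_email, now):
    """Return (ok, reason). Assumes the assertion signature was already
    validated against the uploaded IdP certificate by an XML-DSig library."""
    root = ET.fromstring(assertion_xml)
    # Audience must equal the unique identifier configured in Step 4; an
    # assertion issued for a different service provider must not log anyone on.
    audiences = [a.text for a in root.findall(
        ".//saml:AudienceRestriction/saml:Audience", NS)]
    if unique_identifier not in audiences:
        return False, "audience mismatch"
    # Honour the validity window the IdP placed on the assertion.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (parse_saml_time(cond.get("NotBefore")) <= now
                            < parse_saml_time(cond.get("NotOnOrAfter"))):
        return False, "assertion expired or not yet valid"
    # The attribute named by the identity claim type (Step 6) carries the
    # value matched against the subaccount; require exactly one value.
    values = [v.text.strip() for v in root.findall(
        ".//saml:Attribute[@Name='%s']/saml:AttributeValue" % claim_type, NS)
        if v.text]
    if len(values) != 1:
        return False, "claim missing or ambiguous"
    # Email addresses are compared case-insensitively with the subaccount email.
    if values[0].lower() != subaccount_email.lower():
        return False, "claim does not match subaccount"
    return True, "ok"
```

An assertion whose audience names another service provider, or whose claim is absent, is rejected before any email comparison takes place.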