Configuring Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service.

Make sure you have a valid subscription in Azure AD that handles the sign-in process and eventually provides the authentication credentials of subaccounts to the administrator console.

  1. On the Azure AD management portal, select the directory for which you want to implement SSO.
  2. Click Enterprise applications in the navigation area on the left and click New application.
  3. On the Browse Azure AD Gallery (Preview) screen, click Create your own application.
  4. On the Create your own application panel that appears on the right, specify a name for your application, for example, Trend Micro Email Security Administrator Console, and click Create.
  5. Under Getting Started in the overview of your application, click 1. Assign users and groups, click Add user/group, select a specific user or group for this application and click Assign.
  6. In the navigation area of your application, click Single sign-on.
  7. Click SAML to configure the connection from your application to Azure AD using the SAML protocol.
    1. Under Basic SAML Configuration, click Edit, specify the identifier and reply URL, and click Save.
      Note:

      Specify the identifier for your region as follows:

      https://ui.<domain_name>/uiserver/subaccount/ssoLogin

      Specify the reply URL for your region as follows:

      https://ui.<domain_name>/uiserver/subaccount/ssoAssert?cmpID=<unique_identifier>

      In the preceding and following URLs:
      • Replace <unique_identifier> with a unique identifier. Record the unique identifier, which will be used when you create an SSO profile on the Trend Micro Email Security administrator console.

      • Replace <domain_name> with any of the following based on your location:

        • North America, Latin America and Asia Pacific:

          tmes.trendmicro.com

        • Europe, the Middle East and Africa:

          tmes.trendmicro.eu

        • Australia and New Zealand:

          tmes-anz.trendmicro.com

        • Japan:

          tmems-jp.trendmicro.com

      Click No, I'll test later when you are prompted to choose whether to test single sign-on with Trend Micro Email Security Administrator Console. You are advised to perform a test after all SSO settings are complete.

    2. Under User Attributes & Claims, click Edit, and specify the identity claim.

      User attributes and claims are used to retrieve the email addresses of subaccounts that log on, so that their identity can be authenticated. By default, the source attribute user.mail is preconfigured to supply the email addresses. If the email addresses in your organization are defined by a different source attribute, do the following to add a new claim name:

      Click Add new claim. On the Manage claim screen, specify the claim name, leave Namespace empty, select Attribute as Source, select a value from the Source attribute drop-down list, and click Save.

      Important:

      When configuring the identity claim type for an SSO profile on Trend Micro Email Security, make sure you use the claim name specified here.

    3. Under SAML Signing Certificate, click Edit, specify an email address for Notification Email Addresses, and click Save. Click Download next to Certificate (Base64) to download the certificate file that Trend Micro Email Security uses to validate Azure AD signatures.
    4. Under Set up Trend Micro Email Security Administrator Console, record the login and logout URLs.
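The values recorded in the steps above (the per-region identifier, the reply URL carrying cmpID, and the identity claim name) are exactly what the service provider must check in each incoming SAML assertion. The following is an added example, not code from Trend Micro or Microsoft: it builds the identifier and reply URL for a region and then checks a constructed assertion against them; the region keys, the sample assertion, the claim name "emailaddress" and the cmpID value are all assumptions for illustration.

```python
"""Build the SAML identifier / reply URL for a region and check an assertion against them.
Signature validation with the downloaded Base64 certificate is a separate step not shown here."""
import xml.etree.ElementTree as ET

# Region hosts exactly as listed on the page; the dict keys are assumed names.
REGION_HOSTS = {
    "NA_LATAM_APAC": "tmes.trendmicro.com",
    "EMEA": "tmes.trendmicro.eu",
    "ANZ": "tmes-anz.trendmicro.com",
    "JP": "tmems-jp.trendmicro.com",
}
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def sso_urls(region, unique_identifier):
    """Identifier (Entity ID) and reply URL (ACS URL) in the documented form."""
    base = f"https://ui.{REGION_HOSTS[region]}/uiserver/subaccount"
    return {"identifier": f"{base}/ssoLogin",
            "reply_url": f"{base}/ssoAssert?cmpID={unique_identifier}"}


def check_assertion(xml_text, region, unique_identifier, claim_name):
    """Return (True, email) if Audience, Recipient and the identity claim all match, else (False, reason)."""
    expected = sso_urls(region, unique_identifier)
    root = ET.fromstring(xml_text)
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["identifier"]:
        return False, f"audience mismatch: {audience}"
    scd = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["reply_url"]:  # wrong cmpID or wrong region host fails here
        return False, f"recipient mismatch: {recipient}"
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim_name:  # the claim name configured in Azure AD
            return True, attr.findtext("saml:AttributeValue", namespaces=NS)
    return False, f"claim {claim_name!r} not present"


# Constructed sample assertion (EMEA region, cmpID EXAMPLE-ID-123, claim "emailaddress").
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://ui.tmes.trendmicro.eu/uiserver/subaccount/ssoAssert?cmpID=EXAMPLE-ID-123"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://ui.tmes.trendmicro.eu/uiserver/subaccount/ssoLogin</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="emailaddress">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "EMEA", "EXAMPLE-ID-123", "emailaddress"))
```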