Configuring Single Sign-On

1. Specify an SSO profile name.
2. Specify an identifier that is globally unique at your site.

   The administrator console URL is generated.

   If you have to change the unique identifier due to conflict with another identifier, make sure you also change it in your identity provider configuration.

• All accounts: applies this profile to all accounts.

  Note:

  You can create only one profile that is applied to all accounts.

• Specified accounts: applies this profile to specified accounts.

  Select accounts from the Available pane and click Add > to add them to the Selected pane.

1. Select your identity provider from the Identity provider drop-down list.
2. Specify the logon and logoff URLs for your identity provider.
   Note:

   Use the logon URL collected from AD FS, Azure AD or Okta configurations.

   The logoff URL logs you off and also terminates the current identity provider logon session.

3. (For Okta only) Click Download Logoff Certificate to obtain the certificate file to upload to your federation server.
4. Locate the certificate file you downloaded from AD FS, Azure AD or Okta configurations and upload it for signature validation.
5. Specify the identity claim type based on the claim you configured for AD FS, Azure AD or Okta. For example, if you use email as the claim name, type email.

Once you have completed the configuration, log on with an account using the administrator console URL generated in Step 4 to initiate SSO from the identity provider to the Trend Micro Email Security administrator console. The identity claim type specified in Step 6 is used to get the mapping claim value from your identity provider. In this case, Trend Micro Email Security obtains the email address of the logon account and checks if it matches the account email address you set before. If they are matched, you will be successfully logged on to the administrator console with the account.