Before specifying SSO settings on the administrator console, configure the identity provider you choose for single sign-on, that is, AD FS 4.0, Azure AD or Okta:
Gather required settings from your identity provider before setting up the administrator console.
The End User Console URL is generated.
If you have to change the unique identifier due to conflict with another identifier, make sure you also change it in your identity provider configuration.
All domains: applies this profile to all domains.
You can create only one profile that is applied to all domains.
Specified domains: applies this profile to specified domains.
Select domains from the Available pane and click Add > to add them to the Selected pane.
Use the logon URL collected from AD FS, Azure AD or Okta configurations.
The logoff URL logs you off and also terminates the current identity provider logon session.
A signature is returned from the identity provider server during SSO. To prevent attackers from forging a logon, the signature must be validated against the certificate file you obtained from your identity provider.
Click the Signature validation toggle button.
Locate the certificate file you downloaded from AD FS, Azure AD or Okta configurations and upload it for signature validation.
If you enable this function, only end users who have valid email addresses and belong to the specified group can log on to the End User Console through SSO:
Click the Group allow list toggle button.
Specify the group claim type based on the group claim you configured for AD FS, Azure AD or Okta. For example, if you use euc_group as the group attribute name, type euc_group.
Specify group claim values based on the group claim you configured for AD FS, Azure AD or Okta. If your identity provider is AD FS or Okta, type group names; if your identity provider is Azure AD, type group IDs.
Once you have completed the configuration, an end user can log on using the End User Console URL generated in Step 4 to initiate SSO from the identity provider to the End User Console. The identity claim type and group claim type specified in Step 6 are used to get the mapping claim values from your identity provider. In this case, Trend Micro Email Security obtains the email address and user group of the logon account to verify the identity of the end user. Once verified, the end user will be successfully logged on to the End User Console.
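To make the claim mapping concrete, here is an added illustration (not Trend Micro's code) of how the email address and group claim values are read from a SAML assertion and checked against the group allow list; the assertion layout, the `euc_group` claim name and the sample values are constructed for this example, and the assertion is assumed to have already passed signature validation.

```python
# Added illustration (not Trend Micro's code): pull the email address and the
# group claim values out of a SAML assertion and apply the group allow list.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: an email NameID plus an "euc_group" attribute
# carrying two group names (AD FS / Okta style; Azure AD would send group IDs).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="euc_group">
      <saml:AttributeValue>Email-Users</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml, group_claim_type):
    """Return (email, set of group claim values) for the given group claim type.
    Only call this on an assertion whose signature was already verified against
    the identity provider certificate; unsigned claims prove nothing."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    email = name_id.text.strip() if name_id is not None and name_id.text else None
    groups = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == group_claim_type:
            groups.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return email, groups


def allow_list_permits(email, groups, allowed_values, allow_list_enabled=True):
    """Apply the rule from the page: the user needs a valid email address and,
    when the allow list is on, at least one group claim value in the list.
    Values are compared as exact strings, so for Azure AD the allow list holds
    group IDs while for AD FS or Okta it holds group names."""
    if not email or "@" not in email:
        return False
    if not allow_list_enabled:
        return True
    return bool(groups & set(allowed_values))


def evaluate_logon(assertion_xml, group_claim_type, allowed_values):
    """Convenience wrapper returning (email, permitted) for one assertion."""
    email, groups = extract_claims(assertion_xml, group_claim_type)
    return email, allow_list_permits(email, groups, allowed_values)
```

A mistyped group claim type (for example `groups` instead of `euc_group`) yields an empty group set, so every user is denied rather than silently admitted.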