Set up SSO for your Organisation
Single sign-on (SSO) enables you to securely authenticate and access Trend Micro Cloud One™ – Conformity along with multiple applications and websites by logging in only once—with just one set of credentials. Conformity supports SAML 2.0 SSO standard.
Enabling SSO for Conformity is a two-step process explained below:
To enable you to set up SSO for your organization, we first need to validate your domain.
Decide upon the primary domain for your organization and send an email to email@example.com or create a support ticket titled ‘SSO request - Domain validation’.
Please ensure that your domain name:
Once we validate your domain and activate SSO settings, we’ll notify you with a confirmation email.
If you need support for multiple email domains managed within the same IDP instance, please let our support team know in the ticket and we can assist.
On receiving the domain validation confirmation, sign in to Conformity and go to Administration > SSO to configure the following settings and activate SSO:
If your Identity Provider is not listed and it supports SAML 2.0, contact support to set it up for you.
We support any SAML 2.0 compliant identity provider in SP-init sign-on (authentication starts on CC SSO page: https://www.cloudconformity.com/identity/saml-sign-in.html). We also support IdP-init sign-on (authentication starts from the Identity Provider’s user dashboard) if the identity provider supports the “Default Relay State” value.
In addition to the options available from the drop-down list, we support the following Identity Providers out-of-the-box with LTS support:
For more information, refer to our integration guides for Okta and ADFS or email SSO@cloudconformity.com to receive instructions on integrating Conformity with Azure AD, Centrify, Keycloak, and OneLogin.
Once you have set up SSO, we recommend that you disable your local authentication by raising a support ticket.
Q: Do you support OAuth authentication?
A: No. If you have a specific use-case where SAML 2.0 is not relevant, contact the Customer Success team and they will provide guidance or relay your feature request.
Q: Do you provide standard service-provider metadata?
Q: Which nameid formats do you support?
A: Preferably urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, although we can work with urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified as long as the value is either email address, or otherwise unique, and email address is sent as another unique attribute.
Q: Which SAML attributes do you support?
A: Apart from the email address that is preferably the nameid, Conformity can map first name, last name, and user role from any SAML attribute.
Q: Do you need SAML response/assertions to be encrypted/signed?
A: The response has to be signed, but encryption is optional.
Q: Can we use multiple identity providers?
A: Yes. However, keep in mind that users within the same organization using different identity providers are not fully isolated and their personally identifiable information will be accessible to other users.
Q: Can we use local Conformity username/passwords alongside SSO?
A: Yes. However, we recommend disabling local authentication after SSO setup. This can be requested via the customer support portal.
Q: What access level do SSO users get?
A: SSO users can get one of the following roles in Conformity:
Depending on your identity provider, you can configure it to send a group membership or role attribute with values that would map to the roles mentioned earlier.
Q: I have my own internal identity management, how would authorization work with SSO?
A: Cloud Conformity will accept the roles your users are signing in to authorize access, i.e. if a user signs in as an Admin, they will be treated as an Admin.
Q: What if we have groups of users that require access to separate sets of accounts?
A: You can have one Admin group to manage user permissions and add accounts and map everyone else to the Custom role. You can manage account-level permissions on Conformity user management.
Q: What if we have a lot of users with custom permissions? It’s not efficient to wait for all of them to sign in before we can manage their permissions.
A: If you have many users with custom permissions, first add all of your accounts, then request bulk user import in CSV format via the customer support portal.
Q: How does user provisioning work when SSO is enabled?
A: Conformity supports Just in Time user provisioning. Any successful SSO authentication triggers Conformity to update the existing user with the provided first name, last name, and role; or create a new user with the provided attributes.
Q: How can I revoke an SSO user in Conformity?
A: If your SSO configurations allow local sign-on (username/password), you can revoke users as an Admin from Conformity UI. If a user is fully managed by the Identity Provider, you will need to raise a ticket.
Q: Do you support break-glass credentials in case our identity provider is not working or SSO configuration requires an update?
A: Yes. You can mention that you would like to keep the user credentials when you request local credentials removal via the customer support portal.