
Azure AD SAML SSO Integration Set up

To add Trend Micro Cloud One™ – Conformity as a custom SAML 2.0 app in Azure AD, follow the instructions below to register Conformity as an enterprise application and enable SAML single sign-on:

  1. Sign in to Azure Portal as administrator
  2. Navigate to Azure Active Directory
  3. Open Enterprise Applications
  4. Click + New application
  5. Click + Create your own application
  6. Enter a name, for example “Conformity”, in the Name field
  7. Select “Integrate any other application you don’t find in the gallery”
  8. Click “Create”
  9. After the application is created, upload this logo under the “Properties” section and save it
  10. In the “Users and groups” section, assign the groups you would like to have access to ‘Cloud Conformity’.
  11. Open the “Single sign-on” section
  12. Select “SAML-based Sign-on”
  13. Edit “Basic SAML Configuration”
  14. Identifier: enter “https://www.cloudconformity.com”
  15. Reply URL: enter “https://www.cloudconformity.com/v1/proxy/sso/saml/consume”
  16. Depending on your region of service and email domain, enter {region}:{domain} in Relay State
    • {region} should be replaced with your region of service, i.e. one of the three regions: us-west-2, ap-southeast-2, or eu-west-1.
    • {domain} should be replaced with the domain part of user emails, e.g. us-west-2:your-company.com
  17. Edit “User Attributes & Claims”
  18. Select “user.mail” as the source attribute of the “Unique User Identifier” field
  19. Verify that the following additional claims are present:
  20. Under SAML Signing Certificate, download the Federation Metadata XML file; you will need it for the SSO configuration in Conformity.
  21. In the top search bar, search for App Registrations.
  22. Select the All Applications tab and select the application you created in Step 5 of this guide, i.e. “Cloud Conformity”.
  23. Click Manifest to open the Manifest Editor.
  24. Change groupMembershipClaims from null to SecurityGroup, i.e. "groupMembershipClaims": "SecurityGroup".
  25. Save the manifest.
  26. Set Role Groups in Azure to match Conformity Role Mappings
    Each of the four Conformity roles should have a group defined in the Azure Active Directory.
    Open each group under “Users and groups” and take note of the “Object ID” to automatically map Azure AD groups to Cloud Conformity roles. The roles supported by Conformity are:
  • Admin: Organisation admin, full access to everything
  • Power-user: Full access to all accounts, no access to organisation-level settings, cannot add new accounts
  • Read-only: Read-only access to all accounts, no access to organisation-level settings
  • Custom: No access by default, can be granted read-only or full access to individual accounts by an organisation admin

Once Conformity has been added to Azure AD, follow the instructions from Step 2 onwards in Configure SSO settings in Conformity.

Take note of the following information to configure self-serve SSO in Conformity:

  1. The Federation metadata XML file downloaded during setup in Step 21.
  2. Object IDs for admin, power-user, read-only, and limited groups.
  3. Each role attribute value is the Object ID of the related group in Azure AD in UUID format.
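The following pre-flight check, added here as an example and not part of Conformity's or Microsoft's own tooling, pulls the IdP entity ID, SSO URL and signing certificate out of the downloaded Federation Metadata XML, validates the {region}:{domain} Relay State value from step 16, and checks that each of the four roles from step 26 has a group Object ID in UUID form. The embedded metadata document is a constructed, trimmed stand-in; a real file from Azure AD is larger but uses the same elements.

```python
import re
import uuid
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REGIONS = {"us-west-2", "ap-southeast-2", "eu-west-1"}   # the three regions named in step 16
ROLES = ("admin", "power-user", "read-only", "custom")  # the four roles listed under step 26

# Constructed, trimmed stand-in for the Federation Metadata XML downloaded in step 20.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pull the IdP entity ID, HTTP-Redirect SSO URL and signing certificate(s) out of the metadata."""
    root = ET.fromstring(xml_text)
    redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{redirect}']", NS)
    certs = [c.text.strip() for c in root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if sso is None or not certs:
        raise ValueError("metadata has no Redirect SSO endpoint or no signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"), "signing_certs": certs}


def validate_relay_state(relay_state):
    """Check the {region}:{domain} Relay State value from step 16."""
    region, sep, domain = relay_state.partition(":")
    if not sep or region not in REGIONS:
        raise ValueError(f"region must be one of {sorted(REGIONS)}")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain.lower()):
        raise ValueError("domain must be the bare domain part of users' e-mail addresses")
    return region, domain.lower()


def validate_role_mapping(mapping):
    """Each Conformity role needs an Azure AD group Object ID in UUID form (step 26 and the closing list)."""
    missing = [r for r in ROLES if r not in mapping]
    if missing:
        raise ValueError(f"no group Object ID for: {missing}")
    # uuid.UUID() rejects anything that is not a well-formed Object ID and normalises the rest
    return {role: str(uuid.UUID(mapping[role])) for role in ROLES}
```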