Microsoft Entra ID SAML SSO Integration
This page describes how to add Trend Micro Cloud One™ – Conformity as a custom SAML 2.0 application in Microsoft Entra ID.

To add Conformity as a Microsoft Entra enterprise application and enable SAML single sign-on:
1. Sign in to the Azure Portal as an administrator.
2. Navigate to Microsoft Entra ID.
3. Open Enterprise Applications.
4. Click + New application.
5. Click + Create your own application.
6. Enter a name in the Name field, for example "Conformity".
7. Select "Integrate any other application you don't find in the gallery".
8. Click "Create".
9. After the application is created, upload this logo under the "Properties" section and save it.
10. In the "Users and groups" section, assign the groups you would like to have access to Cloud Conformity.
11. Open the "Single sign-on" section.
12. Select "SAML-based Sign-on".
13. Edit "Basic SAML Configuration".
14. Identifier: enter "https://www.cloudconformity.com"
15. Reply URL: enter "https://www.cloudconformity.com/v1/proxy/sso/saml/consume"
16. Relay State: enter {region}:{domain}, depending on your region of service and email domain:
   - {region} is your region of service, i.e. one of the three regions us-west-2, ap-southeast-2, or eu-west-1.
   - {domain} is the domain part of your users' email addresses, e.g. us-west-2:your-company.com
17. Edit "User Attributes & Claims".
18. Select "user.mail" as the source attribute of the "Unique User Identifier" field.
19. Verify that the following additional claims are present:
   - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress - value: user.mail
   - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - value: user.givenname
   - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name - value: user.userprincipalname
   - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname - value: user.surname
20. Under "SAML Signing Certificate", download the Federation Metadata XML file; it is needed for the SSO configuration in Conformity.
21. In the top search bar, search for App Registrations.
22. Select the All Applications tab and select the application you created in Step 5 of this guide, i.e. "Cloud Conformity".
23. Click Manifest to open the Manifest Editor.
24. Change `groupMembershipClaims` from `null` to `"SecurityGroup"`, i.e. `"groupMembershipClaims": "SecurityGroup"`.
25. Save the manifest.
Set Role Groups in Azure to match Conformity Role Mappings
Each of the four Conformity roles should have a group defined in Microsoft Entra ID. Open each group under "Users and groups" and take note of its "Object ID"; these are used to automatically map Microsoft Entra groups to Cloud Conformity roles. The roles supported by Conformity are:
- Admin: Organisation admin, full access to everything
- Power-user: Full access to all accounts, no access to organisation-level settings, cannot add new accounts
- Read-only: Read-only access to all accounts, no access to organisation-level settings
- Custom: No access by default, can be granted read-only or full access to individual accounts by an organisation admin
Once Conformity has been added to Microsoft Entra ID, follow the instructions from Step 2 onwards in Configure SSO settings in Conformity.
Take note of the following information to configure self-serve SSO in Conformity:
- The Federation Metadata XML file downloaded during setup in Step 20.
- Object IDs for the admin, power-user, read-only, and limited groups.

Each role attribute value is the Object ID of the related Microsoft Entra group, in UUID format.

The claim names for each of the key attributes are as follows:
- First name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Email address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Role: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
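The claim names above, together with the group Object IDs, are the whole contract between Entra and Conformity: the name claims must be present, and every value in the groups claim must be a UUID that matches one of the four role groups. The script below is an added example (not Conformity's own role-mapping code) that reads a constructed SAML AttributeStatement, checks those conditions and resolves the user's Conformity roles. The placeholder Object IDs in ROLE_GROUPS, the sample user and the function names are assumptions of this example; in a real setup the Object IDs come from each group's page under "Users and groups".

```python
"""Validate the claims Conformity expects and map Entra group Object IDs to
Conformity roles (added example with constructed sample data)."""
import uuid
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names Conformity reads, as listed on the page.
CLAIM_GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed placeholder Object IDs, one per Conformity role. In practice copy
# each group's Object ID from "Users and groups" in Entra ID.
ROLE_GROUPS = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "22222222-2222-2222-2222-222222222222": "power-user",
    "33333333-3333-3333-3333-333333333333": "read-only",
    "44444444-4444-4444-4444-444444444444": "custom",
}

# Constructed AttributeStatement: the user is in the read-only group and in one
# unrelated group that maps to no Conformity role.
SAMPLE_ATTRIBUTE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{NS['saml']}">
  <saml:Attribute Name="{CLAIM_GIVEN_NAME}"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIM_SURNAME}"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIM_EMAIL}"><saml:AttributeValue>ada@your-company.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIM_GROUPS}">
    <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
    <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def read_claims(xml_text: str) -> dict:
    """Map each attribute Name in the statement to its list of string values."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    return claims


def is_object_id(value: str) -> bool:
    """Entra group Object IDs are UUIDs; anything else cannot be a role mapping value."""
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def resolve_roles(claims: dict, role_groups: dict) -> dict:
    """Check the required claims and translate group Object IDs into Conformity roles."""
    missing = [n for n in (CLAIM_GIVEN_NAME, CLAIM_SURNAME, CLAIM_EMAIL) if not claims.get(n)]
    if missing:
        raise ValueError(f"assertion is missing required claims: {missing}")
    if CLAIM_GROUPS not in claims:
        # Entra emits the groups claim only once groupMembershipClaims is set in the manifest.
        raise ValueError("no groups claim: check groupMembershipClaims in the app manifest")
    groups = claims[CLAIM_GROUPS]
    malformed = [g for g in groups if not is_object_id(g)]
    if malformed:
        raise ValueError(f"groups claim values are not Object IDs (UUIDs): {malformed}")
    # Compare case-insensitively so a mapping pasted from the portal matches either way.
    lookup = {k.lower(): v for k, v in role_groups.items()}
    roles = sorted({lookup[g.lower()] for g in groups if g.lower() in lookup})
    return {
        "email": claims[CLAIM_EMAIL][0],
        "first_name": claims[CLAIM_GIVEN_NAME][0],
        "last_name": claims[CLAIM_SURNAME][0],
        "roles": roles,  # an empty list means the user gets no Conformity access
    }


if __name__ == "__main__":
    user = resolve_roles(read_claims(SAMPLE_ATTRIBUTE_STATEMENT), ROLE_GROUPS)
    print(user)
```

Groups that are not in the mapping are simply ignored, which is the behaviour you want when the same Entra user belongs to many unrelated groups; a user in none of the four role groups ends up with an empty role list rather than a default role.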