Zero Trust Secure Access (ZTSA) Internet Access identifies users based on the User Principal Name (UPN), not the email address. If your IdP sends an email address instead of a UPN in the SAML response, the rule match fails. Configure your IdP to send the UPN in the NameID field. Once the configuration is complete, ask the end user to log out and re-authenticate.

Microsoft Entra ID (formerly Azure AD)

Procedure

  1. Log in to the Microsoft Entra admin center.
  2. Navigate to Enterprise applications and select your application for Trend Vision One.
  3. In the left menu, select Single sign-on.
  4. In the Attributes & Claims section, click Edit.
  5. Locate the Unique User Identifier (Name ID) claim.
  6. Click on it to edit and change the Source attribute to user.userprincipalname.
  7. Save your changes.

Microsoft AD FS (Active Directory Federation Services)

Procedure

  1. Open Server Manager and navigate to Tools > AD FS Management.
  2. In the left pane, expand AD FS and select Relying Party Trusts.
  3. Right-click your trust for Trend Vision One (the identifier usually starts with https://signin.v1.trendmicro/saml...) and select Edit Claim Issuance Policy.
  4. Select the rule responsible for sending the Name ID.
  5. Configure the rule as follows:
    • Claim rule template: Transform an Incoming Claim
    • Incoming claim type: UPN
    • Outgoing claim type: Name ID
    • Outgoing name ID format: Email
  6. Click Finish and then OK to save.
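
To confirm the change with either IdP after the user re-authenticates, the following added example (not Trend Micro or Microsoft code) decodes a SAMLResponse form value captured from your own browser session and compares its NameID with the user's UPN. The sample identities and the helper names are constructed for illustration, and the script inspects the value only; it does not validate the response signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def extract_name_id(saml_response_b64):
    """Return (value, Format) of the NameID in a base64 SAMLResponse form field."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # Diagnostic parsing only: refuse DTDs; no signature is checked here.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML response; refusing to parse")
    node = ET.fromstring(xml_bytes).find(".//saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("no readable NameID (assertion may be encrypted)")
    return node.text.strip(), node.get("Format")

def check_name_id(saml_response_b64, expected_upn):
    """Compare the NameID the IdP sent with the user's UPN from the directory."""
    value, fmt = extract_name_id(saml_response_b64)
    return {
        "name_id": value,
        "format": fmt,
        # Assumption: compared case-insensitively; tighten if your rules differ.
        "matches_upn": value.lower() == expected_upn.lower(),
    }

def build_sample(name_id):
    """Constructed minimal response for the demo; real ones carry far more."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>"
        f'<saml:NameID Format="{EMAIL_FORMAT}">{name_id}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

# Constructed sample identities: this user's UPN and mail address differ.
UPN = "asmith@corp.example.com"
MAIL = "alice.smith@example.com"

if __name__ == "__main__":
    for sent in (MAIL, UPN):  # before and after the IdP change
        print(check_name_id(build_sample(sent), UPN))
```

Both sample responses carry the Email name ID format, as the AD FS rule above configures, so the Format attribute alone does not show whether the IdP sent a UPN; compare the value itself.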