Deep Security 10.1 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.
SAML claims structure
The following SAML claims are supported by Deep Security :
- Deep Security user name (required)
- Deep Security user role (required)
- Maximum session duration (optional)
- Preferred language (optional)
Deep Security user name (required)
The claim must have a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName and a single AttributeValue element. The Deep Security Manager will use the AttributeValue as the Deep Security user name.
Sample SAML data (abbreviated)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<AttributeStatement>
<Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/RoleSessionName">
<AttributeValue>alice</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</samlp:Response>
Deep Security user role (required)
The claim must have a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/Role and between one and ten AttributeValue elements. The Deep Security Manager uses the attribute value(s) to determine the tenant, identity provider, and role of the user. A single assertion may contain roles from multiple tenants.
Sample SAML data (abbreviated)
The line break in the AttributeValue element is present for readability; in the claim it must be on a single line.
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<AttributeStatement>
<Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/Role">
<AttributeValue>urn:tmds:identity:[pod ID]:[tenant ID]:saml-provider/[IDP name],
urn:tmds:identity:[pod ID]:[tenant ID]:role/[role name]</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</samlp:Response>
Maximum session duration (optional)
If the claim has a SAML assertion that contains an Attribute element with a Name attribute of https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration and an integer-valued AttributeValue element, the session will automatically terminate when that amount of time (in seconds) has elapsed.
Sample SAML data (abbreviated)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<AttributeStatement>
<Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/SessionDuration">
<AttributeValue>28800</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</samlp:Response>
Preferred language (optional)
If the claim has a SAML assertion that contains an Attribute element with the Name attribute of https://deepsecurity.trendmicro.com/SAML/attributes/PreferredLanguage and a string-valued AttributeValue element that is equal to one of the supported languages, the Deep Security Manager will use the value to set the user's preferred language.
The following languages are supported:
- en-US (US English)
- ja-JP (Japanese)
- zh-CN (Simplified Chinese)
Sample SAML data (abbreviated)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<AttributeStatement>
<Attribute Name="https://deepsecurity.trendmicro.com/SAML/Attributes/PreferredLanguage">
<AttributeValue>en-US</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</samlp:Response>
