Service Notification - OneLogin Security Incident - 2017-06-02

Summary

Cisco has recently learned of a data incident involving an optional authentication feature for Cisco Umbrella, called OneLogin. While we have no indication that data associated with Cisco Umbrella accounts has been affected, we have taken precautionary steps to protect users who have this authentication feature enabled.  As of today, we have disabled single sign-on (SSO) for any OneLogin accounts with certificates older than May 31, 2017 and are requiring passwords to be reset.

Accounts with metadata newer than May 31st have not been disabled, but if you have not followed the remediation steps outlined by OneLogin, you should disable SAML and follow the steps below.

Actions that will be required from users are noted below. We apologize for any inconvenience or concern this issue may have caused.  For more information about this security incident, read: 

https://www.onelogin.com/blog/may-31-2017-security-incident

Recovery Steps

Step 1 - Reset your password

You should have received a password reset email from Cisco Umbrella stating that SAML based SSO has been disabled for your organization. That email will contain a link to reset your password with Cisco Umbrella. Once you’ve reset your password, verify that you can access your Umbrella Dashboard.

If you have not received this email, you can manually reset your password from the Umbrella login page by clicking on the “Forgot your password?”

https://login.umbrella.com/

Step 2 - Follow remediation steps from OneLogin

OneLogin has remediation steps accessible only to OneLogin customers at the following URL:

https://support.onelogin.com/hc/en-us/articles/115002695483-2017-05-31-OneLogin-Security-Incident-Action-Required?flash_digest=baa8324f167571e72c4a4f9c8ca0987ea884316e

These steps should be followed in full prior to proceeding, in particular the section titled “Generate new certificates for your apps that use SAML SSO”.

Step 3 - Re-enable SAML SSO using the new metadata

Once the above remediation steps have been completed, please follow the normal instructions to re-enable SAML SSO integration with OneLogin, using the newly-created metadata:

https://support.umbrella.com/hc/en-us/articles/230649207-Cisco-Umbrella-SAML-Integration-OneLogin-Instructions

We are committed to transparency in the event of security incidents such as this.  We continue to work closely to investigate this incident, and we will provide a update if new information is found that our customers need to be aware of. 

Please do not hesitate to contact us with any questions at umbrella-support@cisco.com