Using SAML for Single Sign-on to Umbrella
Cisco Umbrella supports Security Assertion Markup Language or SAML. This allows you to provide single sign-on (SSO) access to your Umbrella dashboard using enterprise identity providers such as Okta, OneLogin, and Ping Identity. SAML SSO is available to all Cisco Umbrella users.
Implementing single sign-on via SAML means that the login process and user authentication are handled entirely outside of Umbrella. Umbrella administrators and users log into their single sign-on SAML provider and click an application to launch the Umbrella dashboard and are automatically logged in.
Typically, you choose a SAML service (such as Okta) but you can build a SAML server yourself, in-house (with OpenAM for instance). You'll need to set these up yourself outside of Umbrella, but we do provide instructions for how to configure Umbrella to work with Okta, OneLogin, Ping Identity, and other providers as we introduce support for individual SSO/SAML providers.
Any changes made in your SSO provider are immediately synced with Umbrella. If you add an account or change a password in your SSO provider, it is immediately reflected in your login. Only the username (email address) is stored in Umbrella.
NOTE: SAML for Umbrella is only tied to authentication. It is not tied to the authorization for a user's access level within the Umbrella dashboard, such as whether the user is an Administrator or a Read-Only user. The user access role is set independently within the Accounts section of the dashboard.
How SAML for Umbrella Works
SAML for Umbrella works the way SAML does with all other service providers. From a high level, all the users in your organization have their authentication managed by the SSO, or identity provider (IdP). Umbrella establishes a trust relationship with the IdP and then allows them to authenticate and seamlessly log into Umbrella. Effectively, once a user has authenticated to the SSO IdP, they can automatically log in via the app (in the case of a service such as Okta).
Important Information about SAML Implementation and Changes to Umbrella
By changing the way in which users log into Umbrella, several key things will happen that you should be aware of:
- Block Page Bypass (BPB) Users will no longer work to bypass block pages or authenticate in any capacity to Umbrella. A BPB user is a user just like any other in Umbrella, but because of the way authentication is now handled by the SAML SSO, it cannot be used to bypass block pages. Instead, you must use BPB codes. For more information, read here.
- If you update dynamic IPs, you will no longer be able to use the Updater client. Instead, a cURL or wget method can be used along with an Update-Only password which can be generated by Support. To get an update-only password, contact us at firstname.lastname@example.org.
- When you enable SAML for Umbrella, every user with a registered account in Cisco Umbrella will receive an email alerting them to this change and letting them know to log in via the SSO provider. So, please only make the change when your organization's staff is ready to commit to the change.
- If for some reason a user of Umbrella is not configured in the SAML SSO provider, they will not be able to log in until they are added to the SSO provider. We ask that you add every user that you wish to log into the dashboard to your SAML SSO provider.
- If you disable SAML integration in the future, every user of your organization's Umbrella dashboard will receive an email asking them to reset their passwords. Their previous passwords are not restored and must be reset.
- If you are an MSP: SAML is organization-specific and can't be managed globally by nature of the way it's designed. Thus, you cannot enable SAML for a customer's dashboard using the MSP Administrator account. Instead, an account belonging to the client organization directly must be used in order to enable SAML. Once enabled, this account will also become SAML-enabled, and thus should be present on the client's IdP. This also means that a unique account must be used per client IdP.
To add a new account to an organization, log into the customer dashboard, and go to Settings > Accounts.
- If you are an admin for the Multi-Org Console If you are an admin for the Multi-Org Console: SAML is organization-specific and can't be managed globally by nature of the way it's designed. Unfortunately, this means it's not possible to add SAML directly to the entire Multi-org Console for Umbrella. Instead, an account belonging to the individual org directly must be used to enable SAML. Once enabled, this account will also become SAML-enabled, and thus should be present on the sub-org's IdP. This also means that a unique account must be used per client IdP.
To add a new account to an organization, log into the sub-organization's dashboard, and go to Settings > Accounts.
- If you are using the Umbrella dashboard API for any reason, please contact Support as the method for generating valid API tokens will change when SAML is enabled.
Configuring your SAML Implementation
Currently, Umbrella supports the SAML providers Okta, OneLogin, and Ping Identity. We have instructions for ADFS v3.0, although most of this configuration is done within Windows Server. We also have the ability to set up SAML for "Other", which is a generic catch-all for any SAML/SSO provider whereby Umbrella provides the SAML 2.0 metadata and you are expected to configure your SAML provider to send an appropriate SAML assertion back to Umbrella.
To set up SAML for Cisco Umbrella with Okta, please read this article.
To set up SAML for Cisco Umbrella with Ping Identity, please read this article.
To setup SAML for Cisco Umbrella with OneLogin, please read this article.
To set up SAML for Cisco Umbrella with Active Directory Federated Services v3.0, please read this article.
To set up SAML for Other SAML providers, please read this article.