Cisco Umbrella SAML Integration for NetIQ – Overview

This article is specific to configuring Cisco Umbrella to integrate with NetIQ for Single Sign-on (SSO) with SAML. Configuring SAML with NetIQ differs from our other SAML integrations as it's not a one or two click process in the wizard, but requires changes in NetIQ to work correctly. 

Below are detailed modifications you will need to make in order to get SAML and NetIQ working together.  As such, the information below is provided "as is" and was developed in conjunction with existing customers. Available support for this solution is limited and Cisco Umbrella support is unable to assist beyond the general outline given here. 

For more information on how SAML integration works with Umbrella, read our review here: Get Started with Single Sign-On

Prerequisites

You can find steps to get through the initial SAML setup here: Identity Integrations: Prerequisites. Once you complete those steps which include downloading the Cisco Umbrella metadata, you can continue using the NetIQ specific instructions below to complete the configuration.  

The metadata can be found in the Cisco Umbrella SAML setup wizard under step 2 (Settings > Authentication > SAML)

How To

Import Metadata and Cisco Umbrella Certificate

 First, open the Cisco Umbrella metadata (downloaded in the prerequisites) in a text editor and extract the X509 certificate.  The certificate begins with ds:X509Certificate and ends with /ds:X509Certificate - just copy from the very beginning to the end.

Save this new file as CiscoUmbrella.cer.  

Next, we'll want to convert the x509 certificate to PKCS7 / PEM.  Methods for this vary, but this command should do the trick:

openssl x509 -in CiscoUmbrella.cer -out CiscoUmbrella.pem -outform PEM

Next, in NetIQ, launch NAM under Trusted Roots

Select New > Browse and Import CiscoUmbrella.pem

Next, we'll want to create an Attribute Group. 

Go to Identity Servers > NetIQ NAM. Click Attribute Sets. Select New and map the LDAP Attributes:

Next, we'll want to create a new Trust Provider.

Go to the IDP General Tab and select SAML 2.0.  Then, select Create New Trust Provider.

Select the Attribute you just created and choose Send with Authentication. For Authentication Response choose Post Binding, Persistent, Transient and Unspecified.

Select LDAP Attribute: mail [LDAP Attribute Profile] and make it default

Next, navigate to to Configuration > Intersite Transfer Service.  Give it a name like Cisco Umbrella SAML and add the Cisco Umbrella SSO login URL as a Target (https://login.umbrella.com/sso).

Next, go to Configuration > Options and choose Kerberos as the Selected contracts:

Open the Cisco Umbrella Metadata file.  Update the EntityDescription field vaildUntil date to a future data, ie. 2020-12-10T20:50:59Z  (as in the screenshot below).

Go back to NetIQ > Metadata and import the updated metadata file.

Next, we'll need to add a class to the assertion. The Cisco Umbrella assertion requires the class

"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

Go to Local> Contracts and select Secure Name/Password and add to Allowable Class field, then add the class above:

Update Identity Services and Access Gateways to ensure they are valid and up to date, then download the NetIQ metadata.

The last step is to use the downloaded metadata to run through the Cisco Umbrella's "Other" SAML wizard.  Step 3 is where you'll be asked to upload the metadata: