This article covers only the additional configuration needed for the Multi-Org or MSP console of Cisco Umbrella to integrate with your Single Sign-On (SSO) provider over SAML. It does not explain how to configure SAML in general; for the general SAML configuration steps, see this article.
SSO for the Multi-Org or MSP console
The Multi-Org and MSP consoles for Cisco Umbrella require additional steps and considerations to implement Umbrella SSO (SAML). The major difference is that these consoles do not currently support configuring SAML directly from the console itself; SAML must instead be enabled in a child organization. To enable SSO for a console admin, follow these steps:
- Create a new child organization named "Single Sign On". This organization will remain empty except for the SSO users.
- Configure SSO (SAML) in this new organization.
- From the child organization's dashboard, invite the existing console administrators into this organization with the read-only role. Upon acceptance, each user is a member of both the management console and this single organization. From that point on, these users must sign in via SSO and no longer have an account password, so the identity provider is their only authentication path to the console.
- Need assistance adding your users without individual invitation acceptance? Contact our support team.
- Caution: do not enable SSO on any additional organizations. Any user who belongs to two SSO-enabled organizations will be locked out.
Q: Does the SSO in one child organization apply to all logins for the user?
A: Yes. The user must sign in via SSO and cannot access any organizations without authenticating with SSO.
Q: Can I enable SSO on multiple child organizations?
A: Yes; however, we strongly recommend that no more than one child organization be configured for SSO. Add users to the Single Sign On organization as read-only users to enforce SSO for any account.
Q: Why read only?
A: The read-only role is not required, but it allows any account to be added to the organization without gaining the ability to change any settings in this otherwise empty organization.
Q: What happens if a user is added to a second organization with SSO enabled?
A: The user will no longer be able to sign in. Remove the user from at least one of the SSO-enabled organizations, or contact support to restore the user's access.