This article is specific to configuring the Multi-org or MSP console for Cisco Umbrella to integrate with your specific Single Sign-on (SSO) provider with SAML. This article does not address how to configure SAML in general. For configuration steps, see this article.
SSO configuration is not available for any accounts that are part of an MSSP, PPoV, or other console that uses the Cisco OneIdentity login. If you currently log in via the Cisco OneIdentity partner portal, you cannot use another SSO provider. Access to Umbrella is defined by the access level on the Cisco partner account (level 3).
SSO for the Multi-Org or MSP console
The Multi-Org and MSP consoles for Cisco Umbrella require additional steps and considerations to implement Umbrella SSO (SAML). The major difference is that the Multi-Org and MSP consoles do not currently support SAML directly from the console; SAML must instead be enabled in a child organization. To enable SSO for a console admin, follow these steps:
- Create a new child organization named "Single Sign On". This organization will be empty except for SSO users.
- Create a new user in the "Single Sign On" organization. This user will be used to configure SAML and must also exist in your identity provider. You cannot configure SAML using an MSP/Multi-Org Admin without also adding that admin to the child organization directly.
  - Errors may include a "File Not Found" message.
  - Double check that the currently logged-in user is an admin listed under Admin -> Accounts on the dashboard in which you are configuring SSO.
- Log in to the Umbrella Dashboard as the new "Single Sign On" user.
- Configure SSO (SAML) in this new organization.
- Invite existing administrators into this organization as read-only users from the child organization dashboard. Upon acceptance, they will be members of both the management console and this single organization. These users will now be required to sign in via SSO and will no longer have an account password.
- Ensure that you do not add a given user to more than one SSO-enabled child organization. Doing so locks the user out of the dashboard completely until another admin removes them from the second SSO-enabled organization.
Q: Can I use my own SSO if I have an MSSP or Partner portal?
A: No. You must use the Cisco OneIdentity partner portal. Access to Umbrella is determined by your OneIdentity access level. Revoked or disabled accounts do not have access to Umbrella.
Q: Does the SSO in one child organization apply to all logins for the user?
A: Yes. The user must sign in via SSO and cannot access any organizations without authenticating with SSO.
Q: Can I enable SSO on multiple child organizations?
A: Yes; however, we strongly recommend that no more than one child organization be configured for SSO. Add users to the Single Sign On organization as read-only users to enforce SSO for any account.
Q: Why read only?
A: Read-only is not required, but it allows any account to be added to the organization without the ability to change any settings in this empty organization.
Q: What happens if a user is added to a second organization with SSO enabled?
A: The user will no longer be able to sign in. Remove the user from at least one of the SSO organizations or contact support to restore the user's access.
Q: When configuring SAML, the verification test fails. I am not prompted to log in. A "FILE NOT FOUND" error might be seen.
A: This happens when SAML configuration is attempted using an MSP/Multi-Org Admin. Configure SAML using an account which exists in the "Single Sign On" organization.