This article is specific to configuring the Multi-org or MSP console for Cisco Umbrella to integrate with your specific Single Sign-on (SSO) provider with SAML. This article does not address how to configure SAML in general. For configuration steps, see this article.
SSO for the Multi-Org or MSP console
The Multi-Org and MSP consoles for Cisco Umbrella require additional steps and considerations to implement Umbrella SSO (SAML). The major difference is that the Multi-Org and MSP consoles do not currently support SAML directly from the console; instead, SAML must be enabled in a child organization. To enable SSO for a console admin, follow these steps:
- Create a new child organization named "Single Sign On". This organization will be empty except for SSO users.
- Create a new user in the "Single Sign On" organization. This user will be used to configure SAML and must exist in your identity provider also. You cannot configure SAML using an MSP/Multi-Org Admin.
- Log in to the Umbrella Dashboard as the new "Single Sign On" user.
- Configure SSO (SAML) in this new organization.
- Invite existing administrators into this organization as read only from the child organization dashboard. Upon acceptance, they will now be a member of the management console and this single organization. These users will now be required to sign in via SSO and will no longer have an account password.
- Need assistance adding your users without individual invitation acceptance? Contact our support team!
- Caution: do not enable SSO in any additional organization. Any user who belongs to two SSO-enabled organizations will be locked out.
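The lockout condition in the caution above (a user who is a member of two or more SSO-enabled organizations) is easy to check ahead of time. The following is an added example, not Cisco's code and not an Umbrella API call: it runs over a constructed, hand-written membership export (organization name, whether SAML/SSO is enabled, member emails) and reports which users would be locked out and which organizations other than the designated "Single Sign On" one have SSO enabled. The organization and user names are placeholders.

```python
"""Audit Umbrella child-org memberships for the SSO double-membership lockout.

Added example, not Cisco code. It works on a constructed membership export;
a real audit would feed it the same shape from your own records.
"""
from collections import defaultdict

# Constructed sample data: which orgs have SAML/SSO enabled and who belongs to them.
ORGS = {
    "Single Sign On": {"sso_enabled": True,
                       "members": ["alice@example.com", "bob@example.com"]},
    "Customer A": {"sso_enabled": False,
                   "members": ["alice@example.com", "carol@example.com"]},
    "Customer B": {"sso_enabled": True,   # a second SSO org: the caution case
                   "members": ["bob@example.com"]},
}


def sso_orgs_per_user(orgs):
    """Map each user to the sorted list of SSO-enabled orgs they belong to."""
    result = defaultdict(list)
    for name, org in orgs.items():
        if org["sso_enabled"]:
            for user in org["members"]:
                result[user].append(name)
    return {user: sorted(names) for user, names in result.items()}


def locked_out_users(orgs):
    """Users who belong to two or more SSO-enabled orgs and will be locked out."""
    return sorted(user for user, names in sso_orgs_per_user(orgs).items()
                  if len(names) > 1)


def extra_sso_orgs(orgs, primary="Single Sign On"):
    """SSO-enabled orgs other than the designated one; these are the ones to fix."""
    return sorted(name for name, org in orgs.items()
                  if org["sso_enabled"] and name != primary)


if __name__ == "__main__":
    per_user = sso_orgs_per_user(ORGS)
    for user in locked_out_users(ORGS):
        print(f"LOCKOUT RISK: {user} is in SSO orgs {per_user[user]}")
    for org in extra_sso_orgs(ORGS):
        print(f"Extra SSO-enabled org: {org}")
```

Run before enabling SSO on any additional organization; a non-empty lockout list means the step should be rolled back (or the user removed from one of the SSO organizations) before anyone is locked out.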
Q: Does the SSO in one child organization apply to all logins for the user?
A: Yes. The user must sign in via SSO and cannot access any organizations without authenticating with SSO.
Q: Can I enable SSO on multiple child organizations?
A: Yes; however, we strongly recommend that no more than one child organization be configured for SSO. Add users to the "Single Sign On" organization as read-only users to enforce SSO for any account.
Q: Why read only?
A: This is not required, but enables any account to be added to the organization without the ability to change any settings in this empty organization.
Q: What happens if a user is added to a second organization with SSO enabled?
A: The user will no longer be able to sign in. Remove the user from at least one of the SSO organizations or contact support to restore the user's access.
Q: When configuring SAML, the verification test fails and I am not prompted to log in.
A: This happens when SAML configuration is attempted using an MSP/Multi-Org Admin. First configure SAML using an account which only exists in the "Single Sign On" organization.