Introduction
This article applies to users who want to configure Single Sign-On authentication between the Cisco Umbrella Dashboard and Active Directory Federated Services (AD FS). This article is an appendix to the main AD FS instructions in the Guide to configuring Cisco Umbrella with Active Directory Federation Services (AD FS) version 3.0 using SAML.
This article provides an example of configuring AD FS to allow login with an e-mail address.
By default, AD FS authenticates users based on their User Principal Name (UPN). Often this UPN matches both the user's e-mail address and the Umbrella account e-mail address, therefore no action is required.
However, in some cases a user's e-mail address differs from their UPN, and the additional steps below are required.
Note: This example is provided "as is" based on a working AD FS environment. Umbrella Support is unable to help with the configuration of individual AD FS environments.
Instructions
Step 1 - Allow e-mail address login (optional)
The following PowerShell command configures AD FS to allow the mail attribute to be used as the login ID. Replace <Domain> with the name of your Active Directory domain:
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests <Domain>
This avoids confusion for the end user, since they can use the same username for both systems. After this change, the user will be able to log in as follows:
- Enter the Umbrella username (example: email@domain.tld).
- Enter email@domain.tld or upn@domain.tld as the AD FS username.
If this step is not followed, the end user may need to use a different username for both systems:
- Enter the Umbrella username (example: email@domain.tld).
- Enter upn@domain.tld as the AD FS username.
Step 2 - Edit claims rules (required)
Review the information in our AD FS instructions in the Guide to configuring Cisco Umbrella with Active Directory Federation Services (AD FS) version 3.0 using SAML. The claims rule userPrincipalName to Email address must be deleted and replaced with the rule below called mail to Email address.
This tells AD FS to include the mail attribute in its SAML response:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
The claims rules should be configured in the correct order with mail to Email Address as the first rule:
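The following verification script is added here and is not part of the Cisco article. Run it on the AD FS server after completing Steps 1 and 2; it checks the alternate login ID, the Umbrella relying party's claims rules (presence of the mail rule, absence of the old userPrincipalName rule, and rule order), and that the mail attribute is populated and unique in the directory. It assumes the relying party trust is named "Cisco Umbrella", the domain is corp.example.com, and the ActiveDirectory RSAT module is installed.

```powershell
# Added verification script; not from the Cisco article or from Cisco.
# Assumptions: relying party trust name and domain below are placeholders.
Import-Module ADFS
Import-Module ActiveDirectory

$UmbrellaRpName = "Cisco Umbrella"    # assumed relying party trust name
$Domain         = "corp.example.com"  # assumed Active Directory domain

# 1. Step 1 check: the AD claims provider must use 'mail' as alternate login ID.
$cpt = Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY"
if ($cpt.AlternateLoginID -ne "mail") {
    Write-Warning "AlternateLoginID is '$($cpt.AlternateLoginID)'; expected 'mail'."
}
Write-Output "LookupForests: $($cpt.LookupForests -join ', ')"

# 2. Step 2 check: inspect the issuance transform rules of the Umbrella trust.
$rp    = Get-AdfsRelyingPartyTrust -Name $UmbrellaRpName
$rules = [string]$rp.IssuanceTransformRules

if ($rules -match 'query = ";userPrincipalName;\{0\}"') {
    Write-Warning "A userPrincipalName to Email address rule is still present; remove it."
}

$mailPos = $rules.IndexOf(';mail;')
if ($mailPos -lt 0) {
    Write-Warning "No rule issuing the emailaddress claim from the mail attribute was found."
} else {
    # Each rule contains exactly one 'issue(' before its query string, so if more
    # than one 'issue(' precedes ';mail;' the mail rule is not the first rule.
    $issuesBefore = ([regex]::Matches($rules.Substring(0, $mailPos), 'issue\(')).Count
    if ($issuesBefore -gt 1) {
        Write-Warning "'mail to Email address' is not the first claims rule."
    }
}

# 3. Directory hygiene: a user with no mail attribute cannot log in by e-mail,
#    and duplicate mail values make the alternate login ID lookup ambiguous.
$users = Get-ADUser -Filter * -Properties mail -Server $Domain
$users | Where-Object { -not $_.mail } |
    ForEach-Object { Write-Warning "No mail attribute: $($_.SamAccountName)" }
$users | Where-Object { $_.mail } | Group-Object -Property mail |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "mail '$($_.Name)' is set on $($_.Count) accounts" }
```

The script only reads configuration and directory data; it changes nothing, so it can be re-run after each correction until no warnings are printed.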