Some Frequently Asked Questions about Integrations
Q: Do you use encryption for the SAML request or response?
A: No, SAML requests are sent unencrypted and SAML responses to Umbrella should also be sent unencrypted.
Q: Is the SAML request signed?
A: As of December 2018, all new SAML setups on the Umbrella dashboard have signing turned on by default; however, existing users will have signing disabled until they set up SAML again. The certificate used to sign the SAML request is available in the metadata, and is also available as the file opendns_cert.crt at the bottom of this article.
Q: Should the SAML response be signed?
A: Yes, either the entire response should be signed, or the relevant Assertion should be signed.
Q: What type of binding should be used?
A: The SAML request uses HTTP Redirect Binding. The SAML Response uses HTTP POST Binding.
Q: Are any attributes required on the assertions in the metadata?
A: No, no attributes are required.
Q: What ID or account name must be used for sign on?
A: Email address is required. If there is an option to specify a name ID format, choose email address. An email address attached as a response attribute is not expected to work.
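The answers above (unencrypted response, signature on the Response or the Assertion, email address as the NameID) can be checked structurally on a response captured from your own test login. This is an added example, not Umbrella's code: the function names, the sample XML and the empty placeholder Signature element are constructed, and the check does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(xml_text):
    """Return a list of structural problems; an empty list means none found."""
    root = ET.fromstring(xml_text)  # intended for a response you captured yourself
    problems = []
    # Responses should be sent unencrypted.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion")
        return problems
    # Either the whole Response or the Assertion must carry a signature.
    # Only presence is checked here, not cryptographic validity.
    if (root.find("ds:Signature", NS) is None
            and assertion.find("ds:Signature", NS) is None):
        problems.append("neither Response nor Assertion is signed")
    # The sign-on identity must be an email address in the NameID.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
        return problems
    fmt = name_id.get("Format")
    if fmt is not None and fmt != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    if "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    return problems

def sample(signature="<ds:Signature/>", fmt=EMAIL_FORMAT, name="user@example.com"):
    """Constructed Response skeleton; the Signature is an empty placeholder."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}"><saml:Assertion>{signature}'
        f'<saml:Subject><saml:NameID Format="{fmt}">{name}</saml:NameID>'
        f'</saml:Subject></saml:Assertion></samlp:Response>'
    )

if __name__ == "__main__":
    print(check_response(sample()))
    print(check_response(sample(signature="", name="jdoe")))
```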
Q: When importing XML from the Umbrella dashboard, is this a local or remote metadata? Should it expire?
A: The XML is currently designed as local metadata. If your SAML provider treats the loaded metadata as remote or respects the expiration date, remove the expiration date from the Umbrella XML before importing.