The Umbrella SAML certificate, which Umbrella SWG uses for user identification, will expire on the 23rd December 2019. The certificate must be renewed before then; otherwise users will be unable to authenticate once it expires on the 23rd and will therefore be unable to browse via the Umbrella proxy.
Steps for renewing the certificate are below.
Option 1 (Recommended)
Use either the Umbrella SAML metadata or the updated certificate attached to this bulletin to update the Umbrella certificate on your Identity provider system. The Umbrella SAML metadata has been updated with a new certificate which is valid for two years.
Option 2
To renew the SAML certificate you can also delete your SAML IdP configuration and re-add it using the updated Umbrella SAML metadata.
Important Note: While the identity provider is deleted and being reconfigured, users will be unable to authenticate. It is therefore recommended that, before proceeding, you disable SAML in all your SWG policies and re-enable it once complete.
1. Disable SAML authentication in all Umbrella SWG policies.
2. Delete the current Umbrella SWG SAML identity provider (Deployments > Configurations > SAML configuration).
3. Reconfigure the Umbrella SWG identity provider. The Umbrella metadata file has been updated with the new certificate valid for two years. It is important that the new updated Umbrella metadata is used when configuring your identity provider to ensure you have the latest certificate (documentation: https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/configure-your-saml-idp).
4. Once complete, use the ‘Test SAML’ option to confirm the setup and authentication process completes successfully.
5. Re-enable SAML in the Umbrella SWG policies which were previously disabled in step 1.
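Added example (not part of the original bulletin or any Cisco tooling): one way to confirm, after either option, that the certificate your identity provider holds for Umbrella is the one published in the updated metadata, by comparing SHA-256 fingerprints. The function names, the placeholder entityID and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample data: placeholder bytes, not real certificates; placeholder entityID.
NEW_DER = b"constructed placeholder: renewed SP certificate"
OLD_DER = b"constructed placeholder: expiring SP certificate"

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def metadata_fingerprints(metadata_xml: str) -> dict:
    """Map SHA-256 fingerprint -> KeyDescriptor 'use' for each cert in SP metadata."""
    found = {}
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # metadata wraps base64 over lines
            der = base64.b64decode(b64, validate=True)
            found[fingerprint(der)] = kd.get("use", "unspecified")
    return found

def pem_to_der(pem: str) -> bytes:
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and "-----" not in ln]
    return base64.b64decode("".join(body), validate=True)

def idp_has_current_cert(metadata_xml: str, idp_cert_pem: str) -> bool:
    """True if the cert stored at the IdP is one the current metadata publishes."""
    return fingerprint(pem_to_der(idp_cert_pem)) in metadata_fingerprints(metadata_xml)

def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sample_metadata(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    wrapped = "\n      ".join(b64[i:i + 24] for i in range(0, len(b64), 24))
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.invalid/saml"><md:SPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {wrapped}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:SPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    for name, der in (("renewed", NEW_DER), ("expiring", OLD_DER)):
        print(name, idp_has_current_cert(sample_metadata(NEW_DER), to_pem(der)))
```

To use it on real data, export the certificate your identity provider currently stores for Umbrella as PEM and pass it together with the downloaded metadata XML.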