Overview

This article appplies to SAML for Secure Web Gateway authentication, using Microsoft ADFS as the Identity Provider.  

Umbrella's SAML service requires that the SAML response includes the end users' userPrincipalName (eg. user@domain.local) attribute in the SAML response.  This applies to all IdPs, but some (like ADFS) require manual configuration to allow this.

How To

• In ADFS, select the 'Relying Party Trust' created for Umbrella in 'ADFS > Relying Party Trusts'
• Click on 'Edit Claim Issuance Policy'
• Add a Rule and use claim template 'Send LDAP Attribute as claims'
• Configure the Rule to map the LDAP attribute 'userPrincipalName' to the SAML outgoing claim type 'Name ID' as pictured below.

UPN vs. E-Mail Address

The user's UPN (eg. user@domain.local) typically matches the users' e-mail address.  However, in some cases the user will have an e-mail address that differs (eg. user@externaldomain.tld) to the UPN.   

Umbrella still requires that the IdP send a "Name ID" claim with the UPN value so that this matches the username provisioned in Umbrellas 'Deployments > Users and Groups' page.   Umbrella's user provisioning (such as the Umbrella AD Connector) identify users by their UPN.