browse
Cisco Umbrella now supports provisioning user and group identities from Azure Active Directory and Okta. These integrations are based on the SCIM standard.
Use cases supported:
a. Umbrella SWG:
- Import user and group identities from Azure AD/Okta in conjunction with setting up SAML authentication against Azure AD/Okta for end users that are connecting to SWG via an IPsec tunnel, PAC files or proxy chaining.
- Import user and group identities from Azure AD to enable user identification for the AnyConnect SWG module on devices that are authenticating against on-prem AD or Azure AD.
- Import user and group identities from Okta to enable user identification for the AnyConnect SWG module on devices that are authenticating against on-prem AD.
b. Umbrella DNS:
- Import user and group identities from Azure AD to enable user identification for AnyConnect DNS module/Roaming Client on devices that are authenticating against on-prem AD or Azure AD.
- Import user and group identities from Okta to enable user identification for AnyConnect DNS module/Roaming Client on devices that are authenticating against on-prem AD.
Constraints:
- Azure AD/Okta cannot provide user identity integration for Umbrella Virtual Appliances (VAs). This is because Azure AD/Okta does not have visibility of the private IP – user mappings, which are required by the VAs. VA deployments will continue to require deployment of an on-premise Umbrella AD connector to facilitate AD integration.
- Concurrent deployment of the same user/group identities from on-premise AD and Azure AD/Okta is not supported. If customer has previously deployed an on-premise AD connector to provision users and groups, and is now looking to provision the same user and group identities from Azure AD/Okta, they will mandatorily need to stop the AD connector before turning on the Azure AD/Okta provisioning.
- There is no limit to the number of users that can be provisioned from Azure AD/Okta. For groups, a maximum of 200 groups can be provisioned from Azure AD/Okta to an Umbrella org. Azure AD supports dynamic groups, so customer can create an ‘All Users’ group, and provision this group along with up to 199 other groups on which they want to define Umbrella policy. Okta similarly has a built-in Everyone group, so customer can provision this group along with up to 199 other groups on which they want to define policy.
- AnyConnect SWG does not support a SAML authentication against Azure AD. It relies on the same passive authentication mechanism that is used with the on-premise AD.
To provision identities from either of these Identity providers, you can follow the instructions documented at the links below:
- Provision identities from Azure AD: https://docs.umbrella.com/umbrella-user-guide/docs/microsoft-azure-ad-integration
- Provision identities from Okta: https://docs.umbrella.com/umbrella-user-guide/docs/okta-integration