“UPN Not Configured” Error – 26th November 2021
On 26th November 2021 the certificate used by Secure Web Gateway for signing SAML requests expired. Customers who have not taken action may receive...
- an Umbrella-branded “UPN Not Configured” error when browsing the web through SWG;
- or, some other error presented by the customer's Identity Provider.
This is a generic error that can occur for a number of reasons. In this scenario the error happens because the Identity Provider (IdP) does not trust the new Umbrella certificate.
New user logons for SWG will fail, blocking internet access. This does not necessarily apply to all users but will be triggered when:
- A user's session expires due to the configured re-authentication interval (e.g. daily)
- A new user logs on
- A user clears the browser cache or uses a new browser.
Ensure the new certificate has been imported to the Identity Provider. Cisco do not document the exact instructions for updating the certificate, because the steps required differ for each IdP platform. We strongly recommend contacting your IdP vendor for information about how to renew signing certificates in their platform.
It is important to remember that not all identity providers actually validate the signing certificate and no action is needed if authentication is working after 26th November.
Ensure the Certificate Revocation List (CRL) server addresses are accessible to the Identity Provider. Umbrella now use a different Certificate Authority so ensure the following CRL/OCSP addresses are available to the IdP server:
Microsoft ADFS Instructions
Microsoft ADFS is a popular IdP which is known to validate request signatures. The certificate can be updated as follows:
- Open ‘AD FS’ management
- Expand ‘Relying Party Trusts’ and locate the RP for Umbrella SWG
- Right-click on the ‘Relying Party’ in ADFS and select ‘Properties’
- Upload the new certificate on the ‘Signature’ tab
If you choose to reconfigure ADFS from scratch using the provided metadata (not recommended) you will also need to re-create the required Claims Map to prevent SAML authentication errors. A missing claims map will also cause a “UPN Not Configured” error.
Multiple Certificate Handling
The metadata provided by Cisco includes multiple certificates, and Cisco takes steps to allow a seamless certificate rollover, provided that the Identity Provider trusts both the old and the new certificate.
In some cases an Identity Provider might not support multiple certificates. If you continue to experience authentication errors, we recommend the following:
- Delete the gateway.id.swg.umbrella.com certificate which expired on 26th November 2021
- Ensure the current gateway.id.swg.umbrella.com certificate (expiring on 27th September 2022) is trusted.
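As an added example (not a script from Cisco or from this article), the same inspection and update of the ADFS relying party trust described above, including keeping the old and new certificates side by side for rollover and then dropping the expired one, can be done from the AD FS PowerShell module on the federation server. The relying party display name, the path to the new certificate file and the `$removeExpired` switch are assumptions; substitute your own values.

```powershell
# Added example, not part of the Cisco article. Assumptions: the RP trust is
# named 'Cisco Umbrella SWG' and the new certificate extracted from the Cisco
# metadata has been saved as a .cer file at $newCertPath.
$rpName        = 'Cisco Umbrella SWG'
$newCertPath   = 'C:\Certs\gateway.id.swg.umbrella.com-new.cer'
$removeExpired = $false   # set to $true once the new certificate is confirmed working

Import-Module ADFS

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# 1. List every request-signing certificate AD FS currently trusts for this RP and
#    flag the ones that have already lapsed (such as the one that expired on 26 Nov 2021).
$now = Get-Date
$rp.RequestSigningCertificate | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Status     = if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
    }
} | Format-Table -AutoSize

# 2. Load the new certificate and add it alongside the existing ones. Trusting both
#    old and new is what makes the rollover seamless when the IdP supports it.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $newCertPath
$trusted = @($rp.RequestSigningCertificate | Where-Object { $_.Thumbprint -ne $newCert.Thumbprint })
$trusted += $newCert
Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate $trusted

# 3. Once authentication works with the new certificate, remove the expired one so
#    only the current gateway.id.swg.umbrella.com certificate remains.
if ($removeExpired) {
    $current = @($trusted | Where-Object { $_.NotAfter -ge $now })
    Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate $current
}

# Confirm what AD FS now trusts for this RP.
(Get-AdfsRelyingPartyTrust -Name $rpName).RequestSigningCertificate |
    Select-Object Subject, Thumbprint, NotAfter
```

Run this in an elevated PowerShell session on the AD FS server. Step 1 is read-only and is the quickest way to confirm whether the “UPN Not Configured” error is caused by an expired signing certificate on the trust before changing anything; step 2 mirrors uploading the certificate on the Signature tab, and step 3 mirrors deleting the expired certificate for IdPs that cannot handle more than one.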
Cisco provided notifications regarding this event on the Umbrella Dashboard and Announcement forum:
- First Notice - https://support.umbrella.com/hc/en-us/articles/4408058781972--Action-Required-Umbrella-SWG-SAML-Certificate-Expiring-November-2021-Second-Notice
- Second Notice - https://support.umbrella.com/hc/en-us/articles/4406590415892--Action-Required-Umbrella-SWG-SAML-Certificate-Expiring-November-2021