How to Configure SAML 2.0 for Cisco Umbrella
This setup might fail without parameter values that are customized for your organization. Please use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization.
Read this before you enable SAML
Enabling SAML will affect all users who use this application, which means that users will no longer be able to sign in through their regular log-in page. They will only be able to access the app through the Okta service.
Cisco Umbrella does not provide a backup log-in URL where users can sign in with their normal username and password. You can email Cisco Umbrella support to turn off SAML, if necessary.
The Okta/Cisco Umbrella SAML integration currently supports the following features:
- IdP-initiated SSO
- SP-initiated SSO
For more information on the listed features, visit the Okta Glossary.
Log in to your Cisco Umbrella account.
Navigate to Admin > Authentication, then click ENABLE SAML:
Select Okta, then click NEXT:
Follow the steps below:
Save the following metadata as metadata.xml, then select XML File Upload and upload it to Cisco Umbrella:
Click TEST CONFIGURATION to verify the SAML settings:
Wait for the Success! message, then click NEXT:
Select all the checkboxes, then click SAVE AND NOTIFY USERS:
Go to: https://login.umbrella.com/sso
Enter your Email, then click LOG IN:
Configuring SAML SSO for Cisco Umbrella
These steps will guide you through setting up the single sign-on functionality between ADSelfService Plus and Cisco Umbrella.
Log in to ADSelfService Plus as an administrator.
Navigate to Configuration → Self-service → Password Sync/Single Sign-on.
Search for Cisco Umbrella and select it.
Click Download SSO Certificate link in the top-right corner of the screen.
In the pop-up that appears, copy the Login URL and download the metadata file by clicking on the Download Metadata file.
Cisco Umbrella (Service Provider) configuration steps
Log in to Cisco Umbrella with an administrator’s credentials.
Navigate to Settings → Authentication → SAML.
Under the Choose Provider tab, click Other and then click Next.
Under the Upload Metadata tab, choose the metadata file downloaded in step 5 of the prerequisites.
Now, validate your SSO configuration with SSP.
ADSelfService Plus (Identity Provider) configuration steps
Now, switch to ADSelfService Plus’ Cisco Umbrella configuration page.
In the Domain Name field, enter the domain name of your email address. For example, if you use [email protected] to log in to Cisco Umbrella, then thinktodaytech.com is the domain name.
In the Available Policies field, click on the drop-down box and select the policies for which you wish to enable single sign-on.
Click Save and log out of ADSelfService Plus.
For Cisco Umbrella, only SP initiated flow is supported.
Cisco Umbrella: SSO Login Issues
While setting up Single Sign-On (SSO) for Cisco Umbrella, there was a need to convert existing Umbrella accounts to use SSO. What should have been a straightforward process turned out to be cumbersome. From getting an error that SSO was not working, to an account having been locked out for 10 minutes, or being redirected to the OpenDNS portal instead of Umbrella — needless to say, Cisco/OpenDNS caused some confusion. In this post, I will:
- Briefly explain what Umbrella is and why SSO is important for security and the user experience
- Go over some SSO security considerations
- Share how we troubleshot the problem
- Uncover what the cause was
- Present how we fixed the issue
At the end of the article, I will summarize the exact steps needed to get an Umbrella account converted to use SSO.
In 2006, OpenDNS was founded to help, among other goals, speed up DNS queries and make the web safer to browse. It later created Umbrella and was acquired by Cisco a few years after. In essence, Umbrella proxies DNS requests to secure traffic — almost like Websense, a web filtering and content gateway solution — except it does so by looking at the DNS level. Clients go through its public DNS servers, and predefined policies decide what Internet resource can and cannot be visited. This makes for a quick, first layer of defense against malicious websites and other types of threats. The product can also perform SSL decryption to gain some (not complete) visibility into encrypted traffic.
Single-Sign On (SSO) allows for an individual to sign into one or more services with one account and password instead of having one for each resource. In addition, administrators can better manage access to resources through a central identity provider (IdP), such as Azure AD, and enforce policies like multi-factor authentication, auditing, and compliance rules.
In this post, I will not dive into how to set up SSO. Umbrella configuration with Azure AD, for instance, was actually quite straightforward through the exchange of metadata XML files between the IdP and the Service Provider (SP). Instead, this is for readers who already have SSO configured correctly and enabled for their instance of Umbrella, but ran into the issue of converting existing Umbrella accounts to use SSO.
Native or SSO Login
Umbrella allows you to sign in with either a native, local (to Umbrella), non-SSO account or via SSO. Once you enable Single-Sign On, one should ONLY be able to log in through that method, and the native, local way should cease to function. This ensures that the user cannot bypass SSO by simply using the non-SSO Umbrella username and password.
What some administrators may not realize, however, is that some service providers (like Concur) may allow a user to sign in with both methods: the non-SSO and SSO way (instead of ONLY allowing the latter.) Why is that a security issue?
Let’s look at what should happen when an employee leaves a company:
- Account gets disabled on the identity provider side (like Active Directory and Azure AD)
- SSO is blocked for the user
- Access to local resources is cut off
- Access to cloud resources stops
  - Note: this may not happen immediately, as SAML Access and Refresh tokens may not yet have expired
- When the former employee tries to reset the password to his SSO and non-SSO accounts, this should not be possible
- Email access should also not be available, to prevent password recovery
So, what if the employee knows the password to his non-SSO login? What if he had performed a password reset for it prior to being terminated? Despite SSO being disabled, he could still access the resource. That’s where a disgruntled employee could potentially cause damage to the organization.
If the native, non-SSO login cannot be disabled, at minimum, change its account password to something the user (and admin) does not know, and block the ability to reset it.
Allowing both non-SSO and SSO sign-on is a potential security and compliance issue
Prevent Non-SSO Login
The importance of preventing non-SSO login once SSO is enabled cannot be stressed enough: it ensures that an employee can no longer access the resource after termination or in other unauthorized ways. This can be accomplished in various ways, depending on what the service provider supports:
- Only allow SSO login (by disabling non-SSO access)
- Change the non-SSO password to something the user does not know
- Prevent the password reset of the non-SSO account
The last one is of special note: If the user has the ability to change the non-SSO password, he or she may do so prior to being terminated. The person has now gained the ability to log in through both SSO and non-SSO. When the employee (and SSO account) is terminated, because he knows the non-SSO credential, he could still log in without anybody knowing.
A terminated employee may still have the ability to log in despite the SSO account having been disabled
During testing, my colleague (who wishes to remain anonymous) and I discovered that there was no option to reset the existing Umbrella account’s password. You could only Delete. That’s fair, as it prevents an administrator from signing in as someone else. So: delete and re-add the account with the NameID claim the SAML configuration is expecting. Generally, that is the email address. The person would receive an email with an invitation to sign in to Umbrella, and the account status would be “Pending”:
[Screenshots: Old Invite; Account Status]
Take note of the Invitation Email: it greets the user and states that someone has sent an invitation to join Umbrella. Remember this for later.
Once you click on “Confirm Invite”, the user is taken to https://login.umbrella.com, and oddly, one of several things may occur:
- SSO is not available for the account
- Account is locked out for 10 minutes due to too many invalid attempts
- User lands on the OpenDNS portal instead of Umbrella
Why did SSO not work? Why did OpenDNS pop up, and what is its relationship with Umbrella? The Umbrella dashboard still showed the user as “Pending”.
If you recall, OpenDNS created Umbrella and was later purchased by Cisco. What we later found was that even though the invited account was not “Active” in Umbrella, the same identity also existed on the OpenDNS portal side. This conflict prevented Umbrella from completing its invitation process. Who knew? Furthermore, if the user was already logged in to Umbrella, the next time he visited the site he was logged on to OpenDNS instead. How do we remove that conflict?
Delete the OpenDNS Account
We had to find a way to delete the OpenDNS account so one could complete the Umbrella SSO invitation. To do so, one must gain access to their shadow OpenDNS account. But there was a problem: the user’s non-SSO Umbrella password did not work at https://login.opendns.com. One would have to perform a Password Recovery. More on that later.
If the user was already logged in to OpenDNS, try deleting the OpenDNS account by going to the My Account tab > Delete Account > provide the current password and click the “Delete Account” button as shown below:
Did account deletion work? No. The Umbrella password was rejected as invalid even when typed correctly:
In short, even though the OpenDNS account existed, we did not know what its password was. It was not the same as what was used to log in to Umbrella.
OpenDNS Password Reset
To delete the OpenDNS account, one must first perform a password recovery. Provide the email address for the Umbrella account to reset, and an email should be received with a link to set a new password:
[Screenshots: Password Reset; Recovery Email; Set New Password]
Once the user has gained access to his OpenDNS account, he can now delete it:
Re-Invite to Umbrella
The Umbrella administrator needs to remove the user’s invitation and send a new one. With the OpenDNS account conflict gone, the user will now get a different invitation email from what was received previously (right). In the new one (left), it no longer shows who sent the invite.
[Screenshots: New Invite (left); Old Invite (right)]
The user can now “click this link” from the invitation email, taking him to the SSO login page where he inputs the email address for the account. SSO will now sign him in, the account will change to “Active” in the Umbrella dashboard, and he can even try to log in through the non-SSO login page. Note: No matter what password is entered on the non-SSO login, SSO will take over. If Multi-Factor Authentication has been set up for Azure AD, the account may even get challenged with it, depending on the configured MFA policies.
Umbrella SSO Password Recovery
I had previously shared that when SSO is enabled for an account, the user should NOT be allowed to reset the password for the non-SSO Umbrella account. Password changes should be handled from the Identity Provider (IdP) side, such as Active Directory or Azure AD, for centralized account management and security.
Indeed, with SSO now properly working with Umbrella, trying to perform a password recovery will result in an error, as it should:
Let’s summarize the steps needed to convert an Umbrella native account to use SSO.
- Take note of the user’s Umbrella account email address and assigned role
- Delete the user’s Umbrella account
- Direct user to https://login.opendns.com and click on the “Forgot Password?” link
- An email from OpenDNS will be sent to the user to set a new password
- From the OpenDNS Dashboard, have the user go to: My Account tab > Delete Account > provide the newly-set password > click on Delete Account button
- Create a new Umbrella invitation with the user’s email address and desired role
- User should get an invitation email with a link to the Umbrella SSO login page
- After providing the account’s email address, the user should be logged in to Umbrella
Converting a service provider’s native accounts to SSO should be a pain-free process with as little involvement from the users as possible. As can be seen here, Cisco and OpenDNS have some integration challenges to work out, forcing us to have the users perform a password recovery and account deletion before their SSO could be enabled. Thankfully, our Umbrella users are all technical and were not too bothered by having to do some legwork.
With Cisco Umbrella logs in Perch, you can store, search, report, or get notifications of threat activity in Umbrella logs; or have the SOC review them for signs of threat.
To start logging your Cisco Umbrella logs to Perch, you will need a few pieces of information from Umbrella. Review the Cisco Umbrella Log Management documentation to set up Cisco Umbrella and enable the integration.
Perch will accept all Cisco Umbrella logs but you may choose to either:
- Log All Requests: For full logging, whether for content, security or otherwise
- Log Only Security Events: For security logging only, which gives your users more privacy — a good setting for people with the roaming client installed on personal devices
When you create a policy, activity logs are by default saved to the North America – California, US Cisco-managed S3 bucket for your organization.
You may optionally configure Umbrella to log to your own S3 bucket. Perch is compatible with all Cisco-managed S3 buckets or your corporate S3 bucket.
Set up Umbrella logging
A Cisco-managed S3 bucket is the easiest to configure. Follow these steps to log to the Cisco-managed S3 bucket. Data can be stored for up to 30 days in the S3 bucket, but with the Perch integration, you can store your Cisco Umbrella data for as long as you like.
When you activate logging, you will be presented with information necessary to set up the Perch integration with Cisco Umbrella.
Keep track of your Data Path (including AWS Region), Access Key, and Secret Key in a secure location. You will enter this information into Perch.
If you are an MSP, activate logging on a per-customer basis
Set up the Cisco Umbrella-Perch integration
To connect Perch to your Cisco Umbrella logs, log in to Perch. Select the company name from the organization picker for which you will set up the integration. Navigate to Settings in the left-hand navigation. Scroll down to the Integrations section of the settings page. You will see a list of integrations that includes Cisco Umbrella.
Click “Install” to the right of the Cisco Umbrella icon in the Integrations section. Installation takes just a second to enable your account. You will see a success message pop up at the bottom of the screen. After a successful install you will be taken to the Perch page to configure the integration.
Now just fill out the integration settings with the required information.
Insert your Access Key, Secret Key, and Data Path in the Authentication Section. Additionally, you will need to select the AWS Region.
You can then Save or Save and Test your configuration. Once the configuration is saved, you can toggle on Cisco Umbrella log collection in the Configuration section.
Perch will report integration health every time it pulls logs. If there is an error, you will see it in the integration health section. You can get more details from the API call about why an error may be occurring. If there is an error, it is likely related to credentials or network issues between Perch cloud and the Cisco-managed AWS bucket.
Still having trouble? Reach out to one of our specialists at [email protected]
Steps to configure single sign-on for Cisco Umbrella:
- Log in to Zoho Vault as an administrator.
- Navigate to Apps > Manage Apps > Add Supported App.
- Search for and select Cisco Umbrella.
- Click Next.
- Copy the Zoho Vault details or download the details as a metadata file by clicking the Download MetaData File option.
- Click Next.
- Select which users will have single sign-on permissions for Cisco Umbrella. You can revoke user access at any time.
- Click Save.
Cisco Umbrella configuration steps:
- Log in to Cisco Umbrella as an administrator.
- Navigate to Admin > Authentication.
- Click SAML > Next.
- Click Next in the Instructions tab.
- Paste the certificate, login URL, and logout URL copied from the Zoho Vault IdP details page.
- In the Validate tab that opens, click TEST YOUR SAML CONFIGURATION.
- Enter your Cisco Umbrella email in the corresponding field and click Login via SAML.
- Wait for the success message and agree to the terms and conditions box "I have read and understood all of the above."
Duo Single Sign-On for Cisco Umbrella
As business applications move from on-premises to cloud hosted solutions, users experience password fatigue due to disparate logons for different applications. Single sign-on (SSO) technologies seek to unify identities across systems and reduce the number of different credentials a user has to remember or input to gain access to resources.
While SSO is convenient for users, it presents new security challenges. If a user's primary password is compromised, attackers may be able to gain access to multiple resources. In addition, as sensitive information makes its way to cloud-hosted services it is even more important to secure access by implementing two-factor authentication.
About Duo Single Sign-On
Duo Single Sign-On is our cloud-hosted SSO product which layers Duo's strong authentication and flexible policy engine on top of Cisco Umbrella logins using the Security Assertion Markup Language (SAML) 2.0 authentication standard. Duo Single Sign-On acts as an identity provider (IdP), authenticating your users using existing on-premises Active Directory (AD) or any SAML 2.0 IdP and prompting for two-factor authentication before permitting access to Cisco Umbrella.
Duo Single Sign-On is available in Duo Beyond, Duo Access, and Duo MFA plans, which also include the ability to define policies that enforce unique controls for each individual SSO application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing Cisco Umbrella. Duo checks the user, device, and network against an application's policy before allowing access to the application.
Configure Single Sign-On
Before configuring Cisco Umbrella you'll first need to enable Duo Single Sign-On for your Duo account and configure a working authentication source.
Once you have your SSO authentication source working, continue to the next step of creating the Cisco Umbrella application in Duo.
Create the Cisco Umbrella Application in Duo
Log on to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate the entry for Cisco Umbrella with a protection type of "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list. Click Protect to the far-right to start configuring Cisco Umbrella. See Protecting Applications for more information about protecting applications in Duo and additional application options. You'll need the information on the Cisco Umbrella page under Downloads later.
Cisco Umbrella uses the Mail attribute when authenticating. We've mapped the <Email Address> bridge attribute to Duo Single Sign-On supported authentication source attributes as follows:
|Bridge Attribute|Active Directory|SAML IdP|
|<Email Address>|||
If you are using a non-standard email attribute for your authentication source, check the Custom attributes box and enter the name of the attribute you wish to use instead.
You can adjust additional settings for your new SAML application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy.
Scroll to the bottom of the page and click the Save button.
Duo Universal Prompt
The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
[Screenshots: Universal Prompt | Traditional Prompt]
We've already updated the Duo Cisco Umbrella application hosted in Duo's service to support the Universal Prompt, so there's no action required on your part to update the application itself. You can activate the Universal Prompt experience for users of new and existing Duo Cisco Umbrella applications from the Duo Admin Panel.
Before you activate the Universal Prompt for your application, it's a good idea to read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.
Activate Universal Prompt
Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.
The "Universal Prompt" area of the application details page shows that this application is "New Prompt Ready", with these activation control options:
- Show traditional prompt: (Default) Your users experience Duo's traditional prompt when logging in to this application.
- Show new Universal Prompt: Your users experience the Universal Prompt when logging in to this application.
Enable the Universal Prompt experience by selecting Show new Universal Prompt, and then scrolling to the bottom of the page to click Save.
Once you activate the Universal Prompt, the application's Universal Prompt status shows "Update Complete" here and on the Universal Prompt Update Progress report.
Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt.
Universal Update Progress
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Configure Cisco Umbrella SSO
Configure Duo Single Sign-On as a new SSO provider in Cisco Umbrella.
Log on to Cisco Umbrella as an administrative user and navigate to Admin → Authentication and under "SAML Dashboard User Configuration" click on Enable SAML.
When asked "Which SAML based SSO Service would you like to use?" click Other and then click Next.
On the Umbrella Metadata page click Next.
Click Download XML next to "XML file" under Downloads on your Cisco Umbrella application's details page in the Duo Admin Panel to download the Duo Single Sign-On XML metadata file. On the Cisco Umbrella Upload and Verify Other Metadata page under "XML File Upload" click Or select a file... and select the XML metadata file.
Click Test Configuration. A pop-up will appear and redirect to the Duo Single Sign-On login page. Enter your primary directory logon information and approve Duo two-factor authentication. You will see a "Success" message. Close this window, return to the configuration page, and click Next.
You will be asked to accept terms and conditions and click Save and Notify Users. This will enable SSO and send an email to your employees notifying them of the change.
Learn more about Cisco Umbrella SSO at the Cisco Umbrella Support site.
Log in with SSO
Navigate to the Cisco Umbrella login page and click the Single sign on link. Enter your email address and click Sign In. This redirects you to Duo Single Sign-On to enter your primary directory logon information. For example, this is the SSO login page when your authentication source is Active Directory.
Successful verification of your primary credentials redirects you to Duo. Complete Duo two-factor authentication when prompted and then you'll return to Umbrella to complete the login process.
*Universal Prompt experience shown.
You can also log into Cisco Umbrella using Duo Central, our cloud-hosted portal which allows users to access all of their applications in one spot. Link to Cisco Umbrella in Duo Central by adding it as an application tile. Once the tile has been added, log into Duo Central and click the tile for Cisco Umbrella.
Congratulations! Your Cisco Umbrella users now authenticate using Duo Single Sign-On.
Enable Remembered Devices
To minimize additional Duo two-factor prompts when switching between Cisco Umbrella and your other Duo Single Sign-On SAML applications, be sure to apply a shared "Remembered Devices" policy to your SAML applications.
Secure access to Cisco Umbrella with SAASPASS multi-factor authentication (MFA) and secure single sign-on (SSO) and integrate it with SAML in no time and with no coding. Log into your Cisco Umbrella services securely without ever having to remember passwords on both your computer and mobile with SAASPASS Instant Login (Proximity, Scan Barcode, On-Device Login and Remote Login).
You can enable Cisco Umbrella login with SAASPASS secure single sign-on (SSO) and provide your users the ability to login to Cisco Umbrella and other SAASPASS integrated apps, all at once.
Two-step verification and secure single sign-on with SAASPASS will help keep your firm’s Cisco Umbrella access secure.
Provide the easiest to use and most convenient secure access to Cisco Umbrella with SAASPASS two-factor authentication and single sign-on (SSO) with SAML integration. Integration requires no coding and takes a matter of minutes. Log into your Cisco Umbrella securely without remembering passwords on both your computer and mobile with SAASPASS Instant Login (Proximity, Scan Barcode, On-Device Login and Remote Login).
You can integrate SAASPASS with Active Directory. SAASPASS supports SAML and RESTful APIs as well.
The SAASPASS app works on nearly every device on the market today: Android phones, Android tablets, iPhones, iPads, Blackberrys and Java ME feature phones.