Cisco Meraki Documentation

Okta SAML Integration

This article explains how to integrate Okta as a SAML identity provider for Cisco Secure Connect through the Umbrella dashboard. It covers configuration by metadata upload or by manual entry of the IdP fields, so that Umbrella DNS and Secure Web Gateway (SWG) policy can be applied to authenticated user identities. The guide lists the prerequisites, the deployment steps on the Umbrella side, and the matching configuration of a generic SAML 2.0 application in Okta.

Overview

Okta can be configured as the SAML identity provider (IdP) in one of two ways: by uploading the IdP's metadata file, or by manually entering the IdP's Entity ID, endpoint and signing key. For provisioning users from Okta after the SAML configuration is complete, see Provision Identities from Okta.

Prerequisites

  • Traffic to id.swg.umbrella.com must be sent through the Umbrella secure web gateway (SWG), not directly to the internet.

  • The IdP's SAML metadata must contain a signing key; Umbrella uses it to verify the signature on the IdP's SAML responses.

  • If you are using an on-premises identity provider (IdP) such as ADFS, ensure that your IdP endpoint (the URL used to communicate with your identity provider) bypasses the Umbrella proxy. If the endpoint itself is proxied, the proxy will try to authenticate the request to the IdP and create an authentication loop.

  • Configure SAML with an identity provider (IdP) that supports the SAML 2.0 POST profile.

  • Download your IdP's metadata file in XML format.

  • Enable cookies in your browser.

  • Enable SAML and HTTPS inspection on a Ruleset that includes the Network and Tunnel identities from which the user traffic arrives.

See Configure SAML Integrations and Prerequisites for more information on prerequisites.

Deployment

Configure Okta for SAML with Metadata Upload

1. Go to Secure Connect -> Identities & Connections -> Users, select your identity provider, click Connect under "Bring your own ID Provider".

2. On the next page, click Configure SAML. You are redirected to the Umbrella dashboard.

3. Navigate to Deployments > Configuration > SAML Configuration and click Add.


4. Select Okta and click Next.

Notice: Enable Organization-specific Entity ID if you have multiple Secure Connect organizations that must authenticate against the same IdP; the SP Entity ID in the downloaded metadata then differs per organization, so the IdP can tell the organizations apart. Otherwise, leave it unchecked (the default).

5. Select XML File Upload.


6. Download the Umbrella metadata file (SP metadata file) and click Next.

Do not use the pre-built Cisco Umbrella application within Okta.

That application is designed for Umbrella dashboard login, not for Secure Web Gateway users. You must configure Umbrella as a generic SAML 2.0 application within Okta.
For details on how to download Okta IdP metadata, see the section Configurations on Okta below.

Okta does not provide a way to upload the Umbrella SP metadata for automatic configuration. Extract the entityID and the AssertionConsumerService Location URL from the Umbrella metadata and enter them in the corresponding fields of the Okta application (Audience URI and Single sign-on URL). Contact Okta support for assistance.

The Umbrella SP metadata includes the Service Provider Issuer ID, the assertion consumer endpoint URL information, and the SAML request signing certificate from Cisco Umbrella. This metadata is required when configuring your IdP for Umbrella.

Note: Your IdP must send the Cisco Umbrella User Principal Name in the NameID element of the SAML assertion. For more information on configuring your IdP, exporting your IdP metadata, obtaining your IdP details, or downloading your IdP signing certificate, refer to your vendor's documentation.

7. Upload your IdP's metadata file in XML format and click Next.
    For details on how to download Okta IdP metadata, see the section Configurations on Okta below.

8. From the Re-Authenticate Users drop-down list, choose how often Umbrella re-authenticates users: Never, Daily, Weekly, or Monthly.

9. Click Save. Your new configuration appears as SAML Web Proxy Configuration.

Configure Okta for SAML Manually

1. Navigate to Deployments > Configuration > SAML Configuration and click Add.

2. Select Okta and click Next.

3. Select Manual Configuration.


4. Download the Umbrella metadata file (SP metadata file) and click Next.

The Umbrella SP metadata includes the Service Provider Issuer ID, the assertion consumer endpoint URL information, and the SAML request signing certificate from Cisco Umbrella. This metadata is required when configuring your IdP for Umbrella.

5. Enter the following values from Okta's IdP metadata and click Next.
    For details on how to access Okta IdP metadata, see the section Configurations on Okta below.

  • Entity ID—The globally unique identifier of the identity provider (the entityID attribute of its metadata).
  • Endpoint—The single sign-on URL used to send authentication requests to your identity provider.
  • Signing Keys—Your identity provider's X.509 certificate. The IdP uses the matching private key to sign its SAML responses and assertions; Umbrella uses this certificate to verify those signatures.
  • Signed Authentication Request (optional)—Have Umbrella sign the authentication requests it sends to this IdP, using the certificate from the Umbrella SP metadata.
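The values copied by hand in these procedures (the SP entityID and AssertionConsumerService Location that go into the Okta application, and the IdP Entity ID, Endpoint and Signing Keys that go into the Umbrella manual form) can be pulled out of the two metadata files programmatically, which also lets you confirm the signing-key prerequisite before uploading. The script below is an added example, not Cisco or Okta code. The two metadata documents embedded in it are constructed stand-ins: the entity IDs, the ACS path and the Okta SSO URL are placeholders, and a five-byte DER blob stands in for a real certificate. All function and field names are the example's own.

```python
"""Extract the hand-copied SAML values from Umbrella SP metadata and Okta IdP
metadata, and enforce the signing-key prerequisite.

Added example, not Cisco or Okta code. Both metadata documents below are
constructed: placeholder entity IDs and URLs, and a dummy DER blob as the cert.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Dummy certificate body: a 5-byte DER SEQUENCE, base64-encoded. Not a real
# X.509 certificate; it only lets the structural check below pass.
DUMMY_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed SP metadata in the shape Umbrella exports. The ACS path is a
# placeholder; use the Location from your own downloaded file.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="saml.gateway.id.swg.umbrella.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{DUMMY_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
        Location="https://gateway.id.swg.umbrella.com/PLACEHOLDER-PATH/acs/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the shape Okta's "View IdP metadata" produces.
# The entity ID and SSO URL are placeholders, not a real Okta tenant.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://www.okta.com/EXAMPLEID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{DUMMY_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/example/EXAMPLEID/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example.okta.com/app/example/EXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text):
    """Return role, entity ID, signing certs and endpoints from SAML 2.0 metadata."""
    root = ET.fromstring(xml_text)  # use defusedxml instead for metadata from untrusted sources
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    role, kind, ep_tag = ((sp, "SP", "md:AssertionConsumerService") if sp is not None
                          else (idp, "IdP", "md:SingleSignOnService"))
    if role is None:
        raise ValueError("no SPSSODescriptor or IDPSSODescriptor found")
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    endpoints = {ep.get("Binding"): ep.get("Location") for ep in role.findall(ep_tag, NS)}
    return {"kind": kind, "entity_id": root.get("entityID"),
            "signing_certs": certs, "endpoints": endpoints}


def looks_like_der_cert(b64):
    """Structural sanity check: strict base64 whose payload starts with a DER SEQUENCE tag."""
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(der) > 0 and der[0] == 0x30


def okta_app_fields(sp):
    """Values for the generic SAML 2.0 app in Okta (Single sign-on URL, Audience URI)."""
    acs = sp["endpoints"].get(HTTP_POST)
    if sp["kind"] != "SP" or acs is None:
        raise ValueError("expected SP metadata with an HTTP-POST AssertionConsumerService")
    return {"Single sign-on URL": acs, "Audience URI (SP Entity ID)": sp["entity_id"]}


def umbrella_manual_fields(idp):
    """Values for Umbrella's Manual Configuration form; fails if no usable signing key."""
    if idp["kind"] != "IdP":
        raise ValueError("expected IdP metadata")
    keys = [c for c in idp["signing_certs"] if looks_like_der_cert(c)]
    if not keys:
        raise ValueError("IdP metadata has no usable signing key (prerequisite not met)")
    endpoint = idp["endpoints"].get(HTTP_POST) or idp["endpoints"].get(HTTP_REDIRECT)
    if endpoint is None:
        raise ValueError("IdP metadata has no HTTP-POST or HTTP-Redirect SingleSignOnService")
    return {"Entity ID": idp["entity_id"], "Endpoint": endpoint, "Signing Keys": keys}


def proxy_bypass_host(idp):
    """Host of the IdP endpoint that must bypass the Umbrella proxy to avoid an auth loop."""
    return urlparse(umbrella_manual_fields(idp)["Endpoint"]).hostname


if __name__ == "__main__":
    print(okta_app_fields(parse_metadata(SP_METADATA)))
    print(umbrella_manual_fields(parse_metadata(IDP_METADATA)))
    print("bypass the proxy for:", proxy_bypass_host(parse_metadata(IDP_METADATA)))
```

Point parse_metadata at the real files you downloaded in place of the embedded samples. The DER check is only a sanity check that the KeyDescriptor contains a certificate body at all; it does not validate the certificate. Metadata fetched from a URL you do not control should be parsed with defusedxml rather than the standard library parser.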

6. From the Re-Authenticate Users drop-down list, choose how often Umbrella re-authenticates users: Never, Daily, Weekly, or Monthly.

7. Click Save. Your new configuration appears as SAML Web Proxy Configuration.

Configurations on Okta

1. Go to Okta -> Applications -> Applications and click Create App Integration.


2. Select SAML 2.0 in the new window and click Next.


3. In the first step of creating the SAML integration, enter an App name and click Next.

4. For Single sign-on URL, enter https://gateway.id.swg.umbrella.com/...h/acs/response. This is the AssertionConsumerService Location, and the full URL is in the Umbrella metadata file you downloaded in Configure Okta for SAML with Metadata Upload -> Step 6.

(Screenshot: Single sign-on URL in the Umbrella metadata file)

5. For Audience URI (SP Entity ID), enter saml.gateway.id.swg.umbrella.com. This is the entityID attribute in the Umbrella metadata file you downloaded in Configure Okta for SAML with Metadata Upload -> Step 6. If you enabled Organization-specific Entity ID on the Umbrella side, the entityID in your downloaded metadata differs from the generic value; always use the value from your own metadata file.

(Screenshot: Audience URI (SP Entity ID) in the Umbrella metadata file)

6. For Name ID format and Application username, choose values that match your SAML processing rules, for example EmailAddress and Email. Remember that Umbrella expects the user principal name in the NameID of the assertion, so the attribute you select must carry that value. Leave the rest at the defaults and click Next. Answer Okta's feedback questions on the next page and click Finish.

7. You have now completed the required steps in Okta and are redirected to the application's main page (Secure_Connect_SAML_integration in this example). To download the IdP metadata for the Umbrella side, scroll down to Sign On -> SAML Signing Certificates, click Actions next to the active certificate, click View IdP metadata, save the result as an .xml file, and upload it on the Umbrella side (Configure Okta for SAML with Metadata Upload -> Step 7).