Skip to main content
Cisco Meraki Documentation

Cisco Secure Connect - SecureX Integration

Cisco SecureX Sign-On is an authentication method where you can log in to Dashboard from the SecureX Sign-On page. It allows you to easily access Cisco security products, with the same set of credentials and from any device. Once you sign in with your username and password, your SecureX Sign-On home page displays all your Cisco products as apps in one customizable dashboard.

SecureX Sign-On uses Security Assertion Markup Language (SAML) which is an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The advantages of using SecureX Sign-On include easier management of credentials for Cisco security products. In addition, customers get Duo 2-factor-authentication enabled by default. 

This guide provides an overview of how to integrate Secure X with Cisco Secure Connect and use it as a single sing-on (SSO) between Cisco Umbrella and Secure Connect Dashboards. The SecureX integration Requires us to go through three steps:

1.) Create an account for SecureX 

2.) Enabling SecureX Sign-on in Secure Connect Dashboard 

3.) Enabling SecureX Sign-on in Umbrella Dashboard 

1.) Create an account for SecureX  

Go to https://sign-on.security.cisco.com

If you have a SecureX sign-on account:

a.     Enter your username. Your security image is displayed automatically, if you've previously completed a successful sign-in on the web browser you're using. This feature requires browser cookies.

clipboard_eb0768bca4f98e95e17ee9756fc8c04e0.png

Caution 

If you've successfully signed in on the current web browser before and have not cleared cookies, do not enter your password if your security image does not display when you enter your username. If your security image does not appear, close the web browser, and confirm that you're using the correct web address to sign in. Then, open a new web browser window, type the web address in manually, and enter your username. If your security image is still not displayed, please contact your product support team.

b.     Click Next and enter your password.

c.    Click Sign In. If you see the Unable to sign in error message, your username and password do not match those specified for your profile, or you do not have access permission. Please contact your product support team.

d.    At the Duo MFA prompt, push a notification to your registered device, and tap approve on it to authenticate.

 

Or, you may choose to continue by using an alternate account:

clipboard_e693de2bd60c506841d4f91148c3cfcb6.png

 

Sign in with Cisco.com if you're a Cisco employee or customer with a Cisco.com account used solely by you.

Sign in with Microsoft if your company maintains employee accounts in Microsoft Azure Active Directory.

If you don't have a SecureX sign-on account:

a.     Click Create a SecureX Sign-On.

clipboard_e7a92c574b830decd9216310cf85c34df.png

b.     Complete the form, and click Register.

c.    Find the "Activate Account" email from no-reply at Cisco, and click Activate Account.

d.     Set up MFA by configuring Duo Security. Two-factor authentication (a type of MFA) enhances the security of your account by using a secondary device to verify your identity. This prevents anyone but you from accessing your account, even if they know your password.

e.    Choose a device and follow the prompts to register the device. For more information, see Duo Guide to MFA and Device Enrollment. If you already have the Duo app on your device, you'll receive an activation code for this account. Duo supports multiple accounts on one device.

f.     For additional security, we recommend that you register at least two different devices. Click +Add another device and follow the prompts to register another device. For more information, see Duo Guide to MFA and Device Management.

g.    Once your device is paired with your account, click Finish. Optionally, existing users of Google Authenticator for MFA can add it here as a backup factor by clicking Setup Google Authenticator and following the prompts.

h.     Choose a "forgot password" question and its answer.

i.    Add a phone number for resetting your password or unlocking your account using SMS: useful when you don't have access to your email account and need a text message with a recovery code sent to you.

j.     Choose a security image.

k. Click Create my account

2.) Enabling SecureX Sign-on in Secure Connect Dashboard  

 

Navigate to Organization > Settings and click the SecureX Sign-On checkbox under the Authentication section.

Picture1.jpg

 

Once enabled, every time a new Dashboard user is created under Organization > Administrators, you will see an option to choose if that user would use SecureX Sign-On to login to Dashboard.

Picture2.jpg

 

Meraki cannot migrate existing users to use SecureX Sign-On, the option to allow SecureX Sign-On login will only be presented when creating a new user.

Note: The email address for the new administrator cannot match an existing Dashboard administrator or Meraki Authentication user's email address.

 

The Dashboard login page will request you to enter your email address. If the email has SecureX Sign-On enabled, you will be redirected to sign-on.security.cisco.com 

Multiple Organization Access 

 

SecureX allows administrators the ability to access multiple Dashboard organizations when using the same email address. If a user that already has access to at least one organization is added to an additional organization, the user account status will show up in the latter organization as 'Unverified', as seen below.

Picture3.jpg

 

On the next successful login, the new user will be prompted to accept permissions into the new organization.

picture5.png

 

After selecting 'Yes', the new user account status will be 'Ok' and they will be granted access to the organization.

Selecting 'No' at this prompt will delete the unverified user from the organization.

 

3.) Enabling Secure X Sign-on in Umbrella Dashboard  

1.     Navigate to Admin > Authentication.

2.     In the SAML Dashboard User Configuration section, click Enable SAML.

3.     Select Cisco SecureX Sign-On and click Next.

clipboard_e816fddb71a73e59c9158d6b5e9f3ff88.png

ALL USERS in Org MUST Have a Cisco SecureX Sign-On Account

Enabling Cisco SecureX Sign-On as a SAML provider requires a Cisco SecureX Sign-On account assigned to your Umbrella application. Any users without an account will not be able to authenticate to the Umbrella dashboard.

4.     Click Cisco SecureX Sign-On to create a Cisco SecureX Sign-On account and on the following window click Sign up. For more information about creating this account, see Cisco SecureX Sign-On Quickstart Guide.

clipboard_e8597423e4f941a148df52191b6fda416.png

5.     Once an account is created, return to step 2 of the configuration in Umbrella. Click Test Configuration.

clipboard_ec3c8787efe3e9a2285ff615650fb2ea8.png

6.     Sign in with the credentials provided when you created the Cisco SecureX Sign-In account.

clipboard_ef53cc4e3b2622a130711e37f2d98ad66.png

7.     You are prompted to log in with Duo Security as the second factor of authentication.

clipboard_ec20ee29069c08d195d15416bc917d931.png

There is an optional third factor of authentication with Google Authentication, but only Duo Security is mandatory. Once the authentication is complete a success modal appears:

clipboard_ebdad063db4463126fc89e3fd13f4febf.png

8.     Dismiss the modal and return to step 2 of the configuration in Umbrella. If the configuration is complete, a success message appears.

clipboard_e2994548e66f284efa0cb74f0b51db891.png

Test Configuration

The Test Configuration must be performed and successful for the set-up to complete.

9.     Click Next. The third step of the configuration appears informing you:

·       This single sign-on service will now be required going forward.

·       Umbrella will send an email to all dashboard users (not end-users) and a message to all admins in the dashboard to inform them of the mandatory SSO and that passwords are no longer accepted.

·       If the SSO is disabled in the future all users will be emailed a link to reset their passwords as old passwords will not be accepted.

·       Block page bypass users will no longer function once SAML is enabled.

10.  Check both boxes to acknowledge the information and click Save and Notify Users. Both boxes are required to be checked before saving the configuration.

clipboard_e0672750afc07a5ef14d67a1986cfaa70.png

Cisco SecureX Sign-On is now enabled in your org. All users receive an email informing them of the required SSO.

clipboard_ee04dc1bfbef2e49e35b6460f2d17039e.png

 

Disabling the Cisco SecureX Sign-On

1.     Navigate to Admin > Authentication.

2.     In the SAML Dashboard User Configuration section, you see that the status of SAML is currently Enabled. To disable the Cisco SecureX Sign-On click Disable.

clipboard_ee570318e9d331310c9f385c63bb57871.png

3.     A message prompts you with more information on what will occur when SAML is disabled. To continue, click Disable SAML.

clipboard_ee55254e879dbd2cd0066dbcdd1c2a2f4.png

All dashboard users receive an email to reset their passwords when logging into Umbrella as old passwords will no longer be accepted.

 

 

  • Was this article helpful?