Cisco Meraki Documentation

Cisco Secure Connect - IdP Azure AD SAML Configuration

Overview

This guide provides the steps to configure Security Assertion Markup Language (SAML) authentication with Active Directory (AD), which provides individual user and group-based identities for policy enforcement.

Deployment

Access the Cisco Umbrella Dashboard

Go to Secure Connect -> Identities & Connections -> Users. If you have not already set up SCIM, you will see the screen below.

  1. Select your identity provider, click Connect under "Bring your own ID Provider".

Doc - IdP Setup.png

  2. Click Configure SAML to get to the Umbrella Dashboard.

cpsc_enable_duo_sso_01.png

If you have already configured SCIM, clicking Secure Connect -> Identities & Connections -> Users shows the page below. Click User Groups to get to the Umbrella Dashboard.

Docs - Users Page.png

Configuring the IdP Integration

Use the Azure Active Directory Admin Center to add an enterprise application (Cisco Umbrella) to your Azure Active Directory (Azure AD) tenant. You will configure Cisco Umbrella as a SAML-based SSO provider.

To complete the Azure configuration, you first need to download the Umbrella metadata file.

Step 1: On Cisco Umbrella, navigate to Deployments -> Configuration -> SAML Configuration and click Add.

Step 2: Select Azure as your Identity Provider (IdP) and click Next.

acd8dcb-azure.png

Step 3: On the resulting screen, select Download the Umbrella Metadata file and leave this screen open. You will pick up the configuration from this point later.

61aade1-azure_3.png

Step 4: Go to the Azure Active Directory Admin Center and sign in.

Step 5: In the left menu, select Enterprise applications. The All applications pane opens and displays a list of the applications in your Azure AD tenant.

Step 6: In the Enterprise applications pane, select New Application.

Note: The Browse Azure AD Gallery pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Cisco Umbrella is listed twice in this gallery; however, these listings are not applicable for this use case (SAML authentication of remote access users).

Step 7: Select Create your own application and enter a name that you want to use to recognize the instance of the application. For example, SAML for Cisco Umbrella for RAS.

Createapp.png

Step 8: Select Integrate any other application you don’t find in the gallery (non-gallery).

Step 9: Select Create.

Step 10: In the resulting Overview screen, select Assign users and groups.

assignusers.png 

Step 11: On the resulting screen, select Add user/group.

addusergroup.png

Step 12: On the resulting Add Assignment pane, select None Selected under Users and groups.

Search for and select the user that you want to assign to the application. For example, user1@yourdomain.com.

Step 13: Select Select.

Step 14: On the Add Assignment pane, select Assign at the bottom of the pane.

Enable Single-Sign On 

Now that you’ve selected your users, in the Manage section of the left menu select Single sign-on to open the Single sign-on pane for editing.

Step 15: Select the SAML tile to continue.

samlsso.png

Step 16: On the resulting screen, select Upload metadata file. This is the XML file that you downloaded from Cisco Umbrella in Step 3.

upload.png

Step 17: Once the upload is successful, click Save on the resulting Basic SAML Configuration pane.

saveupload.png

Step 18: Scroll down to the SAML Signing Certificate section and download the Federation Metadata XML.

downloadAzure.png

Step 19: Now upload this Azure metadata XML file to Cisco Umbrella (where you left off at Step 3 above) and click Next.

2e78702-azure_4.png

Step 20: From the Re-Authenticate Users drop-down list, choose how often Umbrella re-authenticates users: Never, Daily, Weekly, or Monthly.

03848fa-reauth_users.png

Step 21: Click Save.

Step 22: To verify that the integration is successful, press the Test Configuration button.

Umbrellatest.png

A success looks like this:

testsuccess.png

If you receive a failure, go back to Azure and click the Test button and follow the resolution guidance provided.

testAzure.png

Next Steps
See Cisco+ Secure Connect Azure SCIM Integration.
