Enable SSO (SAML) in Multi-Org Console

This page describes how to configure the Multi-org or MSP console for Cisco Umbrella to integrate with your specific Single Sign-On (SSO) provider using SAML. For SAML configuration, see Get Started with Single Sign-On.

Note: SSO configuration is not available for accounts on MSSP, PPoV, or other consoles that use Cisco CEC login.

If you currently log in through Cisco CEC login, you cannot use another SSO provider. Access to Umbrella is defined by the access level (level 3) on the Cisco partner account.


The Multi-org or MSP console does not currently support configuring SAML directly from the console; SAML must be enabled in a child organization. To enable SSO for a console admin, follow these steps:

  1. Create a new child organization called Single Sign-On. This organization will be empty except for SSO users.
  2. Create a new user in the Single Sign-On organization. This user will be used to configure SAML and must exist in your identity provider.
    Note: You cannot configure SAML using a Multi-org or MSP admin account unless that admin is added directly to the child organization. Errors may include a File Not Found message.
  3. Verify that the currently logged-in user is an admin and is listed under Admin > Accounts on the dashboard where you are configuring SSO.
  4. Log in to the Umbrella dashboard as the new Single Sign-On user.
  5. Configure SSO (SAML) in this new organization.
  6. Invite existing administrators into this organization as read-only users from the child organization dashboard. After they accept, they are members of the management console and of this single organization. From then on, these users must log in through SSO and no longer need an account password.
  7. Ensure that you do not add a given user to more than one SSO-enabled child organization. Doing so locks the user out of the dashboard completely until another admin removes the user from the second SSO-enabled organization.
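
The membership rules in steps 2, 6 and 7 can be checked before anyone is invited. The Python script below is an added example, not Cisco code: it calls no Umbrella API and assumes you have copied each organization's Admin > Accounts list by hand into the constructed ORGS structure (all organization names other than Single Sign-On, and all addresses, are made up).

```python
from collections import defaultdict

# Constructed sample data (not exported from Umbrella): child organizations
# with an SSO flag and the accounts listed under Admin > Accounts in each.
ORGS = {
    "Single Sign-On": {"sso": True, "members": {
        "sso-setup@example.com", "alice@example.com", "bob@example.com"}},
    "Customer A": {"sso": False, "members": {"alice@example.com"}},
    "Customer B": {"sso": True, "members": {"bob@example.com"}},
}
CONSOLE_ADMINS = {"alice@example.com", "bob@example.com", "carol@example.com"}


def audit_sso_membership(orgs, console_admins, saml_user, sso_org="Single Sign-On"):
    """Report the misconfigurations this page warns about."""
    # Map each user to the SSO-enabled organizations they belong to.
    sso_orgs_by_user = defaultdict(list)
    for name in sorted(orgs):
        if orgs[name]["sso"]:
            for user in orgs[name]["members"]:
                sso_orgs_by_user[user].append(name)

    sso_org_names = sorted(n for n, o in orgs.items() if o["sso"])
    return {
        # More than one SSO-enabled child organization is discouraged.
        "multiple_sso_orgs": sso_org_names if len(sso_org_names) > 1 else [],
        # Step 7: a user in two or more SSO-enabled orgs is locked out.
        "locked_out": {u: o for u, o in sorted(sso_orgs_by_user.items())
                       if len(o) > 1},
        # Step 6: console admins in no SSO-enabled org are not forced to SSO.
        "not_sso_enforced": sorted(console_admins - set(sso_orgs_by_user)),
        # Step 2 note: SAML must be configured by a direct member of the
        # SSO organization, otherwise the verification test fails.
        "saml_user_is_member": saml_user in orgs[sso_org]["members"],
    }


if __name__ == "__main__":
    report = audit_sso_membership(ORGS, CONSOLE_ADMINS, "sso-setup@example.com")
    for check, result in report.items():
        print(f"{check}: {result}")
```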


Q: Can I use my own SSO if I have an MSSP or Partner portal?
A: No. You must use the Cisco IT Okta partner portal. Access to Umbrella is determined by your Okta access level. Revoked or disabled accounts have no access to Umbrella.

Q: Does the SSO in one child organization apply to all logins for the user?
A: Yes. The user must log in through SSO and cannot access any organizations without authenticating with SSO.

Q: Can I enable SSO on multiple child organizations?
A: Yes; however, we strongly recommend that no more than one child organization be configured for SSO. Add users to the Single Sign-On organization as read-only users to enforce SSO for any account.

Q: Why read-only?
A: This is not required. It enables any account to be added to the organization without the ability to change any settings in this empty organization.

Q: What happens if a user is added to a second organization with SSO enabled?
A: The user will no longer be able to log in. Remove the user from at least one of the SSO organizations or contact support to restore the user's access.

Q: When configuring SAML, the verification test fails. I am not prompted to log in. A FILE NOT FOUND error might be seen.
A: This happens when the SAML configuration is attempted with an MSP/Multi-Org admin account. Configure SAML by using an account that exists in the Single Sign-On organization.

Other References

Get Started with Single Sign-On