Configure Duo Security for Cisco Umbrella SAML

Duo Security for SAML configuration can be authenticated in one of the following ways:

  • Upload the identity provider's (IdP) metadata file
  • Manually configure IdP fields

Table of Contents


  • Cisco Duo Single Sign On (SSO) must be enabled and configured. For more information, see Duo Single Sign-On.
  • must be sent to the Umbrella secure web gateway (SWG) and not sent directly to the internet.
  • SAML metadata must have a signing key.
  • Ensure that your IDP Endpoint—the URL used to communicate with your identity provider—bypasses the Umbrella proxy to avoid an authentication loop.
  • Configure SAML with your identity provider (IdP) that supports SAML 2.0 POST profiles.
  • Download your IdP's metadata file in XML format.
  • Enable cookies for your browser.
  • Enable SAML and HTTPS inspection on a Ruleset that includes the Network and Tunnel identities from which the user traffic arrives.

Configure Cisco Duo Single Sign On (SSO) Application

  1. Log in to the Duo admin portal, navigate to Applications, and click Protect an Application.
  2. Search for Cisco Umbrella (End Users) with the protection type 2FA with SSO hosted by Duo (Single Sign-On).
  3. Click Protect to start configuring Cisco Umbrella (End Users).
  4. Umbrella uses the Mail attribute, Username attribute, First name attribute, Last name attribute, and Display name attribute when authenticating. Duo allows you to choose either Active Directory or a SAML Identity Provider as your Duo Single Sign-On supported authentication source attributes. Configure Umbrella using your chosen Duo SSO supported authentication source attributes, which can be mapped to the Bridge Attributes as follows:
Bridge AttributeActive DirectorySAML IdP
<Display Name>displayNameDisplayName
<Email Address>mailEmail
<First Name>givenNameFirstName
<Last Name>snLastName
  1. If you are using non-standard attributes for your authentication source, check the Custom attributes box and enter the name of the attributes you wish to use instead.
  1. You can adjust additional settings for your new SAML application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy.
  2. Navigate to Downloads and click Download XML to download the Duo Security XML file.

Configure Cisco Umbrella for SAML with Metadata Upload

  1. Navigate to Deployments > Configuration > SAML Configuration and click Add.
  1. Click the Duo Security radio button, toggle the Organization-specific Entity ID Enabled button to enable the entity ID, then click Next.
  1. Click the XML File Upload radio button, and then click Next.
  1. Upload your Duo Security metadata file in XML format and click Next.
  1. Choose how often Umbrella re-authenticates the users from the Re-authenticate Web Proxy Users drop-down list. Make sure Daily is selected.
  1. Click Save. Your new configuration appears as SAML Web Proxy Configuration.

Configure AD FS for SAML < Configure Duo Security for Cisco Umbrella SAML > Configure PingID for SAML