Configure SAML for Multiple EntityIDs

When you have multiple Umbrella orgs and need to configure SAML for Umbrella SWG for these orgs against the same Identity Provider (IdP), some IdPs may not allow this configuration. This is because the Umbrella SAML configuration has a default common EntityID of saml.gateway.id.swg.umbrella.com. Umbrella allows you to override the SAML EntityID on a per-org basis.

Table of Contents

• Prerequisites
• Configure SAML for Multiple EntityIDs with Metadata Upload
• Configure SAML for Multiple EntityIDs Manually

Prerequisites

• id.swg.umbrella.com must be sent to the Umbrella secure web gateway (SWG) and not sent directly to the internet.
• SAML metadata must have a signing key.
• If you are using an on-premises identity provider (IdP) such as ADFS, ensure that traffic to the IdP bypasses the proxy to avoid an authentication loop.
• Configure SAML with your identity provider (IdP) that supports SAML 2.0 POST profiles.
• Download your IdP's metadata file in XML format.
• Enable cookies for your browser.
• Enable SAML and HTTPS inspection on a Ruleset that includes the Network and Tunnel identities from which the user traffic arrives.

Configure SAML for Multiple EntityIDs with Metadata Upload

1. Navigate to Deployments > Configuration > SAML Configuration and click Add.

2. Select the IdP you want to configure for multiple orgs, click the Org-specific Entity ID, and click Next.

3. Download the Umbrella metadata file (SP metadata file), choose XML file Upload, and click Next.
   Note: The Umbrella metadata file still contains the global EntityID (saml.gateway.id.swg.umbrella.com) and not the org-specific EntityID.

4. Upload your IdP's metadata file in XML format and click Next.

5. From the Re-Authenticate Users drop-down list, choose how often Umbrella re-authenticates users: Never, Daily, Weekly, or Monthly.

6. Click Save.
7. Update the Entity ID in your IdP to match the org-specific Entity ID.
   The Umbrella metadata file download contains the global EntityID only (saml.gateway.id.swg.umbrella.com), however, after the configuration is complete, Umbrella displays the org-specific Entity ID for this IdP. Copy and paste this into your IdP for the Entity ID.

Configure SAML for Multiple EntityIDs Manually

1. Navigate to Deployments > Configuration > SAML Configuration and click Add.

2. Select the IdP you want to configure for multiple orgs, click the Org-specific Entity ID, and click Next.

3. Download the Umbrella metadata file (SP metadata file), choose Manual Configuration, and click Next.
   Note: The Umbrella metadata file still contains the global EntityID (saml.gateway.id.swg.umbrella.com) and not the org-specific EntityID.

4. Enter the appropriate information to configure the IdP's metadata and click Next.

• Entity ID—A globally unique name for an identity provider
• Endpoint—The URL used to communicate with your identity provider.
• Signing Keys—Your identity provider’s x.509 certificate used to sign the authentication request.
• Signed Authentication Request (optional)—You can sign the authentication request for this IdP.

5. Click Save.
6. Update the Entity ID in your IdP to match the org-specific Entity ID.
   The Umbrella metadata file download contains the global EntityID only (saml.gateway.id.swg.umbrella.com), however, after the configuration is complete, Umbrella displays the org-specific Entity ID for this IdP. Copy and paste this into your IdP for the Entity ID.

Enable IP Surrogates for SAML < Configure SAML for Multiple EntityIDs > Provision Identities from Active Directory