SAML single sign-on (SSO) authentication for logging into the Umbrella dashboard is a separate topic. For information on configuring SAML SSO, see Enable Single Sign-On.
Because Umbrella is not an open proxy, Umbrella must trust the source forwarding web traffic to it. This can be accomplished by assigning either a Network or Tunnel identity to a ruleset of the Web policy. Rulesets created in this fashion apply broadly to any web traffic originating from the network or tunnel. However, to create more granular policies for users or groups, SAML can be implemented.
Traffic to gateway.id.swg.umbrella.com must be sent to the Umbrella secure web gateway (SWG) and not directly to the internet.
Identities obtained from SAML can be matched to users and groups that have been provisioned either manually, by importing a CSV file from Active Directory (AD), or automatically, by using AD-based provisioning with the Umbrella AD Connector.
When configuring a ruleset for the Web policy to obtain the identity through SAML, you must enable both SAML and HTTPS inspection. HTTPS inspection is required because Umbrella needs to see inside HTTPS traffic to read the SAML cookie that acts as the authentication token/surrogate. Umbrella also requires that you install a root certificate on all client machines egressing from networks or tunnels where SAML is enabled. For more information about the Web policy, see [Add a Ruleset to Umbrella's Web Policy](doc:add-a-rules-based-policy).
- SAML metadata must have a signing key.
- If you are using an on-premises IdP such as ADFS, ensure that traffic to the IdP bypasses the proxy to avoid an authentication loop.
- Configure SAML with your Identity Provider (IdP) that supports SAML 2.0 POST profiles.
- Download your IdP's metadata file in XML format.
- Configure the Connector for automatic provisioning of users and groups. For more information about configuring the Connector, see the Active Directory Setup Guide.
- Export your Active Directory user and group objects to a CSV file. We recommend using CSVDE.EXE from a domain controller. Refer to Microsoft's documentation for instructions on using this utility, Command-Line Reference: Csvde.