Get Started with Single Sign-On

Umbrella supports Security Assertion Markup Language (SAML) for authentication. This allows you to provide single sign-on (SSO) access to your Umbrella dashboard.

SAML works for Umbrella the same way SAML does with all other service providers. From a high level, all the users in your organization have their authentication managed by the SSO, or identity provider (IdP). Umbrella establishes a trust relationship with the IdP and then allows them to authenticate and seamlessly log into Umbrella. Effectively, once a user has authenticated to the SSO IdP, they can automatically log in via the app (in the case of an IdP service).

Any changes made in your SSO provider are immediately synced with Umbrella. If you add an account or change a password in your SSO provider, it is immediately reflected in your login. Only the username (email address) is stored in Umbrella; however, the email must match your SSO provider and the one used to log in to Umbrella.

Note: SSO for Umbrella is only tied to authentication to the dashboard. It is not tied to the authorization for a user's access level within the Umbrella dashboard, such as whether the user is an Administrator or a Read-Only user. For more information about user roles, see Manage User Roles.


Note: SAML will not work with AnyConnect Roaming Security Module and SWG. AnyConnect will not redirect to the IDP.

How SSO Changes Logging In

By changing the way in which users log into Umbrella, several key things will happen that you should be aware of.

  • Block Page Bypass (BPB) Users will no longer work to bypass block pages or authenticate in any capacity to Umbrella. A BPB user is a user just like any other in Umbrella, but because of the way authentication is handled by SSO, it cannot be used to bypass block pages. Instead, you must use BPB codes. For more information, see Setting up a Block Page, a Block Page Bypass User, and a Block Page Bypass Code.
  • If you update dynamic IPs, you will no longer be able to use the Updater client. Instead, cURL or wget can be used along with an update-only password, which can be generated by Support. For more information, see Cisco Umbrella Dynamic Update API. To acquire an update-only password, contact Support at [email protected].
  • When you enable SSO, every user with an account in your Umbrella organization will receive an email informing them to log in through your SSO provider. Only make the change when your organization's staff is ready to commit to the change.
  • If a user is not configured in your SSO provider, they will not be able to log in until they are added to your SSO provider. Ensure that every user that needs to log in to the Umbrella dashboard is added to your SSO provider.
  • If you disable SSO, every user of your Umbrella organization will receive an email asking them to reset their passwords. Previous passwords are not stored and must be reset.
  • Changes to SSO cannot be made without disabling and re-enabling SSO.

Disable Two-Step Verification < Get Started with Single Sign-On > Enable SSO with Duo