Prerequisites
To configure SAML integration, the following requirements must be met.
- id.swg.umbrella.com must be sent to the Umbrella secure web gateway (SWG) and not sent directly to the internet.
- SAML metadata must have a signing key.
- If you are using an on-premises identity provider (IdP) such as ADFS, ensure that traffic to the IdP bypasses the proxy to avoid an authentication loop.
- Configure SAML with your identity provider (IdP) that supports SAML 2.0 POST profiles.
- Download your IdP's metadata file in XML format.
- Enable cookies for your browser.
- Enable SAML and HTTPS inspection on a Ruleset that includes the Network and Tunnel identities from which the user traffic arrives.
This Ruleset will initially match and result in the SAML challenge being initiated. The user identity will be obtained after which, the web policy will be re-evaluated again, top down, but this time with the user and group identities included. The first Ruleset to match based on the identities will be applied. Typically, there are two approaches to creating the policy that include users/group:
Example 1
- Ruleset with users and group identities
- Rules based user/group identities
- Ruleset with tunnel and network identities (HTTPS and SAML enabled)
- Rules based on Network/Tunnel identities
Example 2
- Ruleset with Network/Tunnel and User/Group identities (HTTPS and SAML enabled)
- Rules based user/group identities
- Rules based on Network/Tunnel identities
In both examples, the Ruleset with the Network/Tunnel identities will match first. The SAML challenge will be sent, user identities obtained and, the policy re-evaluated but this time with the additional user/group identities. The first Ruleset to match, top down, will be the one applied.
Note: AnyConnect sends the logged-on user identity along with the web request. Since the user identity is already available the SAML challenge is not sent. The policy can be evaluated the first time around.
Configure SAML Integrations < Prerequisites > SAML Certificate Renewal Options
Updated about 1 year ago