SAML Certificate Renewal Options
Umbrella's Secure Web Gateway (SWG) supports identity management with SAML authentication through identity providers (IdPs). Some IdPs require that you periodically update the Umbrella SAML request signing certificate. If your IdP requires verification of the SAML certificate, you can configure automatic renewals of the certificate or manually import the Umbrella SAML signing certificate.
Note: Since many IdPs do not validate SAML request signatures, you may not have to renew your Umbrella SAML certificate. Contact your IdP to confirm if you need to renew your certificate.
Table of Contents
- Automatic Configuration Through the Umbrella Fixed Metadata URL
- Manual Import of the Umbrella Signing Certificate
Automatic Configuration Through the Umbrella Fixed Metadata URL
Configure your IdP to import the Umbrella SAML certificate from a fixed metadata URL without manual intervention.
Prerequisites
- An IdP that supports automatic updates of service provider metadata from a URL. Both Microsoft ADFS and Ping Identity can import the Umbrella SAML certificate from a fixed metadata URL.
- Your IdP must have access to:
  - The Umbrella metadata URL: https://api.umbrella.com/admin/v2/samlsp/certificates/Cisco_Umbrella_SP_Metadata.xml
  - The associated Certificate Authority (CA) URLs for the SAML certificate: http://r3.o.lencr.org/ and http://r3.i.lencr.org.
- Your IdP must support TLS 1.2. Umbrella requires that your IdP connect over TLS 1.2 to the Umbrella metadata URL. If your IdP application uses .NET framework 4.6.1 or earlier, you may need additional configuration. For more information, see Microsoft .NET framework's documentation.
For information about configuring Microsoft ADFS with the fixed metadata URL, see SWG SAML - Utilizing Umbrella's Fixed Metadata URL.
Manual Import of the Umbrella Signing Certificate
If your IdP does not support automatic renewal of the Umbrella SAML certificate, you must manually add the new certificate to your IdP at the time of renewal. For more information about manually importing the Umbrella certificate, see SWG SAML - Utilizing Umbrella's Fixed Metadata URL.
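The following is an added example, not Cisco's code, for checking after a renewal whether the signing certificate published at the fixed metadata URL is one your IdP has already imported. It assumes the metadata follows the standard SAML 2.0 schema (certificate inside an SPSSODescriptor KeyDescriptor); the function names are hypothetical, and the sample XML and certificate bytes are constructed.

```python
import base64, hashlib, ssl, urllib.request
import xml.etree.ElementTree as ET

METADATA_URL = ("https://api.umbrella.com/admin/v2/samlsp/certificates/"
                "Cisco_Umbrella_SP_Metadata.xml")  # URL from the page
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fetch_metadata(url=METADATA_URL, timeout=10):
    """Fetch the SP metadata, refusing anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # verifies the CA chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()

def fingerprint(der):
    """SHA-256 fingerprint of DER certificate bytes, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def signing_cert_fingerprints(metadata_xml):
    """Fingerprints of every signing certificate the metadata advertises."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute covers signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            if b64:
                found.append(fingerprint(base64.b64decode(b64)))
    return found

def needs_update(metadata_xml, idp_fingerprints):
    """True if the metadata has a signing cert the IdP has not imported."""
    known = {f.replace(":", "").lower() for f in idp_fingerprints}
    return any(fp not in known for fp in signing_cert_fingerprints(metadata_xml))

# Constructed sample: placeholder bytes stand in for real DER certificates.
OLD_DER, NEW_DER = b"constructed-old-cert", b"constructed-new-cert"
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example/constructed"><md:SPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(NEW_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:SPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print("IdP still on old cert:", needs_update(SAMPLE, [fingerprint(OLD_DER)]))
    print("IdP on current cert:", needs_update(SAMPLE, [fingerprint(NEW_DER)]))
```

Against the live service, pass the result of `fetch_metadata()` to `needs_update()` together with the SHA-256 fingerprints your IdP shows for the Umbrella relying party.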