
Cisco Umbrella SAML integration

Cisco Umbrella offers flexible, cloud-delivered security. It combines multiple security functions into one solution, so you can extend data protection to devices, remote users, and distributed locations anywhere. Arculix by SecureAuth offers a simple method for adding MFA to Cisco Umbrella through its SAML solution.

Multi-Factor Authentication (MFA) is an extra layer of security used when logging in to websites or apps. Users are authenticated through more than one required security and validation procedure, each relying on something that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.


  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for Cisco Umbrella.

  • The address must be sent to the Umbrella secure web gateway (SWG) and not sent directly to the internet.

  • Ensure that the Arculix URL bypasses the Umbrella proxy to avoid an authentication loop.

  • Enable SAML and HTTPS inspection on a ruleset that includes the Network and Tunnel identities from which the user traffic arrives.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for Cisco Umbrella and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

  3. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Cisco Umbrella.


    Set to SAML Service Provider.

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID 

    Enter the Entity ID for Cisco Umbrella.

    By default, this ID should be


    You can check this URL in the Cisco Umbrella SAML metadata.

    Log in URL 

    Enter the Log In URL for Cisco Umbrella.

    By default, it should be


    You can check this URL in the Cisco Umbrella SAML metadata.

    NameID Format 

    Set to Email Address.

    Name Identifier 

    Set to Email.

    ACS URL 

    Enter the SAML consumer URL provided for Cisco Umbrella.

    For example,


    You can check this URL in the Cisco Umbrella SAML metadata.


    Set the algorithm to SHA256.

  5. Save your changes.

Cisco Umbrella configuration

In this section, you'll configure Cisco Umbrella as a service provider (SP).

  1. Download the SAML metadata and certificate for your organization from Arculix.

    Metadata download:<myorganization>/saml/download/metadata

    View metadata:<myorganization>/saml/metadata

  2. Log in to Cisco Umbrella with an administrative account.

  3. On the left side, click Admin > Authentication.

  4. On the SAML Dashboard User Configuration page, click ENABLE SAML.

  5. Select the Other option, then NEXT.

  6. You can either download the Cisco Umbrella SAML metadata or copy the metadata from the text box and click NEXT.

    Make sure the data you specified in the previous section matches the text that appears in this box.

  7. Select the XML File Upload option, upload the Arculix metadata, then click NEXT.

  8. To verify your configuration and SAML metadata, click TEST CONFIGURATION.

  9. A new window displays a QR code. Scan the QR code; you should then see a success message.

  10. Click NEXT.

  11. On the Save and Notify page, select both check boxes, and click SAVE AND NOTIFY USERS.
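Step 6 asks you to confirm that the values entered in Arculix match the Cisco Umbrella SAML metadata. The following Python check is an added example, not part of the SecureAuth or Cisco documentation: it reads the Entity ID, ACS URL, and NameID format from a downloaded SP metadata file and reports any mismatch with the IdP settings. The sample metadata and its `example.invalid` URLs are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample; the example.invalid URLs are placeholders, not Umbrella's real values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/sso">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/sso/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract the values the IdP application form asks for from SP metadata."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata needs no DTD; refuse entity definitions
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("expected a single md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    return {"entity_id": root.get("entityID"), "acs_urls": acs, "nameid_formats": formats}


def compare_to_idp_config(meta, entity_id, acs_url):
    """Return a list of mismatches; an empty list means the IdP values match."""
    problems = []
    # Compare exactly: a trailing slash or case difference breaks SAML matching.
    if meta["entity_id"] != entity_id:
        problems.append("entity_id: metadata %r != configured %r" % (meta["entity_id"], entity_id))
    if acs_url not in meta["acs_urls"]:
        problems.append("acs_url: %r not among metadata POST endpoints %r" % (acs_url, meta["acs_urls"]))
    if not acs_url.startswith("https://"):
        problems.append("acs_url: assertions would be posted over a non-HTTPS URL")
    if meta["nameid_formats"] and EMAIL_FORMAT not in meta["nameid_formats"]:
        problems.append("nameid_format: SP does not list the Email Address format")
    return problems
```

Run `compare_to_idp_config(parse_sp_metadata(open(path).read()), entity_id, acs_url)` with the values typed into the Arculix form; fix any reported mismatch before clicking TEST CONFIGURATION.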


Test your application integration

  1. Go to the Cisco Umbrella SSO page, enter your email, and click LOG IN.

  2. You will be redirected to the Arculix SSO page.

  3. After successful authentication, select your preferred MFA method to approve access to the Cisco Umbrella application.

  4. You will be redirected and logged in to Cisco Umbrella.


If you have questions or need assistance, contact SecureAuth Support.




All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.