Understand Additional Steps for Enabling AD Connector-Synced Web SAML Users

Available Languages

Download Options

  • PDF     (8.3 KB)
    View with Adobe Reader on a variety of devices
Updated:September 10, 2025
Document ID:224859

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes what additional steps are needed after enabling AD Connector-Synced Web SAML Users.

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on Umbrella Secure Internet Gateway (SIG).

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Overview

    This article refers to the setup process of provisioning SAML bypass in the Secure Web Gateway for your Active Directory users. This is accomplished with the steps in the Umbrella documentation: Provision Users to Umbrella Automatically Using AD Connector Based Provisioning.

    This article serves as a troubleshooting guide for adding users into your Web policies.  

    Common Issues and Additional Resources

    The most common issue with adding AD Connector provisioned AD users for your web policies is during the initial setup. As noted in the provisioning documentation linked here and earlier, a connector restart for every AD Connector deployed to your organization is required before AD users are expected to appear in your dashboard.

    Issues can appear as:

    Fewer AD Users Appear in Web Policies than DNS Policies

    • This is due to AD Connector only sending a change-only directory sync. This is standard connector operation.
    • To resolve, delete the domainname.data file in Program Files (x86)\OpenDNS\ for the AD Connector and restart the connector services on all AD Connectors on your organization.
    • This forces a full AD Tree sync. Wait 6 hours for the tree sync to finish.

    No AD Users on Web Policy, Users on DNS Policies

    • Perform the steps from the "Fewer AD users" section earlier.

    No AD Users on Web or DNS Policies

    • Ensure an AD connector is provisioned fully with the steps in the Umbrella documentation.
    • Contact Umbrella Support if you are experiencing any difficulties.

    No "Default Web Policy"

    • Contact Umbrella Support as soon as possible.

    Revision History

    Revision Publish Date Comments
    1.0
    11-Sep-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products