Configure SAML Authentication for SWG with ADFS and UPN

Available Languages

Download Options

  • PDF     (26.4 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (102.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (147.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 29, 2025
Document ID:225086

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure SAML authentication for Secure Web Gateway (SWG) using Active Directory Federated Services (ADFS).

    Requirement for SAML Authentication

    Umbrella SAML authentication requires the SAML response to include the end user’s userPrincipalName (for example, user@domain.local) as the Name ID claim. This requirement applies to all Identity Providers. Some, such as ADFS, require manual configuration to include this attribute.

    Configuration Steps in ADFS

    1. In ADFS, select theRelying Party Trustcreated for Umbrella underADFS > Relying Party Trusts.
    2. ClickEdit Claim Issuance Policy.
    3. Add a new rule using the claim templateSend LDAP Attribute as claims.
    4. Configure the rule to map the LDAP attributeuserPrincipalNameto the SAML outgoing claim typeName ID.
      Screenshot_2021-10-20_at_12.33.50.pngScreenshot_2021-10-20_at_12.33.50.png
    5. Save the configuration.


    UPN Versus E-Mail Address

    A user’s UPN (for example, user@domain.local) often matches the user’s e-mail address. In some environments, the e-mail address (for example, user@externaldomain.tld) differs from the UPN.

    • Umbrella requires the Identity Provider to send theName IDclaim with the UPN value.
    • This must match the username provisioned inDeployments > Users and Groupsin Umbrella.
    • Umbrella user provisioning tools (such as the AD Connector) identify users by their UPN.

    Revision History

    Revision Publish Date Comments
    1.0
    01-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products