Introduction
This document describes whether it is possible to change only the certificate used for SAML between AD FS and Umbrella, and what to do when the certificate has already been changed.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
If you use SAML to integrate Umbrella Dashboard logins with Active Directory Federation Services (AD FS), you occasionally need to change the certificate that AD FS uses to sign SAML responses.
If this certificate has already been changed in AD FS, Dashboard users are likely to see an error similar to the following when they try to log in to the Dashboard:
"Signature validation failed. SAML Response rejected."
Solution
The certificate is embedded in the federation metadata that is exported from your AD FS environment and uploaded to the Umbrella Dashboard during SAML setup. Umbrella validates signatures against that copy of the certificate, so once AD FS signs with a different certificate, every SAML response is rejected. There is no way to change only the certificate in the Dashboard.
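As an added diagnostic, not part of the original document, the following PowerShell, run on an AD FS server, compares the thumbprint of the token-signing certificate AD FS currently uses with the signing certificate(s) embedded in the FederationMetadata.xml you originally uploaded to Umbrella. The path .\FederationMetadata.xml is an assumed location. A mismatch confirms the cause of the error above, and the final line shows whether AD FS rotated the certificate on its own through AutoCertificateRollover.

```powershell
# Added example: confirm that AD FS now signs with a certificate that is not in the
# metadata Umbrella holds. Run on an AD FS server with the ADFS module loaded.
param(
    # Assumed path to the metadata file that was uploaded to the Umbrella Dashboard.
    [string]$MetadataPath = ".\FederationMetadata.xml"
)

# Primary token-signing certificate currently used to sign SAML responses.
$current = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$currentThumb = $current.Certificate.Thumbprint

# Signing certificate(s) recorded in the exported metadata. During an AD FS rollover the
# metadata can list both the old and the new certificate, so collect all of them.
[xml]$md = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

$metadataThumbs = foreach ($node in $md.SelectNodes($xpath, $ns)) {
    $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $cert.Thumbprint
}

"AD FS primary token-signing thumbprint : $currentThumb"
"Signing thumbprint(s) in uploaded metadata: $($metadataThumbs -join ', ')"

if ($metadataThumbs -contains $currentThumb) {
    "Match: the metadata Umbrella holds still describes the certificate AD FS signs with."
} else {
    "Mismatch: AD FS signs with a certificate Umbrella has never seen; expect 'Signature validation failed. SAML Response rejected.'"
}

# If this is $true, AD FS replaces the token-signing certificate automatically as it nears
# expiry, so the mismatch can appear without anyone deliberately changing the certificate.
"AutoCertificateRollover enabled: $((Get-AdfsProperties).AutoCertificateRollover)"
```

If the thumbprints differ, the only path back is the one described below: have Support disable SAML, then export fresh metadata from AD FS and set SAML up again.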
You also cannot disable SAML yourself, because you can no longer log in to the Dashboard. At this stage, contact Cisco Umbrella Support, who can quickly disable the SAML integration for you.
Note: When SAML is disabled, ALL Dashboard users receive a password reset email so that they can regain access to the Dashboard. Inform them about this email before Cisco Umbrella Support disables the integration, so that an unexpected password reset is not mistaken for a phishing attempt.
You can then run through the standard SAML setup steps again: export the current metadata from AD FS, which now contains the new certificate, and import it into the Dashboard.