Integrate Umbrella with NetIQ for SSO with SAML

Available Languages

Download Options

  • PDF     (748.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (895.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (855.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 14, 2025
Document ID:225213

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to integrate Cisco Umbrella with NetIQ for Single Sign-on (SSO) with SAML.

    Overview of Umbrella SAML Integration for NetIQ

    Configuring SAML with NetIQ differs from our other SAML integrations as it is not a one or two click process in the wizard, but requires changes in NetIQ to work correctly. This document describes the detailed modifications you need to make in order to get SAML and NetIQ working together. As such, this information is provided "as is" and was developed in conjunction with existing customers. Available support for this solution is limited and Cisco Umbrella support is unable to assist beyond the general outline given here.

    For more information on how SAML integration works with Umbrella, read our review here: Get Started with Single Sign-On.

    Integrate Umbrella with NetIQ for SSO with SAML - SAML 2.0 tab115000348788

    Prerequisites

    You can find steps to get through the initial SAML setup here: Identity Integrations: Prerequisites. Once you complete those steps which include downloading the Cisco Umbrella metadata, you can continue using these NetIQ specific instructions to complete the configuration.

    The metadata can be found in the Cisco Umbrella SAML setup wizard (Settings > Authentication > SAML).

    Integrate Umbrella with NetIQ for SSO with SAML - step 2 OpenDNS Metadata115001332488

    Import Metadata and Cisco Umbrella Certificate

    1. Open the Cisco Umbrella metadata (downloaded in the prerequisites) in a text editor and extract the X509 certificate. The certificate begins with ds:X509Certificate and ends with /ds:X509Certificate - just copy from the very beginning to the end.
    2. Save this new file as CiscoUmbrella.cer.
    3. Convert the x509 certificate to PKCS7 / PEM. Methods for this vary, but this command does the trick: openssl x509 -in CiscoUmbrella.cer -out CiscoUmbrella.pem -outform PEM
    4. In NetIQ, launch NAM under Trusted Roots.
    5. Select New > Browse and import CiscoUmbrella.pem.

      Integrate Umbrella with NetIQ for SSO with SAML - import certificate115000349367

    Create an Attribute Group

    1. Go to Identity Servers > NetIQ NAM.
    2. Click Attribute Sets.
    3. Select New and map the LDAP Attributes:

      Integrate Umbrella with NetIQ for SSO with SAML - Mapping Local Attributes115000349567

    Create a New Trust Provider

    1. Go to the IDP General Tab and select SAML 2.0.
    2. Select Create New Trust Provider.

      Integrate Umbrella with NetIQ for SSO with SAML - SAML 2.0 tab115000348788

      Integrate Umbrella with NetIQ for SSO with SAML - Configuration for trust115000349827

    3. Select the Attribute you just created and choose Send with Authentication. For Authentication Response choose Post Binding, Persistent, Transient, and Unspecified.
    4. Select LDAP Attribute: mail [LDAP Attribute Profile] and make it default.

      Integrate Umbrella with NetIQ for SSO with SAML - Configuration for authentication response115000355688

    5. Navigate to to Configuration > Intersite Transfer Service. Give it a name like Cisco Umbrella SAML and add the Cisco Umbrella SSO login URL as a Target (https://login.umbrella.com/sso).

      Integrate Umbrella with NetIQ for SSO with SAML - Configuration for intersite transfer service115000356827

    6. Go to Configuration > Options and choose Kerberos as the Selected contracts:

      Integrate Umbrella with NetIQ for SSO with SAML - Configuration options115000356068

    7. Open the Cisco Umbrella Metadata file. Update the EntityDescription field vaildUntil date to a future data, such as 2020-12-10T20:50:59Z (as shown in the screenshot).
    8. Go back to NetIQ > Metadata and import the updated metadata file.

      Integrate Umbrella with NetIQ for SSO with SAML - Metadata view115000357147

    9. Add a class to the assertion. The Cisco Umbrella assertion requires the class urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    10. Go to Local > Contracts and select Secure Name/Password and add to Allowable Class field, then add the class above:

      Integrate Umbrella with NetIQ for SSO with SAML - secure name/password115000357247

    11. Update Identity Services and Access Gateways to ensure they are valid and up to date, then download the NetIQ metadata.
    12. Use the downloaded metadata to run through the Cisco Umbrella "Other" SAML wizard. Step 3 is where you are asked to upload the metadata:

      Integrate Umbrella with NetIQ for SSO with SAML - step 3 Upload Metadata115001186107

    Revision History

    Revision Publish Date Comments
    1.0
    14-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products