kwelkerm
Cisco Employee

Updated SAML Certificate for SWG User Identity is now available!

The Umbrella SAML certificate used for SWG User Identification will expire on May 13, 2025, 07:00:46 UTC. You must update your identity provider (IdP) with the new Umbrella SAML certificate before that time.

Updating this certificate is essential to avoid SAML user authentication failures and loss of internet access for these users, unless your IdP has already been configured to monitor the Umbrella SAML metadata URL provided below.

Download the updated SAML Metadata: 

https://api.umbrella.com/admin/v2/samlsp/certificates/Cisco_Umbrella_SP_Metadata.xml

Download the updated SAML Certificate:

https://api.umbrella.com/admin/v2/samlsp/certificates/Cisco_SP_Signing_Certificate_Apr2025.cer 

The metadata has been updated and includes both the current and the new signing certificate. At expiration of the current certificate, the new certificate will be used for signing. DO NOT delete any current certificates. Umbrella continues signing with the old certificate until the time of expiration.

This is an annual task, and the Umbrella metadata URL remains constant from previous years. When the certificate is renewed, we will update the metadata without changing the URL. This approach will support those identity providers, like ADFS and Ping Identity, that can monitor the relying party metadata URL and automatically update when the relying party metadata is updated with a new certificate.

For more information on renewal options, see https://support.umbrella.com/hc/en-us/articles/7079352658964

Note:

  • Some Identity Providers do not perform validation of SAML request signatures and therefore do not require our new certificate. If in doubt, please contact your Identity Provider vendor for confirmation.

  • If you use the Org-Specific EntityID feature of Umbrella SAML, you must not use URL-based metadata updates. Org-Specific EntityID only applies if you have multiple Umbrella orgs linked to the same identity provider. In this scenario, you should manually add the new certificate to each IdP configuration.

If you have any questions, please contact support.
