Cisco Umbrella seems to have updated SAML endpoints, can't sign in

ac513
Level 1

For a few years we've been doing SAML authentication to Azure AD for Cisco Umbrella. Logins have worked fine through https://login.umbrella.com/sso or the Azure AD URL of https://myapps.microsoft.com/signin/[appId]?tenantId=[ourtenant]. Logged in successfully last Thursday.


Tried to log in today, and https://login.umbrella.com/sso now seems to redirect to https://login.opendns.com/sso. SSO through this endpoint obviously is not working.


I hadn't gotten any alerts from Cisco that these endpoints were changing to reflect OpenDNS's domain. In fact, I just renewed our signing cert & refreshed metadata between Umbrella and Azure AD back in July... No mention of new URLs at all.


So we're now effectively locked out of our admin UI. Creating a TAC case now to see about getting back in.

Anyone else experiencing this?

EDIT: This self-resolved sometime today. (12SEP2023) Umbrella's SSO page still redirected to an OpenDNS SSO page at start of business today. But then SSO to Azure AD began working correctly when I last tried 10 minutes ago while attempting to get some screenshots. Guessing this may have been premature DNS changes?

1 Reply

ac513
Level 1

This self-resolved sometime today. (12SEP2023) Umbrella's SSO page still redirected to an OpenDNS SSO page at start of business today. But then SSO to Azure AD began working correctly when I last tried 10 minutes ago while attempting to get some screenshots. Guessing this may have been premature DNS changes?

Also, on this subject -- Am I missing something or can we not create non-SSO user accounts for break-glass scenarios? I didn't see it long ago, and I still don't see such an option. Any user we create is under the scope of SSO, so if there's weirdness on that front like in this post, we're locked out.