Login

Cisco Security Cloud Control Administration Guide

About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
Platform Services for all Products
- Manage Security Devices
- Manage Objects
- Global Search
  - Initiate Full Indexing
  - Perform a Global Search
- Preview and Deploy Configuration Changes for All Devices
- Additional Configuration Assistance
- Integrate Identity Services Engine with Security Cloud Control
- Organization Notification Settings
- Security Cloud Control Platform Navigator
- Give us your Feedback
Managing Organizations
- Setting a Region for an Organization
- Create an Organization
- Rename an organization
- Switch organizations
- Cisco Support Access to your Organization
  - Enable Cisco Support Access
  - Disable support access
Managing Products and Subscriptions
- Overview of Subscription Process
- Single Product Instance in an Organization
- Claim a Subscription
- Activate a Product Instance
  - Activate an Inactive Product Instance
  - Activate an Externally Managed Product Instance
  - Activation Code to Activate Externally Managed Product Instance
  - Activate a Product Instance with Further Inputs
- View Product Subscription Details
- Deactivate a Product Instance
Onboard Devices to Security Cloud Control
- Secure ASA Onboarding Methods
- Secure Firewall Threat Defense Onboarding Methods
- On-Premises Firewall Management Center Onboarding Methods
- Meraki Security Appliance Onboarding Methods
- Cisco IOS Device Onboarding Methods
- Secure Firewall Chassis Manager Onboarding Methods
- AWS Virtual Private Cloud Onboarding Methods
- Cisco Umbrella Organization Onboarding Methods
Managing Role-Based Access Control
- Role-Based Access Control in an Organization
  - Managing Users
  - Managing Groups
  - Managing Roles
- Invite a User
- Import Users
- View or Find Users
- Edit a User Name
- Assign Roles to a User
- Add a User to Groups
- Assign Roles to Existing Users
- Remove Role Assignments
- Create a Custom Role
- Edit a Custom Role
- Delete a Custom Role
- Custom Role for Cisco Secure Workload
- Reset Multifactor Authentication Settings
- Reset User Password
- Disable a User Account
- Restore a User Account
- Remove a User Account
- Create a New Group
- Edit a Group Name
- Add Users to a Group
- Assign Roles to Groups
- Remove users from a group
- Delete a Group
- Manage Role Delegation
- Logging the Events
  - View the Activity Log
Managing Domains
- Overview
- Claim and verify a domain
Managing Identity Provider Group Mapping
- Identity Provider Group Map
- Map Identity Provider Group
- Edit an identity provider group mapping
- Link an External Identity Provider
- Delink an External Identity Provider
Integrating Identity Providers
- Prerequisites
- SAML Response Requirements
- Step 1: Initial setup
- Step 2: Provide Security Cloud SAML metadata to your identity provider
- Step 3: Provide SAML metadata from your IdP to Security Cloud
- Step 4: Test your SAML integration
- Step 5: Activate the integration
- Troubleshooting SAML errors
Identity Service Provider Instructions
- Integrating Auth0 with Security Cloud Sign On
- Integrating Microsoft Entra ID with Security Cloud Sign On
- Integrating Duo with Security Cloud Sign On
- Integrating Google Identity with Security Cloud Sign On
- Integrating Okta with Security Cloud Sign On
- Integrating Ping Identity with Security Cloud Sign On

Platform Secure Firewall Threat Defense Virtual

Activity Manage

Integrating Identity Providers Step 2: Provide Security Cloud SAML metadata to your identity provider

Last updated: Jul 17, 2025

Step 2: Provide Security Cloud SAML metadata to your identity provider

In this step you'll configure your identity provider's SAML application with the SAML metadata and signing certificate provided by Security Cloud Control. This includes the following:

Single Sign-On Service URL – Also called the Assertion Consumer Service (ACS) URL, this is the where your identity provider sends its SAML response after authenticating a user.
Entity ID – Also called Audience URI, this uniquely identifies Security Cloud Sign On to your identity provider.
Signing certificate – The X.509 signing certificate your identity provider uses to verify the signature sent by Security Cloud Sign On in authentication requests.

Security Cloud provides this information in a single SAML metadata file that you can upload to your identity provider (if supported), and as individual values, you can copy and paste. See Identity Service Provider Instructions for steps specific to several commercially available identity service providers.

Procedure

1	From the Identity Providers > Edit identity provider > Configure page, download the SAML metadata file if your identity provider supports it; otherwise, copy the Single Sign-On Service and Entity ID values, and download the Public certificate.
2	On your identity provider, open the SAML application that you want to integrate with Security Cloud Sign On.
3	If supported by your provider, upload the SAML metadata file; otherwise, copy and paste the required Security Cloud Sign On SAML URIs into the corresponding configuration fields in your SAML application, and upload Security Cloud Sign On public signing certificate.
4	Configure your SAML application with the Security Cloud Sign On SAML metadata that you obtained in the previous step, either by importing the XML metadata file or manually entering the SSO Service URL and Entity ID values, and uploading the public signing certificate.
5	Return to Security Cloud Control and click Next.

What to do next

Next you'll provide Security Cloud Control with the corresponding metadata for your identity provider's SAML application.

Previous topic Step 1: Initial setup Next topic Step 3: Provide SAML metadata from your IdP to Security Cloud