Login

Security Cloud Control Getting Started Guide for Existing Customers

Before you Begin
- Is This Guide For you
- About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
- Getting Started Workflow
Signing in to Security Cloud Control
- Signing in to Security Cloud Control
- Overview of Security Cloud Sign On
- Products Supported by Security Cloud Sign On
- Creating a Security Cloud Sign On Account
Your Landing Page
- Set Your Default Landing Page
Organizations and Regions
- Create an Organization
Add a Domain
- Claim and verify a domain
Integrate an Identity Provider
- Prerequisites
- SAML Response Requirements
- Step 1: Initial setup
- Step 2: Provide Security Cloud SAML metadata to your identity provider
- Step 3: Provide SAML metadata from your IdP to Security Cloud
- Step 4: Test your SAML integration
- Step 5: Activate the integration
- Troubleshooting SAML errors
Role-Based Access Control (RBAC)
- Role-Based Access Control in an Organization
- Invite a User
- Import Users
- Create a New Group
- Add Users to a Group
- Assign Roles to Groups
Claim Your Product Subscriptions
- Overview of Subscription Process
- Enable Firewall in Security Cloud Control
- Claim a Subscription
- Activate a Product Instance
  - Activate an Inactive Product Instance
  - Activate an Externally Managed Product Instance
  - Activation Code to Activate Externally Managed Product Instance
  - Activate a Product Instance with Further Inputs
Onboard Devices to Security Cloud Control
- Secure ASA Onboarding Methods
- Secure Firewall Threat Defense Onboarding Methods
- On-Premises Firewall Management Center Onboarding Methods
- Meraki Security Appliance Onboarding Methods
- Cisco IOS Device Onboarding Methods
- Secure Firewall Chassis Manager Onboarding Methods
- AWS Virtual Private Cloud Onboarding Methods
- Cisco Umbrella Organization Onboarding Methods
Next Steps
- Additional Configuration Assistance
Additional Documentation and Support
- AI Defense Documentation
- Firewall in Security Cloud Control Documentation
- Multicloud Defense Documentation
- Secure Access Documentation
- Secure Workload Documentation
- Customer Support Resources
Cisco Support Access
- Cisco Support Access to your Organization
- Enable Cisco Support Access

Activity Onboard

Integrate an Identity Provider Troubleshooting SAML errors

Last updated: Jul 16, 2025

Troubleshooting SAML errors

If you get an HTTP 400 error when testing your IdP integration, try the following troubleshooting steps.

Check that the user's sign-on email domain matches the claimed domain: Ensure the email domain of the user account you're using to test matches your claimed domain.
For instance, if you claimed a top-level domain, such as example.com, then users must sign in with <username>@example.com and not <username>@signon.example.com.

Check that the user is signing in through their identity provider: Users must authenticate through the integrated identity provider. An HTTP 400 error is returned if a user signs in using the Cisco or Microsoft social sign-in options or attempts to sign in directly through Okta.

Check that the <NameID> element in the SAML response is an email address: The value of the <NameId> element in the SAML response must be an email address. The email address must match the email specified in the user's SAML attributes. See SAML Response Requirements for details.

Check that the SAML response contains the correct attribute claims: The SAML response from your IdP to Security Cloud Sign On includes the required user attributes: firstName, lastName, and email. See SAML Response Requirements for details.

Check that the SAML response from your IdP is signed with SHA-256: SAML response from your identity provider must be signed with the SHA-256 signature algorithm. Security Cloud Sign On rejects assertions that are unsigned or signed with another algorithm.

Previous topic Step 5: Activate the integration Next topic Role-Based Access Control (RBAC)