topic Re: Dashboard SSO - AzureAD & External Guest Users in Cloud Networking Platform

Dashboard SSO - AzureAD & External Guest Users

Christian_S — Thu, 09 May 2024 18:03:19 GMT

We are running into an issue where some of our guest users (vendors) can't access our tenant via SSO. SSO works flawless for a handful of our vendors that do not use AzureAD and their guest accounts show up as username#EXT#@domain.onmicrosoft.com in the SAML sign in logs. However, the accounts that do have Microsoft accounts and use Meraki at their company, show up as their normal username@domain.com address and will get the login error of "Found existing non-saml user with email username@domain.com". Even though they are not an admin in my tenant, I assume that error is somehow seeing their email in their tenant.

What can I change in my SAML config in Azure Apps to prevent this from happening? Setting the user up as a non-saml administrator is not an option in this case.

Current configuration:

Re: Dashboard SSO - AzureAD & External Guest Users

aleabrahao — Thu, 09 May 2024 18:10:49 GMT

Here you can find some possible solutions.

single sign on - How to configuring Azure AD sso to allow guest logins - Stack Overflow

Customize SAML token claims - Microsoft identity platform | Microsoft Learn

Re: Dashboard SSO - AzureAD & External Guest Users

Christian_S — Thu, 09 May 2024 18:14:35 GMT

I appreciate the quick response. The first link doesn't help as we already have guest users who CAN sign in. The issue is specific to a certain type of user as mentioned above.

I am currently reviewing the second documentation.

Re: Dashboard SSO - AzureAD & External Guest Users

Philip D'Ath — Thu, 09 May 2024 20:26:17 GMT

This is a very common issue. I tend to fix it by changing the "username" attribute to "user.displayname".

Re: Dashboard SSO - AzureAD & External Guest Users

matt_uc — Thu, 09 May 2024 20:27:32 GMT

You can't have a SAML user where their email is the same as an email account being used on the Meraki Dashboard, it is not supported.

Re: Dashboard SSO - AzureAD & External Guest Users

Christian_S — Thu, 09 May 2024 20:27:45 GMT

Oo! Let me give that a shot and I will report back. Thank you!

Re: Dashboard SSO - AzureAD & External Guest Users

Christian_S — Thu, 09 May 2024 20:29:02 GMT

Which is why I am asking here on how to overcome that.

Re: Dashboard SSO - AzureAD & External Guest Users

Christian_S — Thu, 09 May 2024 21:40:11 GMT

This did it!!! We now have our external guest users who have non-saml accounts in other meraki tenants able to sign in!

Thank you!!!

Re: Dashboard SSO - AzureAD & External Guest Users

VyankateshBollu18163 — Wed, 15 May 2024 15:40:46 GMT

Hi Philip/Meraki Team,

I configured SAML SSO configuration on Meraki dashboard as per provided document after enter Azure AD credentials we are getting Java Scirpte page(html page)

Re: Dashboard SSO - AzureAD & External Guest Users

Philip D'Ath — Wed, 15 May 2024 19:02:22 GMT

From memory, this happens when the SAML roles are not correctly mapped to Meraki roles.

Go to Organization/Administrators/SAML Login History. Look for an error there.