topic Re: IdP Initiated SAML SSO for Meraki Dashboard in Cloud Networking Platform

IdP Initiated SAML SSO for Meraki Dashboard

Rasmus Hoffmann Birkelund — Mon, 15 Jul 2024 18:09:55 GMT

Lately, SSO login for Meraki Dashboard has been a huge nuisance for me, as I'm getting access to more and more customer organisations that use SAML SSO in their organizations.

If unsuccessful in convincing their IT teams to add me directly as a local admin to their Org, I have to go through having my account created in their Azure tenant.

Which by all means is probably also the correct way, IT security wise.

But as an MSP with access to many customers, SSO is a PITA. Many customers followed the guides on the Meraki Documentation on how to setup SSO for their org in Meraki, but this has also resulted in many organisations' lack of consideration of the different SAML attributes in Azure.

An easy fix would be to set the username attribute to something else than userprincipalname, which for some reason equates to their email address. In my tests, using employeeid is usually the best alternative, since chances are that this is more unique between customers and organisations, and especially for external consultants like myself.

I'm curious as to how others handle SAML SSO from an MSP stand of view? Do you also spend days during first time onboarding in just trying to get access, by having to make the customer reconfigure their Dashboard App, which by all means works for them?

What are you tips&tricks for when setting up SAML SSO? Or is there a simple Meraki setting that I'm just not aware of, that will fix everything, without having to touch their Azure tenant?

Re: IdP Initiated SAML SSO for Meraki Dashboard

Rasmus Hoffmann Birkelund — Mon, 15 Jul 2024 18:17:45 GMT

And well, this also goes to SP-initiated SAML SSO.

Re: IdP Initiated SAML SSO for Meraki Dashboard

Rasmus Hoffmann Birkelund — Mon, 15 Jul 2024 18:23:01 GMT

The SAML SSO configuration guide, clearly states that one should set the username attribute to email, but also clearly warns against it.

This really messes things up for MSPs and those of us who are external consultants.

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Mon, 15 Jul 2024 20:54:54 GMT

Do you know the dashboard can support multiple SAML providers at the same time?

You should add your Idp to customers that you manage, so you can log in with the username in your tennancy.

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Mon, 15 Jul 2024 20:56:27 GMT

I've never done a SAML deployment where I used the email address. It just doesn't work in practice. I usually make it "user.displayname".

Re: IdP Initiated SAML SSO for Meraki Dashboard

Rasmus Hoffmann Birkelund — Tue, 16 Jul 2024 05:24:36 GMT

Yes, but I tend to prefer not to do any major changes to customers dashboards, just in order to give me access.

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Tue, 16 Jul 2024 05:37:45 GMT

A minimal config requires only two fields to be filled in - the "X.509 cert SHA1 fingerprint" and "SSO login URL".

That's the same number of fields to add a local Meraki user ...

I personally like having my own SAML roles (instead of using the Customers), and if you like that too - that is just two more fields, "Role" and "Organization access".

Re: IdP Initiated SAML SSO for Meraki Dashboard

Rasmus Hoffmann Birkelund — Tue, 16 Jul 2024 06:17:14 GMT

What would be the best course of action then, for an MSP with access to many customers?

If we add our company tenant as IdP to the customers' organizations, we'd need to then set up a Dashboard application per customer. WOuldn't that then result in many different customer apps on the myapp.microsoft.com page?

Or in the case of SP-initiated, they'd have to set a unique subdomain for their SSO login?

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Tue, 16 Jul 2024 07:21:58 GMT

Negative. Let me give you the link for SAML configuration for MSPs:
https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard#SAML_SSO_for_MSPs

"SAML does support the use of multiple organizations. Similarly to traditional logins, it needs to determine that the user is identical across the affected organizations. Thus, for this to occur, the following must be identical across the designed organizations:

X.509 cert fingerprint for the organization (case sensitive)
SAML administrator role (as only one role attribute can be used in the token)
- The permissions granted can be different in each Organization, but the role name must be identical

When this occurs, the user will be directed to the MSP portal and receive the desired permissions in each organization. The Consumer URL for any of the MSP organizations can be used, as they will all direct the user to the MSP portal."

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Tue, 16 Jul 2024 07:23:52 GMT

When you set it up - you only set it up for your own companies dashboard. However you load the same SHA certificate hash into every customers Meraki Dashboard - and that gets you the access automatically.

Re: IdP Initiated SAML SSO for Meraki Dashboard

JamesT91 — Tue, 16 Jul 2024 07:26:05 GMT

We have a single enterprise app in Entra and then use the same certificate fingerprint configured in all our customer Meraki orgs - this allows IdP initiated login for us as the MSP to all. We have two roles, one for read only and one for full.

The customer can then optionally setup their own alongside this.

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Tue, 16 Jul 2024 07:33:32 GMT

Another way you could attack this (I have not tested this) would be to get the customer to add your email address to their Entra ID as a guest user. Then grant that guest user access to the Meraki Entra ID app. It should work.

You could make it smoother by having the customer create an Entra ID B2B relationship between their Entra ID tennancy and yours to trust your MFA. This requires your customer to have an Entra ID P1 licence or better.
This would allow you to do seemless sign in to your customers Meraki environment.

But personally, I prefer direct SAML to the dashboard from your environment ...

And more specifically, I prefer Cisco Duo as the SAML Idp because it is so much easier to setup and manage ...

Re: IdP Initiated SAML SSO for Meraki Dashboard

Rasmus Hoffmann Birkelund — Tue, 16 Jul 2024 07:51:55 GMT

So by using the same SHA certificiate (thumbprint) across different organizations, we'd be able to get the same Dashboard experience with a Organization Dropdown, and switch between organizations?

Re: IdP Initiated SAML SSO for Meraki Dashboard

Rasmus Hoffmann Birkelund — Tue, 16 Jul 2024 07:55:29 GMT

Having the customer adding med as a Guest User in their tenant, is usually where it goes badly. I'm added with my company email as a guest to the customers tenant, and as my email is already known as local account on many other customers organizations, I end up getting redirected to the Meraki "true" page with a SAML login failure in the dashboard logs.

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Tue, 16 Jul 2024 08:08:59 GMT

Same SHA certificate thumbprint and SAML role name. Correct.

Re: IdP Initiated SAML SSO for Meraki Dashboard

Rasmus Hoffmann Birkelund — Tue, 16 Jul 2024 08:41:24 GMT

When I set up the Dashboard App in Azure, the identifier (Entity ID) needs to be my SSO url <subdomain>.sso.meraki.com.

If use the generic URL, SSO fails with the error that the identifier was not found.

The identifier (and Sign-on URL) are configured in Azure on a per organization basis, as I see it. So to have multiple organizations, I'd end up with many different dashboard applications in Azure. Unless I'm misunderstanding something?

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Tue, 16 Jul 2024 08:47:22 GMT

Don't use a sub-domain (so you are doing Idp initiated login).

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Tue, 16 Jul 2024 09:14:29 GMT

This is what the SAML configuration looks like for one of our clients.

Re: IdP Initiated SAML SSO for Meraki Dashboard

Rasmus Hoffmann Birkelund — Tue, 16 Jul 2024 09:21:10 GMT

Okay. So I add the same SHA thumbprint to another lab dashboard that I have. The consumer url on this Org is different to that of my first Org. In the Dashbord Application on Azure it still referes to the Consumer URL of the first Org. Where should I then reference the Consumer URL for the second org?

Re: IdP Initiated SAML SSO for Meraki Dashboard

Philip D'Ath — Tue, 16 Jul 2024 09:23:11 GMT

> Where should I then reference the Consumer URL for the second org?

You don't. It is unused. As soon as you have two configured it then takes you to the MSP portal.

I just onboarded another brand new org. On the Meraki Dashboard org settings side, it just needed the config below. Onboarding is super simple!