> Where should I then reference the Consumer URL for the second org?

You don't. It is unused. As soon as you have two configured it then takes you to the MSP portal.

I just onboarded another brand new org. On the Meraki Dashboard org settings side, it just needed the config below. Onboarding is super simple!

One thing I will mention - if you are onboarding a new org on a different shard there seems to be a delay before it appears in your MSP portal. Maybe a 5-minute wait.

Once you have enough orgs onboarded, it is near instant.

Aha! Interesting. I'm now getting both orgs with the SAML SSO.

I think I've read through the SAML SSO guides on Meraki Docs hundreds of times, but I think these few details were really missing.

Perfect. So you see how simple that is to onboard a new customer?

Put in your certificate hash, your SAML role name, finished.

Yes, it is simple and I see that we will still get the "easy" switching between organizations. Although, instead of simply browsing to dashboard.meraki.com, we'd now have to jump in through myapplications.meraki.com, and from there jump into the dashboard.

However, it still creates those issues where one has a local login somewhere in Meraki, which conflicts with SAML SSO.

E.g. my lab at home is a CMNA kit (from when you could get a full stack) with a couple other devices I scoured up over the years. This is an organization I'd prefer not having ties to my employers AD, however I still use my company email on it, to switch back and forth between lab networks and customers when needing to do changes.

Addtionally, SAML users can not create API Keys, so we'll have to add a local user to their dashboard anyway if needing to use Meraki API. Then from my perspective, I'd expect to run into the same troubles, since the API user cannot be a SAML user, but must a local user, and theres a match on the email address.

But I suppose, this is where user.displayname as the username attribute, comes into play?

>Although, instead of simply browsing to dashboard.meraki.com

I mostly live in my web browser. For me it is about three clicks. From webmail I click on the 9 dots in the top left hand corner, type "me" which brings up "Meraki Dashboard", and then click on it. Pretty quick to get in huh?

>still creates those issues where one has a local login somewhere in Meraki, which conflicts with SAML SSO

On every SAML deployment I have done (and I have done a few) I always change the username attribute to user.displayname. Problem solved.

>Addtionally, SAML users can not create API Key

Yet... Watch this space.

You should be able to copy the link of the application from the myapps page, add this to your bookmarks toolbar and then you're only a button press away from logging in 😊

We have a single enterprise app in Entra and then use the same certificate fingerprint configured in all our customer Meraki orgs - this allows IdP initiated login for us as the MSP to all. We have two roles, one for read only and one for full.

The customer can then optionally setup their own alongside this.

Having the customer adding med as a Guest User in their tenant, is usually where it goes badly. I'm added with my company email as a guest to the customers tenant, and as my email is already known as local account on many other customers organizations, I end up getting redirected to the Meraki "true" page with a SAML login failure in the dashboard logs.