Converting Local Administrators to SSO/SAML account Administrators

pematthe

We are trying to transition our local account users to M365 (Entra ID) SSO SAML accounts. The setup is easy enough, but I cannot find clear answers to a couple of questions.

  1. I assume that it is not possible to transfer an existing user's account to SSO/SAML? As the login URL is different, it is either one or the other, or leave both accounts active? To do a full transition, the local account should be deleted - is that correct?
  2. API keys. As per the documentation, API keys cannot be created by SAML users. What have others done for a solution to this?
    1. Have a local API account which everyone with an existing API key now uses
    2. Do not transition these users to SSO?
    3. Get Meraki to add API key support for SAML/SSO users.

Any additional guidelines other than the standard documents?

Mloraditch

1. Correct, a regular dashboard account cannot be turned into a SAML account. It would have to be deleted completely by the user (not just deleted from your orgs) before you send a SAML username value of that email and have it work. However, you can send a different attribute instead of email (see the solution here for details: https://community.meraki.com/t5/Dashboard-Administration/Setting-up-SAML-for-2-Meraki-tenants-one-Az...)
It's probably easiest to just use an alternate value for the SAML username and, once you have things confirmed working, then you just delete the regular accounts from your org.

2. We have a dedicated API key account we use, but depending on how you use the API, how much detail you want logged etc., you may want multiple API accounts, but your 1 and 2 are the only current solutions.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth

For (1), if you are using Entra ID, you change the "username" attribute from user.email to something like user.displayName. Then you can log in using SAML even when there is an existing Meraki account using the email. I do this for 100% of the SAML configurations I do.

(2) We use a dedicated account for an API key that is shared. I have been playing with the new OAuth system, and that seems to work OK. With this you register each of your applications so they are no longer tied to a user.

https://as.meraki.com/login

There is more info here about this system. You need to join the Early Access group.

https://community.meraki.com/t5/API-Early-Access-Announcements/Now-in-beta-OAuth-App-Registry-build-...
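Both replies describe the same migration rule: a SAML login whose username value equals the e-mail of an existing local dashboard account collides with it, so the IdP either sends a different username attribute (user.displayName, or user.userPrincipalName) or the local account is fully deleted first, and the remaining local accounts are removed once SAML is confirmed working. The script below is an added example, not code from the thread or from Meraki, that turns that rule into a pre-cutover check over constructed sample data. It assumes the Meraki-side matching is a case-insensitive comparison on the username string, and it also flags a caveat the thread does not mention: user.displayName is not guaranteed unique in Entra ID, so two users can end up with the same SAML username. Function and class names are hypothetical.

```python
"""Pre-check for moving local Meraki dashboard admins to SAML (example, not Meraki's code).

Models the rule from the thread: a SAML username equal to an existing local
account e-mail collides with it. Assumption: matching is case-insensitive.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EntraUser:
    """Subset of Entra ID user attributes that can be mapped to the SAML username claim."""
    email: str
    display_name: str
    upn: str  # userPrincipalName


@dataclass
class MigrationPlan:
    attribute: str
    collisions: list = field(default_factory=list)           # Entra e-mails whose SAML username hits a local account
    duplicates: dict = field(default_factory=dict)           # saml_username -> Entra e-mails sharing it
    ready: list = field(default_factory=list)                # Entra e-mails safe to cut over now
    delete_after_cutover: list = field(default_factory=list) # local accounts to remove once SAML is confirmed
    orphans: list = field(default_factory=list)              # local admins with no matching Entra user


# Entra claim source names as they appear in the SAML attribute mapping UI.
SAML_ATTRIBUTES = {
    "user.email": lambda u: u.email,
    "user.displayName": lambda u: u.display_name,
    "user.userPrincipalName": lambda u: u.upn,
}


def saml_username(user: EntraUser, attribute: str) -> str:
    """Value Meraki would receive as the SAML username for this mapping choice."""
    return SAML_ATTRIBUTES[attribute](user).strip().lower()


def plan_migration(entra_users, local_admin_emails, attribute="user.email") -> MigrationPlan:
    """Classify every Entra user and local admin for the chosen username mapping."""
    local = {e.strip().lower() for e in local_admin_emails}
    entra_emails = {u.email.strip().lower() for u in entra_users}
    plan = MigrationPlan(attribute)

    # Group Entra users by the username Meraki would see, to detect shared values.
    by_username = defaultdict(list)
    for u in entra_users:
        by_username[saml_username(u, attribute)].append(u.email.strip().lower())

    for username, emails in by_username.items():
        emails = sorted(emails)
        if len(emails) > 1:
            plan.duplicates[username] = emails
        if username in local:
            plan.collisions.extend(emails)
        elif len(emails) == 1:
            plan.ready.extend(emails)

    plan.collisions.sort()
    plan.ready.sort()
    # Local accounts that have an Entra counterpart go once SAML is verified;
    # the rest (service accounts, leavers) need a human decision.
    plan.delete_after_cutover = sorted(local & entra_emails)
    plan.orphans = sorted(local - entra_emails)
    return plan


# Constructed sample data (not real tenants): two users share a display name.
SAMPLE_ENTRA_USERS = [
    EntraUser("alice@example.com", "Alice Adams", "alice@example.com"),
    EntraUser("bob@example.com", "Bob Brown", "bob@example.com"),
    EntraUser("bob2@example.com", "Bob Brown", "bob.brown2@example.com"),
]
SAMPLE_LOCAL_ADMINS = ["alice@example.com", "Bob@example.com", "svc-api@example.com"]


if __name__ == "__main__":
    for attr in SAML_ATTRIBUTES:
        p = plan_migration(SAMPLE_ENTRA_USERS, SAMPLE_LOCAL_ADMINS, attr)
        print(f"{attr}: collisions={p.collisions} duplicates={p.duplicates} ready={p.ready}")
    print("delete after cutover:", p.delete_after_cutover, "orphans:", p.orphans)
```

With user.email as the username, every local admin who also exists in Entra shows up as a collision, which is the situation the first reply describes. Switching to user.displayName clears the collisions but surfaces the two users sharing "Bob Brown"; user.userPrincipalName gives a unique value per user and no collision as long as the UPN differs from the local account e-mail, so it is usually the safer alternate attribute. The orphan list (here the shared API account) is exactly the set of local accounts the thread says cannot move to SAML.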