Dashboard SSO - AzureAD & External Guest Users

Solved
Christian_S
Here to help

We are running into an issue where some of our guest users (vendors) can't access our tenant via SSO. SSO works flawlessly for a handful of our vendors that do not use AzureAD, and their guest accounts show up as username#EXT#@domain.onmicrosoft.com in the SAML sign-in logs. However, the accounts that do have Microsoft accounts and use Meraki at their company show up as their normal username@domain.com address and get the login error "Found existing non-saml user with email username@domain.com". Even though they are not an admin in my tenant, I assume that error is somehow seeing their email in their tenant.

What can I change in my SAML config in Azure Apps to prevent this from happening? Setting the user up as a non-saml administrator is not an option in this case. 

Current configuration: [screenshot attached]


9 Replies
alemabrahao
Kind of a big deal

Here you can find some possible solutions.


single sign on - How to configuring Azure AD sso to allow guest logins - Stack Overflow

Customize SAML token claims - Microsoft identity platform | Microsoft Learn

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I appreciate the quick response. The first link doesn't help as we already have guest users who CAN sign in. The issue is specific to a certain type of user as mentioned above. 

I am currently reviewing the second documentation. 

PhilipDAth
Kind of a big deal

This is a very common issue.  I tend to fix it by changing the "username" attribute to "user.displayname".

[screenshot attached]

Oo! Let me give that a shot and I will report back. Thank you!

This did it!!! We now have our external guest users who have non-saml accounts in other meraki tenants able to sign in!

Thank you!!!

mlefebvre
Building a reputation

You can't have a SAML user whose email is the same as an email account already in use on the Meraki Dashboard; it is not supported.

Which is why I am asking here on how to overcome that.

Network3
New here

Hi Philip/Meraki Team,

I configured SAML SSO on the Meraki dashboard as per the provided document; after entering Azure AD credentials we are getting a JavaScript page (HTML page).

PhilipDAth
Kind of a big deal

From memory, this happens when the SAML roles are not correctly mapped to Meraki roles.

 

Go to Organization/Administrators/SAML Login History.  Look for an error there.
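The two failures discussed in this thread, the "Found existing non-saml user with email ..." collision from the original post and the unmapped-role case Philip points at in the SAML Login History, can both be caught before a user ever hits the dashboard by inspecting the SAML response Azure AD actually sends (for example one captured with a browser SAML tracer). The script below is an added example and is not code from the thread, from Meraki or from Microsoft. The attribute names are the two Meraki documents for its SAML integration; the SAML response, the list of existing non-SAML dashboard accounts and the list of mapped SAML roles are all constructed for the demonstration, and the check only mirrors the behaviour described in the posts above rather than calling any Meraki API.

```python
"""Pre-flight check for a Meraki dashboard SAML login.

Added example, not Meraki or Microsoft code.  It parses a SAML Response,
pulls out the two attributes Meraki expects, and reports the two problems
this thread describes: a username that collides with an existing non-SAML
dashboard account, and a role that is not mapped to a SAML role.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names Meraki documents for its SAML integration.
USERNAME_ATTR = "https://dashboard.meraki.com/saml/attributes/username"
ROLE_ATTR = "https://dashboard.meraki.com/saml/attributes/role"

# Constructed data.  The thread says the collision happens even when the
# address is only registered in *another* Meraki organization, so this set
# stands in for every non-SAML dashboard account, not just your own admins.
EXISTING_NON_SAML_ACCOUNTS = {"alice@vendor.example", "noc@contoso.example"}
# Constructed list of SAML roles configured under Organization > Administrators.
SAML_ROLES = {"Vendor-ReadOnly", "Contoso-NetAdmin"}


def extract_meraki_claims(response_xml: str) -> dict:
    """Return the NameID plus the Meraki username and role attribute values."""
    root = ET.fromstring(response_xml)
    claims = {"nameid": None, "username": None, "role": None}
    nameid = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if nameid is not None:
        claims["nameid"] = (nameid.text or "").strip()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        text = (value.text or "").strip() if value is not None else ""
        if attr.get("Name") == USERNAME_ATTR:
            claims["username"] = text
        elif attr.get("Name") == ROLE_ATTR:
            claims["role"] = text
    return claims


def is_azure_guest_upn(value: str) -> bool:
    """Azure AD B2B guests get a UPN shaped like
    user_theirdomain.com#EXT#@yourtenant.onmicrosoft.com, which is why the
    vendors without Azure AD never collided with a real mailbox address."""
    return "#EXT#@" in value and value.lower().endswith(".onmicrosoft.com")


def preflight(claims: dict, existing_non_saml: set, saml_roles: set) -> list:
    """Return the problems a dashboard login with these claims would hit."""
    problems = []
    username = claims.get("username") or ""
    role = claims.get("role") or ""
    if not username:
        problems.append("missing username attribute")
    elif username.lower() in {a.lower() for a in existing_non_saml}:
        # The error text from the original post.
        problems.append(f"Found existing non-saml user with email {username}")
    if not role:
        problems.append("missing role attribute")
    elif role not in saml_roles:
        # The first thing to look for in SAML Login History per the reply above.
        problems.append(f"role {role!r} is not mapped to a SAML role")
    return problems


def build_response(username: str, role: str, nameid: str = "_anon") -> str:
    """Construct a minimal, unsigned SAML Response carrying the two claims."""
    return f"""<samlp:Response xmlns:samlp="{SAML_NS['samlp']}"
    xmlns:saml="{SAML_NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>{escape(nameid)}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{USERNAME_ATTR}"><saml:AttributeValue>{escape(username)}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>{escape(role)}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def evaluate(username: str, role: str) -> list:
    """Build a response for one user and run the pre-flight check on it."""
    claims = extract_meraki_claims(build_response(username, role))
    return preflight(claims, EXISTING_NON_SAML_ACCOUNTS, SAML_ROLES)


if __name__ == "__main__":
    # Guest without Azure AD: username is the #EXT# UPN, cannot collide.
    print(evaluate("bob_vendor2.example#EXT#@contoso.onmicrosoft.com", "Vendor-ReadOnly"))
    # Guest with Azure AD whose address is a non-SAML Meraki account elsewhere.
    print(evaluate("alice@vendor.example", "Vendor-ReadOnly"))
    # Same guest after mapping the username claim to user.displayname.
    print(evaluate("Alice Vendor", "Vendor-ReadOnly"))
    # Role claim that no SAML role in the organization matches.
    print(evaluate("Alice Vendor", "Everyone"))
```

Run it against a response exported from your own tenant instead of the constructed one to see which of the two cases a failing vendor falls into. One caveat on the displayName fix: the dashboard username stops being a verified address and becomes whatever Azure AD holds as the display name, which is not required to be unique within a tenant, so keep the Azure app restricted to assigned users and keep the role claim driven by group membership rather than by anything the user can edit themselves.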

