Meraki

Community

Dashboard SSO - AzureAD & External Guest Users

Solved
Christian_S
Here to help
‎May 9 2024 11:03 AM
‎May 9 2024 11:03 AM

Dashboard SSO - AzureAD & External Guest Users

We are running into an issue where some of our guest users (vendors) can't access our tenant via SSO. SSO works flawless for a handful of our vendors that do not use AzureAD and their guest accounts show up as username#EXT#@domain.onmicrosoft.com in the SAML sign in logs. However, the accounts that do have Microsoft accounts and use Meraki at their company, show up as their normal username@domain.com  address and will get the login error of "Found existing non-saml user with email username@domain.com". Even though they are not an admin in my tenant, I assume that error is somehow seeing their email in their tenant. 

What can I change in my SAML config in Azure Apps to prevent this from happening? Setting the user up as a non-saml administrator is not an option in this case. 

Current configuration:

Christian_S_0-1715278018179.png

 

 

Labels:
0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 9 2024 1:26 PM
‎May 9 2024 1:26 PM

This is a very common issue.  I tend to fix it by changing the "username" attribute to "user.displayname".

 

PhilipDAth_0-1715286358038.png

 

View solution in original post

9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 9 2024 11:10 AM
‎May 9 2024 11:10 AM

Here you can find some possible solutions.


single sign on - How to configuring Azure AD sso to allow guest logins - Stack Overflow

Customize SAML token claims - Microsoft identity platform | Microsoft Learn

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Christian_S
Here to help
‎May 9 2024 11:14 AM
‎May 9 2024 11:14 AM

I appreciate the quick response. The first link doesn't help as we already have guest users who CAN sign in. The issue is specific to a certain type of user as mentioned above. 

I am currently reviewing the second documentation. 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 9 2024 1:26 PM
‎May 9 2024 1:26 PM

This is a very common issue.  I tend to fix it by changing the "username" attribute to "user.displayname".

 

PhilipDAth_0-1715286358038.png

 

In response to PhilipDAth
Christian_S
Here to help
‎May 9 2024 1:27 PM
‎May 9 2024 1:27 PM

Oo! Let me give that a shot and I will report back. Thank you!

In response to PhilipDAth
Christian_S
Here to help
‎May 9 2024 2:40 PM
‎May 9 2024 2:40 PM

This did it!!! We now have our external guest users who have non-saml accounts in other meraki tenants able to sign in!

Thank you!!!

mlefebvre
Building a reputation
‎May 9 2024 1:27 PM
‎May 9 2024 1:27 PM

You can't have a SAML user where their email is the same as an email account being used on the Meraki Dashboard, it is not supported.

0 Kudos
In response to mlefebvre
Christian_S
Here to help
‎May 9 2024 1:29 PM
‎May 9 2024 1:29 PM

Which is why I am asking here on how to overcome that.

0 Kudos
Network3
New here
‎May 15 2024 8:40 AM
‎May 15 2024 8:40 AM

Hi Philip/Meraki Team,

I configured SAML SSO configuration on Meraki dashboard as per provided document after enter Azure AD credentials we are getting Java Scirpte page(html page) 

0 Kudos
In response to Network3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 15 2024 12:02 PM
‎May 15 2024 12:02 PM

From memory, this happens when the SAML roles are not correctly mapped to Meraki roles.

 

Go to Organization/Administrators/SAML Login History.  Look for an error there.

PhilipDAth_0-1715799735150.png

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.