Dashboard SSO - AzureAD & External Guest Users

Solved
Christian_S
Here to help

Dashboard SSO - AzureAD & External Guest Users

We are running into an issue where some of our guest users (vendors) can't access our tenant via SSO. SSO works flawless for a handful of our vendors that do not use AzureAD and their guest accounts show up as username#EXT#@domain.onmicrosoft.com in the SAML sign in logs. However, the accounts that do have Microsoft accounts and use Meraki at their company, show up as their normal username@domain.com  address and will get the login error of "Found existing non-saml user with email username@domain.com". Even though they are not an admin in my tenant, I assume that error is somehow seeing their email in their tenant. 

What can I change in my SAML config in Azure Apps to prevent this from happening? Setting the user up as a non-saml administrator is not an option in this case. 

Current configuration:

Christian_S_0-1715278018179.png

 

 

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

This is a very common issue.  I tend to fix it by changing the "username" attribute to "user.displayname".

 

PhilipDAth_0-1715286358038.png

 

View solution in original post

9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal

Here you can find some possible solutions.


single sign on - How to configuring Azure AD sso to allow guest logins - Stack Overflow

Customize SAML token claims - Microsoft identity platform | Microsoft Learn

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Christian_S
Here to help

I appreciate the quick response. The first link doesn't help as we already have guest users who CAN sign in. The issue is specific to a certain type of user as mentioned above. 

I am currently reviewing the second documentation. 

PhilipDAth
Kind of a big deal
Kind of a big deal

This is a very common issue.  I tend to fix it by changing the "username" attribute to "user.displayname".

 

PhilipDAth_0-1715286358038.png

 

Christian_S
Here to help

Oo! Let me give that a shot and I will report back. Thank you!

Christian_S
Here to help

This did it!!! We now have our external guest users who have non-saml accounts in other meraki tenants able to sign in!

Thank you!!!

mlefebvre
Building a reputation

You can't have a SAML user where their email is the same as an email account being used on the Meraki Dashboard, it is not supported.

Christian_S
Here to help

Which is why I am asking here on how to overcome that.

Network3
New here

Hi Philip/Meraki Team,

I configured SAML SSO configuration on Meraki dashboard as per provided document after enter Azure AD credentials we are getting Java Scirpte page(html page) 

PhilipDAth
Kind of a big deal
Kind of a big deal

From memory, this happens when the SAML roles are not correctly mapped to Meraki roles.

 

Go to Organization/Administrators/SAML Login History.  Look for an error there.

PhilipDAth_0-1715799735150.png

 

Get notified when there are additional replies to this discussion.