I've been trying to configure SAML for management login and followed Configuring SAML SSO with Azure AD - Cisco Meraki
Going to dashboard.meraki.com just goes to the logon page and SSO never initiates.
When I click Test from Azure it logs me in fine.
There are no options in Meraki Dashboard to add the Login URL, Azure AD Identifier or Logout URL from Azure.
Is anyone able to tell me what I'm missing here?
Thanks.
The issue is this statement in the document…
You can’t do a SAML login from the Service Provider (i.e. the Dashboard). You need to log in through the identity provider (IdP) and it should then redirect you to the Dashboard and pass the SAML token in the process.
Thanks @Bruce - is that the URL that Azure gives?
When I try that I get this:
Sorry, but we’re having trouble signing you in.
I have found the full URL that Azure uses but as yet have been unable to turn this into a useable seamless link.
Thanks for the help anyway.
You have to separately configure Service Provider-initiated SAML to do SSO from the dashboard, see https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/SP-Initiated_SAML_...
Thanks - I will check this out when I get some time and report back.
I set up 2 dashboards; one works perfectly, and the other one goes through the redirect process then just lands on the Meraki page with a dialog that says "TRUE" and never goes to the dashboard. Tests from the Azure portal are all green. Thoughts or suggestions?
I ran into this issue today. It turns out that any account that tries to use SAML/SSO access to Meraki dashboard cannot have the same email address (username) as an already existing Meraki dashboard account.
As soon as I configured a different administrative account in Azure for write access to Meraki dashboard, that account was able to progress through the SSO process and get deposited in the dashboard without landing on the "true" page.
Thanks @Aaron_Kennedy , just tried this and it worked when using the direct link but it still doesn't work from the dashboard as @Bruce stated.
I can't really see the benefit of it until it does work from the dashboard.
Has anyone been able to get the SP-Initiated SAML SSO to work? I can get the test to work and then went through the guide to add SP-Initiated. I go to the url for my subdomain and select SSO and get directed to my AAD login, complete the login but then get an error that my application identifier was not found in the directory.
Any ideas?
Looks like nothing has changed since @Bruce posted the solution here. Just tried this morning and still can't do it from SP.
I also had some issues with SP when I tried to set it up. I was able to get IdP working easily, but the SP process was still broken (and some necessary configuration elements were missing from Organization-->Settings in the dashboard).
But then I found a toggle button in the Organization-->Early Access section of dashboard where I could turn on SAML SSO. After flipping that toggle button, the required configuration options showed up in the dashboard settings and I could complete the SP setup process and get it working properly.
This was really useful - I had all of the same problems and got it working.
A couple of sticking points - I finally found the User access URL for IdP-initiated access under Meraki Dashboard App > Properties. That worked fine.
After enabling SP-initiated SAML, I got the same message as @C3SGInc (Application with identifier xxxx not found in directory) - I had to add an additional Identifier under Meraki Dashboard App > Single sign-on > Basic SAML Config specifying https://[organisation].sso.meraki.com. After that, it worked.
Otherwise, I followed the KB articles and advice in this post and got there in the end. Thanks.
As @CHTL-User mentions...
Updating the Identifier (Entity ID) for the Meraki App in Entra ID from the default value of https://dashboard.meraki.com to https://[organisation].sso.meraki.com
resolved SP-Initiated access for me. Thanks!!!
Is the [organisation] the same as the name from the Organization Settings/Name in the Meraki Dashboard? If so, how does it handle spaces?
@C3SGInc - No, actually the value is the same as what is defined in Meraki Dashboard under Organization/Settings/Authentication/SSO Subdomain.
Screenshots below for reference:
Meraki screenshot:
Entra ID screenshot:
Perfect and thank you for taking the time to include the screenshots.
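The "Application with identifier xxxx not found in directory" error discussed above comes from the Issuer that the SP-initiated request carries not matching any Identifier (Entity ID) registered on the Entra ID app. The quickest way to confirm that before touching the app config is to capture the redirect URL your browser is sent to and decode the SAMLRequest parameter. The script below is an added example, not code from Meraki or Microsoft: it decodes a SAML 2.0 HTTP-Redirect binding request (base64 over raw DEFLATE), pulls out the Issuer, and checks it against the identifiers you have configured. The AuthnRequest, the SSO subdomain `example-org` and the tenant placeholder in the URL are all constructed for the example; the `https://<subdomain>.sso.meraki.com` form of the Entity ID is what the posts above report.

```python
"""Decode a SAML AuthnRequest from an SP-initiated redirect and check whether
its Issuer is among the Identifiers (Entity IDs) registered on the IdP app.

Added example; not Meraki's or Entra ID's own code.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def entity_id_for_subdomain(sso_subdomain: str) -> str:
    """Entity ID form reported in the thread: the SSO Subdomain from
    Organization > Settings > Authentication, not the organisation name."""
    return f"https://{sso_subdomain}.sso.meraki.com"


def encode_redirect_request(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64.
    Used here only to build the constructed sample URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_saml_request(value: str) -> str:
    """Reverse of the above. Falls back to plain base64 for a POST-binding
    form value, which is not deflated."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")


def decode_redirect_url(url: str) -> str:
    """Extract and decode the SAMLRequest query parameter from a redirect URL."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("URL carries no SAMLRequest parameter")
    return decode_saml_request(params["SAMLRequest"][0])


def extract_issuer(authn_request_xml: str) -> str:
    """The <saml:Issuer> of the AuthnRequest is what the IdP looks up."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest has no Issuer element")
    return issuer.text.strip()


def diagnose(redirect_url: str, configured_identifiers: list[str]) -> dict:
    """Return the Issuer sent by the SP and whether the IdP app knows it.
    A False here is the 'identifier not found in directory' failure."""
    issuer = extract_issuer(decode_redirect_url(redirect_url))
    return {"issuer": issuer, "registered": issuer in configured_identifiers}


# --- constructed sample data (not captured from a real tenant) ---
SAMPLE_SUBDOMAIN = "example-org"
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example0001" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    f"<saml:Issuer>{entity_id_for_subdomain(SAMPLE_SUBDOMAIN)}</saml:Issuer>"
    "</samlp:AuthnRequest>"
)
# Entra's SAML endpoint has the form https://login.microsoftonline.com/<tenant>/saml2;
# TENANT-ID is a placeholder.
SAMPLE_REDIRECT_URL = "https://login.microsoftonline.com/TENANT-ID/saml2?" + urlencode(
    {"SAMLRequest": encode_redirect_request(SAMPLE_AUTHN_REQUEST)}
)

if __name__ == "__main__":
    # Default app config from the IdP-initiated guide: only the dashboard URL.
    default_ids = ["https://dashboard.meraki.com"]
    print(diagnose(SAMPLE_REDIRECT_URL, default_ids))
    # After adding the subdomain Entity ID as the thread recommends.
    fixed_ids = default_ids + [entity_id_for_subdomain(SAMPLE_SUBDOMAIN)]
    print(diagnose(SAMPLE_REDIRECT_URL, fixed_ids))
```

To use it against a real failure, copy the full URL you land on at login.microsoftonline.com from the browser's network tab and pass it to `diagnose` together with the Identifier list from Single sign-on > Basic SAML Configuration; if the Issuer it prints is the `sso.meraki.com` URL and that URL is missing from the list, adding it is the fix the thread converged on.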