Dashboard SSO with SAML and Azure AD - Consumer URL broken?

Solved
tkovac

I've been trying to configure SAML for management login and followed Configuring SAML SSO with Azure AD - Cisco Meraki
Going to dashboard.meraki.com just goes to the logon page and SSO never initiates.
When I click Test from Azure it logs me in fine.
There are no options in Meraki Dashboard to add the Login URL, Azure AD Identifier or Logout URL from Azure.

Is anyone able to tell me what I'm missing here?
Thanks.

1 Accepted Solution
Bruce

The issue is this statement in the document…

[screenshot of the quoted statement in the Meraki document]

You can’t do a SAML login from the Service Provider (i.e. the Dashboard). You need to login through the identity provider (IdP) and it should then redirect you to the Dashboard and pass the SAML token in the process.


tkovac

Thanks @Bruce - is that the URL that Azure gives? 

When I try that I get this:
Sorry, but we’re having trouble signing you in.

AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.

tkovac

I have found the full URL that Azure uses but as yet have been unable to turn this into a useable seamless link.

Thanks for the help anyway. 

DaSz

You have to separately configure Service Provider-initiated SAML to do SSO from the dashboard, see https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/SP-Initiated_SAML_...

tkovac

Thanks - I will check this out when I get some time and report back. 

Dudleydogg

I set up 2 dashboards; one works perfectly, and the other one goes through the redirect process then just lands on the Meraki page with a dialog that says "TRUE" and never goes to the dashboard. Tests from the Azure portal are all green. Thoughts or suggestions?

Aaron_Kennedy

I ran into this issue today. It turns out that any account that tries to use SAML/SSO access to Meraki dashboard cannot have the same email address (username) as an already existing Meraki dashboard account.
As soon as I configured a different administrative account in Azure for write access to Meraki dashboard, that account was able to progress through the SSO process and get deposited in the dashboard without landing on the "true" page.

tkovac

Thanks @Aaron_Kennedy , just tried this and it worked when using the direct link but it still doesn't work from the dashboard as @Bruce stated.

I can't really see the benefit of it until it does work from the dashboard.

C3SGInc

Has anyone been able to get the SP-Initiated SAML SSO to work?  I can get the test to work and then went through the guide to add SP-Initiated.  I go to the URL for my subdomain and select SSO and get directed to my AAD login, complete the login, but then get an error that my application identifier was not found in the directory.
Any ideas?

tkovac

Looks like nothing has changed since @Bruce posted the solution here.  Just tried this morning and still can't do it from SP.

Aaron_Kennedy

I also had some issues with SP when I tried to set it up. I was able to get IdP working easily, but the SP process was still broken (and some necessary configuration elements were missing from Organization-->Settings in the dashboard).
But then I found a toggle button in the Organization-->Early Access section of dashboard where I could turn on SAML SSO. After flipping that toggle button, the required configuration options showed up in the dashboard settings and I could complete the SP setup process and get it working properly.

CHTL-User

This was really useful - I had all of the same problems and got it working.
A couple of sticking points - I finally found the User access URL for IdP-initiated access under Meraki Dashboard App > Properties. That worked fine.
After enabling SP-initiated SAML, I got the same message as @C3SGInc (Application with identifier xxxx not found in directory) - I had to add an additional Identifier under Meraki Dashboard App > Single sign-on > Basic SAML Config specifying https://[organisation].sso.meraki.com. After that, it worked.
Otherwise, I followed the KB articles and advice in this post and got there in the end. Thanks.

jose_franco

As @CHTL-User mentions, updating the Identifier (Entity ID) for the Meraki App in Entra ID from the default value of https://dashboard.meraki.com to https://[organisation].sso.meraki.com resolved SP-Initiated access for me. Thanks!!!

C3SGInc

Is the [organisation] the same as the name from the Organization Settings/Name in the Meraki Dashboard?  If so, how does it handle spaces?

jose_franco

@C3SGInc - No, actually the value is the same as what is defined in Meraki Dashboard under Organization/Settings/Authentication/SSO Subdomain.
Screenshots below for reference:
Meraki screenshot:

[screenshot of the Organization > Settings > Authentication > SSO Subdomain field]

Entra ID screenshot:

[screenshot of the Identifier (Entity ID) field in Basic SAML Configuration]
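To make concrete what Bruce's accepted answer, the AADSTS750054 error, and the "Application with identifier ... not found" error in this thread mean at the protocol level, here is an added example. It is my own code, not Meraki's, Microsoft's, or anything posted by the participants. An IdP-initiated login starts at the Entra user access URL and needs nothing from the service provider. An SP-initiated login starts with the SP building a SAML AuthnRequest, raw-DEFLATE compressing it, base64-encoding it and redirecting the browser to the IdP's SAML endpoint with the result in the SAMLRequest query parameter (the HTTP-Redirect binding). Sending the browser to that endpoint with no SAMLRequest or SAMLResponse is exactly the AADSTS750054 condition. The <saml:Issuer> inside the request is the SP's Entity ID, and the IdP looks it up among the identifiers registered on the enterprise application, which is why an Issuer of https://[organisation].sso.meraki.com fails until that value is added alongside https://dashboard.meraki.com. The tenant ID, the subdomain "example-org", the /consume assertion consumer path and the registered-identifier sets are placeholders I made up for the example; the real values come from the dashboard and the Entra app. Production SP-initiated requests are normally also signed (SigAlg and Signature parameters), which this example leaves out.

```python
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder values invented for this example (not real tenant/org data).
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
SP_ENTITY_ID = "https://example-org.sso.meraki.com"          # Issuer / Entity ID
ACS_URL = "https://example-org.sso.meraki.com/consume"       # hypothetical consumer URL


def build_authn_request(issuer, acs_url, request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest; the Issuer is the SP Entity ID the IdP must know."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="{POST_BINDING}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def encode_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 => raw deflate
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def has_saml_message(query_string):
    """The check Entra performs before anything else; failing it is AADSTS750054."""
    params = urllib.parse.parse_qs(query_string)
    return "SAMLRequest" in params or "SAMLResponse" in params


def decode_redirect(query_string):
    """Reverse of encode_redirect, as an IdP would do it on arrival."""
    if not has_saml_message(query_string):
        raise ValueError(
            "AADSTS750054: SAMLRequest or SAMLResponse must be present as query "
            "string parameters in HTTP request for SAML Redirect binding"
        )
    params = urllib.parse.parse_qs(query_string)
    encoded = params.get("SAMLRequest", params.get("SAMLResponse"))[0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def issuer_of(authn_request_xml):
    root = ET.fromstring(authn_request_xml)
    return root.find(f"{{{SAML}}}Issuer").text


def check_issuer_registered(authn_request_xml, registered_identifiers):
    """Model of the IdP-side lookup: the Issuer must match an app Identifier (Entity ID)."""
    issuer = issuer_of(authn_request_xml)
    if issuer not in registered_identifiers:
        return False, f"Application with identifier '{issuer}' was not found in the directory"
    return True, "ok"


def sp_initiated_login_url(idp_sso_url, issuer, acs_url, relay_state=None):
    """Full URL the SP would 302 the browser to for an SP-initiated login."""
    return idp_sso_url + "?" + encode_redirect(build_authn_request(issuer, acs_url), relay_state)


if __name__ == "__main__":
    # Bare endpoint, the way the thread first tried it: no SAML message at all.
    print("bare endpoint carries SAML message:", has_saml_message(""))
    # Proper SP-initiated redirect.
    url = sp_initiated_login_url(IDP_SSO_URL, SP_ENTITY_ID, ACS_URL, "https://dashboard.meraki.com/")
    print(url)
    xml_back = decode_redirect(url.split("?", 1)[1])
    # Default Entra app only knows https://dashboard.meraki.com: lookup fails.
    print(check_issuer_registered(xml_back, {"https://dashboard.meraki.com"}))
    # After adding the SSO subdomain as a second Identifier: lookup succeeds.
    print(check_issuer_registered(xml_back, {"https://dashboard.meraki.com", SP_ENTITY_ID}))
```

Running the script shows the two failure modes from the thread side by side: a bare request to the Entra endpoint fails the presence check, and a well-formed AuthnRequest still fails the identifier lookup until the SSO subdomain is registered as an Identifier on the app.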

C3SGInc

Perfect and thank you for taking the time to include the screenshots.