Employee termination/VPN Access

Brad2
New here

Is there a way to remove an MSP technician's VPN access to our customers' networks all at once, or do we need to disable his account for each company?

I would really appreciate any advice or tips.

Thank you

3 REPLIES
Mr_IT_Guy
A model citizen

If you are not using SAML, I believe you have to delete the admin in each organization in your MSP portal. Could be a bit time consuming if you're looking at 100s of organizations.

SAML is the best way to handle this. You can easily add/remove users with various permission levels based on group membership. Here's Meraki's support documentation on SAML integration: Configuring SAML Single Sign-on for Dashboard 

Nick
Head in the Cloud

Sorry to thread hijack!

I've been looking at implementing this - you would then need to do this per Organisation.

Any useful information or pointers before I begin down this road? Is the setup reasonably easy?
Mr_IT_Guy
A model citizen

Hi @Nick,

The setup is reasonably easy. One thing to keep in mind is that if you are using your work email address to access the dashboard and also intend to use it in SAML, you will have to do one or the other. One way to do it is using a service account not attached to SAML and have all admins in the SAML group.

A couple pointers from the documentation:

  • Limited Single Logout (SLO) is available. Dashboard will use the SLO URL to redirect users after they log out of Dashboard, and then can be used to link into SLO with the IdP if supported, but Dashboard does not support receiving SAML LogoutRequests from the IdP.
  • Only SAML 2.0 is supported.
  • Dashboard only supports IdP-Init. Users must first authenticate with the IdP and then be passed to Dashboard with a valid token.
  • While IdP platforms may have a variety of other fields, in most cases they can be left blank or at default settings. Only the above information is critical for Dashboard compatibility.

SAML SSO for MSPs

SAML does support the use of multiple organizations. Similarly to traditional logins, it needs to determine that the user is identical across the affected organizations. Thus, for this to occur, the following must be identical across the designed organizations:

  • X.509 cert fingerprint for the organization
  • SAML administrator role (as only one role attribute can be used in the token)
    • The permissions granted can be different in each Organization, but the role name must be identical

When this occurs, the user will be directed to the MSP portal and receive the desired permissions in each organization. The Consumer URL for any of the MSP organizations can be used, as they will all direct the user to the MSP portal.

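An added example, not part of the thread and not Meraki's code: a Python check built on the two requirements quoted above (identical X.509 fingerprint and identical role name across organizations) and on the original question. It flags organizations that a single IdP group removal would not cover, and organizations where the departing technician still has a directly created admin account. The inventory, its field names, the role name and the addresses are constructed assumptions.

```python
from collections import Counter

FP = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"  # constructed
# Constructed inventory, one entry per Dashboard organization. The field names
# are hypothetical; populate them from your own export of each org's settings.
ORGS = {
    "Customer A": {"fingerprint": FP, "saml_roles": ["msp-techs"],
                   "local_admins": ["svc-dashboard@msp.example"]},
    "Customer B": {"fingerprint": FP.replace(":", "").lower(), "saml_roles": ["msp-techs"],
                   "local_admins": ["svc-dashboard@msp.example", "J.Doe@msp.example"]},
    "Customer C": {"fingerprint": "11" + FP[2:], "saml_roles": ["msp-techs"],
                   "local_admins": []},
    "Customer D": {"fingerprint": FP, "saml_roles": ["MSP-Techs"], "local_admins": []},
    "Customer E": {"fingerprint": "", "saml_roles": [],
                   "local_admins": ["j.doe@msp.example"]},
}

def norm_fp(fp):
    """Compare fingerprints by hex digits only, ignoring colons, spaces and case."""
    return "".join(c for c in fp if c.isalnum()).lower()

def audit(orgs, role, departing):
    """Return (orgs outside the shared SAML setup, orgs with a leftover local admin)."""
    fps = Counter(norm_fp(o["fingerprint"]) for o in orgs.values() if o.get("fingerprint"))
    shared = fps.most_common(1)[0][0] if fps else None  # fingerprint most orgs use
    not_covered, leftover = {}, []
    for name, o in sorted(orgs.items()):
        reasons = []
        if not o.get("fingerprint"):
            reasons.append("SAML not configured")
        elif norm_fp(o["fingerprint"]) != shared:
            reasons.append("fingerprint differs")
        # "Identical" role name is treated here as an exact, case-sensitive match.
        if role not in o.get("saml_roles", []):
            reasons.append("role missing")
        if reasons:
            not_covered[name] = reasons
        # Directly created admins are untouched by IdP group removal.
        if departing.lower() in (a.lower() for a in o.get("local_admins", [])):
            leftover.append(name)
    return not_covered, leftover

if __name__ == "__main__":
    not_covered, leftover = audit(ORGS, "msp-techs", "j.doe@msp.example")
    for org, why in not_covered.items():
        print(f"{org}: not covered by the shared SAML role ({', '.join(why)})")
    for org in leftover:
        print(f"{org}: delete the local admin account for the departing technician")
```

Organizations in the second list still need the per-organization deletion described in the first reply, even after the technician is removed from the IdP group.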