Enabling SSO on dashboard - clarifying questions

Aaron_Wilson
A model citizen


I am looking at enabling SSO, but I wanted to clear up a few things. Everything is well documented except for the actual user experience.

 

Question 1: Can someone clarify the user experience flow for SSO enabled orgs?

 

Current:

  1. User enters email into dashboard.meraki.com, clicks next
  2. User enters password, clicks next
  3. User prompted to select org, pick the org
  4. User taken to org

 

SSO enabled:

  1. User enters email into dashboard.meraki.com, clicks next
  2. Redirected to IdP process???
  3. ???
  4. ???

 

 

Question 2: How are multiple orgs handled if some have SSO and some don't?

 

The part I am confused about is with Meraki you do not claim a domain (org such as @Acme.com). If joe@acme.com is an admin on a few orgs, some of which have SSO and some don't, how does the dashboard process know to invoke SSO or not?

 

On other sites, like Cisco's Webex or Microsoft's O365, you actually claim "acme.com" as a company/org, so that anytime someone enters an @Acme.com email it will redirect to their respective IdP for authentication and authorization.

 

In the case of Meraki, you are setting SSO parameters at the org level. Wouldn't it be possible to have multiple email domains within a specific org, and if so, how does that bubble up?

 

Note, I am not an MSP but instead a customer. However, we might have a few orgs where we do not want SSO. We have also had access to other orgs without SSO, such as a company acquisition or joint venture type of scenario.

 

Thanks in advance!

 

 

PhilipDAth
Kind of a big deal

If you are using Cisco SecureX (free), you are about right.  You go to the Meraki Dashboard like normal and log in and get redirected to Cisco SecureX.

https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Cisco_SecureX_Sign... 

 

If you are using any other IdP (like Azure, Duo, etc.) you go to the IdP's portal (by this stage you are already logged in), and click on the "Meraki Dashboard" icon. You then get logged into Meraki using SSO.

You are not able to log in via the Meraki Dashboard.

Aaron_Wilson
A model citizen

Woah, wait, what? You have to go into the IdP portal to get logged in? O_o

 

Azure would be the use case.

 

Does that mean you could still log into the normal dashboard to non-SSO orgs using the same email address? I guess that is a positive....but wow.....

PhilipDAth
Kind of a big deal

Of all the IdPs, Azure is the worst. Its portal has no administrative control. So you create the "Enterprise App". Once that is done, any user can add it to their user portal. Of course, you can still apply restrictions in Azure to prevent them from using it.

 

>Does that mean you could still log into the normal dashboard to non-SSO orgs using the same email address?

 

Yes.

 

Also note a painful restriction: you cannot authenticate to a Meraki org using an email address that is already set up in the Meraki org. It blocks it, saying that is a local user. It's dumb.

So when using Azure, I usually change it to authenticate to Meraki using sAMAccountName instead of email address.

 

 

Cisco SecureX does allow you to back end into Azure.  I haven't tried it myself, but it is likely to deliver a better experience.

https://www.cisco.com/c/en/us/td/docs/security/secure-sign-on/sso-quick-start-guide/sso-qsg-whats-ne... 

 

 

Dartanian14
Comes here often

Don't set SSO up with Azure. For one, it's trash and you have to use the browser extension. And two, we did this the other day and got through it all only to realize this, remove it, and now I can't get into the dashboard at all. Even after having my counterpart totally remove me and reinvite me, all I get are "server error encountered" when trying to set up access. Real garbage heap.

Aaron_Wilson
A model citizen

Thanks for the insight!

 

One additional question. Has anyone deployed SSO but left the existing accounts as non-SSO, while new users/accounts were SSO enabled?

 

If enabling SSO for an org but leaving all of the existing accounts as non-SSO, this might be a compromise.

watdee
Getting noticed

@Aaron_Wilson I'm pretty sure that should work fine, at least with the Azure setup; it worked for me.

watdee
Getting noticed

@Dartanian14 What browser extension? I currently have to go through the O365 portal to log in. Meraki should enable SAML on their own login page like most other SAML integrated apps I've set up.

PhilipDAth
Kind of a big deal

I just tried Cisco SecureX backed into Azure AD and the process works well enough.

 

One MAJOR downside: you cannot convert an existing Meraki login to being a Cisco SecureX login. It had to be a brand new Administrator.

I tried deleting myself from a test org and re-adding, but it requires that you are deleted from EVERY org before you can re-add the user as a Cisco SecureX user.
