MSP-style login for SSO account

Dunky
Head in the Cloud

MSP-style login for SSO account

We have two organizations both using Azure SSO in different tenancies

I want to be able to log in with my SSO email address and be presented with a choice of organizations.

My account has been 'guested in' to the other orgs Azure ok.

I can log in to each org via their specific URL, i.e. org1.sso.meraki.com and org2.sso.meraki.com

All I see when I log in though is the org I've logged into. I want the choice to select the required org once I've logged in.

I'm obviously missing something?

TIA

11 Replies
Mloraditch
Kind of a big deal

I'm thinking it may be because of the subdomains being defined. We leave that blank and can see all our SSO-enabled orgs from one account when they share the same fingerprint and login URL.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Dunky
Head in the Cloud

Could you explain that a little more please @Mloraditch ?

What do you mean when you say you leave your subdomains blank?

Mloraditch
Kind of a big deal

See below, I'm referring to the SSO Subdomain field

[Screenshot of the SSO Subdomain field in the dashboard SAML settings]

Dunky
Head in the Cloud

Ahh I see what you mean now, but that raises even more questions...

So simply remove the subdomain?

What URL would we use then to login to the dashboard?

When logging into Vision Portal I assume we would still click on "Log in with SAML SSO"? But then it asks for a subdomain.

What subdomain would we enter in the app?

I really appreciate you taking your time to assist 

Mloraditch
Kind of a big deal

You can initiate from here: https://myapps.microsoft.com, as long as you have the Enterprise app visible to your users.

I don't use cameras at all so I can't answer regarding the Vision portal. @PhilipDAth may be able to help when he's next online (it's already the weekend in NZ). He's done a lot of SSO and helped a number of others on threads through the years.

Dunky
Head in the Cloud

Thanks @Mloraditch 

It's the weekend here in 30 mins too 😀

Hopefully Philip may be able to guide me.

It's annoying that I can't find any official Meraki documentation outlining how to achieve this.

JamesT91
Head in the Cloud

And to save yourself having to go via MyApps first, you can right-click>copy link on the app and then add that URL as your bookmark 😊

PhilipDAth
Kind of a big deal

>We have two organizations both using Azure SSO in different tenancies

To be clear, are you talking about two different Azure tenancies here?

And you have different logins for each of the two Azures?

Dunky
Head in the Cloud

Hi Philip,

Yes, they are two separate Azure organizations.

I have one SAML login in Org A, that same account is guested in to Org B's organization

PhilipDAth
Kind of a big deal

I do not believe this approach will work.

Fundamentally, an Entra account is only authenticated in one tenancy: the one where it was created. When you add it as a guest to another tenancy, that tenancy does not authenticate the guest user itself; it relies on that authentication being forwarded from the tenancy where the user is actually hosted.

The Meraki Dashboard cannot ask the Entra tenant associated with your guest account to authenticate you. Only the source tenant can do that.

A better solution would be to add your Entra to their Meraki Dashboard. Doing this is as simple as copying the SHA1 fingerprint from your existing dashboard to their dashboard, like this (this tenant has three SAML authentication sources!).

[Screenshot: dashboard SAML settings listing three IdP fingerprints]

And then add the SAML roles you use to their system. I tend to do a lot of SAML work in general, so I tend to name my roles:

<Company>-<App>-<Role>

In the example below, IFM is the MSP. This role is intended to authenticate access to the Meraki Dashboard, and this is intended to provide Administrator access. This makes it very clear to anyone looking at the logs which company accessed their system, and who it was.

[Screenshot: SAML administrator role named IFM-Meraki-Administrator]

Also, if you are using Entra, use the "mysigns" style to access the Meraki Dashboard. This is the most powerful way to gain access (and very quick, just two mouse clicks).

[Screenshot: Entra app launcher tile for the Meraki Dashboard]
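As an added example (not code from the thread or from Meraki), here are small helpers for the two administrative checks PhilipDAth's post implies: confirming that the SHA1 fingerprint you copy between dashboards really is the fingerprint of the IdP signing certificate, and validating that SAML role claims follow the `<Company>-<App>-<Role>` convention so the audit log names the accessing company. The certificate bytes are a constructed placeholder (not a real X.509 certificate) and the set of permitted dashboard roles is hypothetical.

```python
"""Helpers for sharing one Entra IdP across Meraki organizations (added
example, not from the thread).  The PEM body is a constructed placeholder
and ALLOWED_ROLES is a hypothetical SP-side mapping."""

import base64
import hashlib
import re
import textwrap


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER bytes."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER encoding, rendered AA:BB:CC:... as dashboards show it."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(displayed: str, pem: str) -> bool:
    """Compare a fingerprint copied from one dashboard with the IdP certificate,
    tolerating case and separator differences introduced by copy/paste."""
    def norm(s):
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(displayed) == norm(sha1_fingerprint(pem))


# <Company>-<App>-<Role>, each part alphanumeric.
ROLE_RE = re.compile(
    r"^(?P<company>[A-Za-z0-9]+)-(?P<app>[A-Za-z0-9]+)-(?P<role>[A-Za-z0-9]+)$"
)

# Hypothetical set of dashboard privilege names this SP will honour.
ALLOWED_ROLES = {"Administrator", "ReadOnly"}


def parse_role(claim: str):
    """Return (company, app, role) for a well-formed claim, else None."""
    m = ROLE_RE.match(claim)
    if not m:
        return None
    return (m.group("company"), m.group("app"), m.group("role"))


def audit_role_claims(claims, app="Meraki"):
    """Split incoming role claims into accepted (company, role) pairs and
    rejected (claim, reason) pairs; only claims for this app with a known
    role are accepted, so a log reader always sees which company logged in."""
    accepted, rejected = [], []
    for claim in claims:
        parsed = parse_role(claim)
        if parsed is None:
            rejected.append((claim, "does not match <Company>-<App>-<Role>"))
            continue
        company, claim_app, role = parsed
        if claim_app != app:
            rejected.append((claim, f"claim is for app {claim_app}, not {app}"))
        elif role not in ALLOWED_ROLES:
            rejected.append((claim, f"unknown role {role}"))
        else:
            accepted.append((company, role))
    return accepted, rejected


# Constructed placeholder "certificate" bytes; not a real DER certificate.
FAKE_DER = bytes(range(64))
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + textwrap.fill(base64.b64encode(FAKE_DER).decode(), 64)
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fp = sha1_fingerprint(FAKE_PEM)
    print("fingerprint to paste into the second dashboard:", fp)
    print("lower-case copy still matches:", fingerprints_match(fp.lower(), FAKE_PEM))
    sample_claims = ["IFM-Meraki-Administrator", "IFM-Meraki-ReadOnly",
                     "IFM-Vision-Administrator", "admins", "IFM-Meraki-Owner"]
    accepted, rejected = audit_role_claims(sample_claims)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Run against the real IdP signing certificate exported from the Entra enterprise app, `sha1_fingerprint` gives the value to compare with what the second organization's dashboard displays after you paste it; `audit_role_claims` shows why per-company role names make a dashboard log entry self-explaining without consulting the IdP.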

Dunky
Head in the Cloud

Thanks Philip, will give it a go.
