Meraki Dashboard - Multiple SSO's - Entra ID Issue

Tony_Perkis
New here

Looking to see if I can get some assistance from the community on this one.

I am looking to migrate some Meraki Dashboard SSOs to Entra ID from our old system to the new system. I have 2-3 of them.

I have configured quite a few SSO Enterprise Applications in Entra ID, but this one is a bit unique to me since the Entity ID has to be https://dashboard.meraki.com.

If I was just doing one site, this would have been configured and completed by now.

Entra ID doesn't allow the Entity ID to be the same value as another one, so they have to be unique even though the ACS is different. I read that it has to be https://dashboard.meraki.com in order for it to work... for the IdP-initiated. I know for SP-initiated there's the chance I could use the subdomain SSO option, which I think would work for the uniqueness, such as https://site1.sso.meraki.com / https://site2.sso.meraki.com / https://site3.sso.meraki.com, but they want to be able to go to https://myapplications.microsoft.com and click the link(s) to log in. I think I read that subdomain SSO was used for SP-initiated SSO, not IdP.

For example purposes, these are the three sites I want to migrate.

Site 1:

Entity ID: https://dashboard.meraki.com

ACS: https://dashboard.meraki.com/saml/login/site1

Site 2:

Entity ID: https://dashboard.meraki.com

ACS: https://dashboard.meraki.com/saml/login/site2

Site 3:

Entity ID: https://dashboard.meraki.com

ACS: https://dashboard.meraki.com/saml/login/site3

What would you recommend would be the best course of action to complete this?

3 Replies
Ryan_Miles
Meraki Employee All-Star

Unfortunately my Entra lab is no longer functional because I'm stuck in some weird loop of MSFT killing my tenant and I can't create anything new. But, when I did have it functional I had it doing SSO to my 8 Meraki test labs. I used the SSO subdomain as the entity ID so it was different for each ent app in MSFT.

So lab.sso.meraki.com, lab1.sso.meraki.com, lab2.sso.meraki.com, etc. That definitely worked using the SP login pages. I believe it worked using the IdP sign on flow too. But it's been many months and I cannot recall for sure.

Can you set it up like that and test it?

Tony_Perkis
New here

I will see if I can do that. I wasn't sure if it was an option from what I read, but I guess it doesn't hurt to try lol.

MartinLL
A model citizen

I did something like this a few weeks ago for two orgs I manage.

What you can do is to set up SSO for both orgs, install the dashboard enterprise app in Entra and reuse the same thumbprint and SSO URLs on both tenants. This links both organizations to the same enterprise app and when you log in you can select which one you want to access just as before.

You can also add a subdomain for one of the organizations to enable SP-initiated SSO. You just need to add it for one organization. It will work for both.

You need to get a bit clever with SAML admin roles though. All roles need to exist in all organizations linked to the enterprise app. If not, you get a sign-in error. The good news is that the roles do not need to map to the same access levels in each organization. You could, for example, do an ALL_ORG_ADM which maps to full org access in all organizations and a SITE1_ORG_ADM which maps to organization admin in site1, but to a dummy network with just read access in the Site2 and Site3 organizations.

@PhilipDAth has a brilliant post about it in this thread

MLL
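A pre-go-live check for the role-consistency point in the reply above, added here as an example and not code from the thread, from Meraki or from Entra: it takes per-organization SAML role lists (constructed samples shaped like the records the Dashboard API's samlRoles endpoint returns, laid out as the ALL_ORG_ADM / SITE1_ORG_ADM scheme MartinLL describes), reports any role that is missing from a linked org (the sign-in error case), and summarises what each role grants in each org so the least-privilege mapping can be reviewed before users are cut over.

```python
"""Check that every SAML role used by a shared IdP app exists in every linked
Meraki org, and summarise what each role grants per org. Records mimic the
shape of GET /organizations/{organizationId}/samlRoles; values are constructed."""

# Constructed sample: three orgs linked to one Entra enterprise app.
SAML_ROLES_BY_ORG = {
    "site1": [
        {"role": "ALL_ORG_ADM", "orgAccess": "full", "networks": []},
        {"role": "SITE1_ORG_ADM", "orgAccess": "full", "networks": []},
    ],
    "site2": [
        {"role": "ALL_ORG_ADM", "orgAccess": "full", "networks": []},
        {"role": "SITE1_ORG_ADM", "orgAccess": "none",
         "networks": [{"id": "N_dummy2", "access": "read-only"}]},
    ],
    "site3": [
        {"role": "ALL_ORG_ADM", "orgAccess": "full", "networks": []},
        # SITE1_ORG_ADM deliberately absent: its users get a sign-in error here.
    ],
}

def all_role_names(roles_by_org):
    """Every SAML role name defined in any linked org."""
    return {r["role"] for roles in roles_by_org.values() for r in roles}

def missing_roles(roles_by_org):
    """Return {role: [orgs lacking it]}; non-empty means some users will fail sign-in."""
    per_org = {org: {r["role"] for r in roles} for org, roles in roles_by_org.items()}
    gaps = {}
    for role in sorted(all_role_names(roles_by_org)):
        lacking = sorted(org for org, names in per_org.items() if role not in names)
        if lacking:
            gaps[role] = lacking
    return gaps

def effective_access(roles_by_org):
    """Per role and org: orgAccess value, network access level(s), or 'MISSING'."""
    summary = {role: {} for role in all_role_names(roles_by_org)}
    for org, roles in roles_by_org.items():
        by_name = {r["role"]: r for r in roles}
        for role in summary:
            r = by_name.get(role)
            if r is None:
                summary[role][org] = "MISSING"
            elif r["orgAccess"] == "full" or not r["networks"]:
                summary[role][org] = r["orgAccess"]
            else:
                summary[role][org] = ",".join(n["access"] for n in r["networks"])
    return summary
```

Run against real data by replacing SAML_ROLES_BY_ORG with the samlRoles response for each linked organization; any role listed by missing_roles must be created in that org before the shared enterprise app goes live.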