Meraki SAML Role Limitation – Only First Role Applied in Multi-Value role Attribute from ADFS/Entra

HaydenSeng
Conversationalist


Hi There,

 

We are encountering an issue with SAML SSO into the Meraki Dashboard where only the first value of the https://dashboard.meraki.com/saml/attributes/role attribute is being applied, even when multiple roles are present in the SAML assertion.

 

This happens with both ADFS, which emits multiple <AttributeValue> elements under the same role attribute, and Microsoft Entra ID (Azure AD), which can emit one semicolon-separated string (with workarounds), but is also ignored if multiple values are listed individually.

 

For example, in ADFS, the SAML token includes:
<Attribute Name="https://dashboard.meraki.com/saml/attributes/role">
    <AttributeValue>PACA Techs</AttributeValue>
    <AttributeValue>SCOM Techs</AttributeValue>
    <AttributeValue>SCOM Camera Operators</AttributeValue>
</Attribute>

 

Only the first role - PACA Techs - is applied. The others are ignored.

 

This causes problems in our environment where staff are members of multiple school groups and need role-based access to several Meraki networks. We have over 140 school sites, and cannot practically manage this by creating a new combined role for every user’s access pattern.

 

We believe Meraki is not currently supporting multiple <AttributeValue> elements under a single role attribute, and we are requesting:
1. Confirmation of this limitation.
2. Clarification on whether support for multi-valued SAML role attributes is planned.
3. Guidance on recommended best practices for using Entra ID or ADFS where users need access to multiple roles.

 

I understand that some workarounds use the semicolon, but with over 140 sites we would need to custom-configure this, which isn't practical in our case with over 200 staff that we would then need to manage manually. At the moment, groups are permissions via our HR system and based off RBAC.

 

Thanks in advance!

alemabrahao
Kind of a big deal

Meraki does not currently support multiple AttributeValue elements under the same SAML role attribute. The Dashboard only processes the first value and ignores all subsequent ones.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
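
A check an administrator could run over a captured assertion to see which role values would be dropped, given the first-value-only behaviour described in the reply above. This is an added example, not part of the original thread and not Meraki code; the function name and sample assertion are constructed, and it only inspects attributes (it does not validate the assertion's signature).

```python
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://dashboard.meraki.com/saml/attributes/role"

# Constructed sample: an AttributeStatement shaped like the ADFS output in the post.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://dashboard.meraki.com/saml/attributes/role">
      <saml:AttributeValue>PACA Techs</saml:AttributeValue>
      <saml:AttributeValue>SCOM Techs</saml:AttributeValue>
      <saml:AttributeValue>SCOM Camera Operators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _local(tag):
    # Strip any "{namespace}" prefix so prefixed and bare elements both match.
    return tag.rsplit("}", 1)[-1]


def audit_role_attribute(assertion_xml):
    """Return (applied, ignored) for the Meraki role attribute.

    applied is the first non-empty AttributeValue, or None if there is none.
    ignored lists every later value, which per the reply is not processed.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for elem in root.iter():
        if _local(elem.tag) != "Attribute" or elem.get("Name") != ROLE_ATTR:
            continue
        for child in elem:
            text = (child.text or "").strip()
            if _local(child.tag) == "AttributeValue" and text:
                values.append(text)
    if not values:
        return None, []
    return values[0], values[1:]


if __name__ == "__main__":
    applied, ignored = audit_role_attribute(SAMPLE_ASSERTION)
    print("applied:", applied)
    for role in ignored:
        print("ignored:", role)
```

Run it against assertions captured from your own IdP (for example from a SAML tracer export) before rollout to find users whose access would silently be narrower than their group memberships suggest.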