It seems like the Meraki SSO/SAML integration has been half baked since it was introduced. SSO/SAML is supposed to simplify things, but having it enabled is causing more work than without it.
These are a few issues that I have noticed so far with SSO/SAML enabled, and I found multiple threads going all the way back to 2017 mentioning these issues. It doesn't look like the SSO/SAML integration has improved since.
- Can't log in to Client VPN with the same email as an SSO user
- No SSO login for the Mobile app
- No ability to log in with more than one SSO admin role via the Okta integration
- No list of SAML users in the Administrator page
This is a shame as I was excited to introduce SSO/SAML login for our Meraki users, but will need to roll back and remove SSO/SAML due to these limitations.
Client VPN users can't use the same email account as their SSO/SAML email account to use VPN.
When I enabled SSO, I had to remove all of the admins that had username/password logins, which also removed their Client VPN profiles. Now I am being told by Meraki support that SSO/SAML users can't use the Client VPN with the same SSO/SAML email accounts. So we essentially need to create dummy email accounts for VPN access? That seems a bit silly.
From Meraki Support:
"You will need to use a different username/email and password for client VPN. You cannot use the SAML username/email for client VPN since the SAML account should be unique. This is why when you add the SAML username/email to the client VPN it gets deleted from the list."
Okta integration only allows a single role to log in, so essentially any user that has been assigned to the Meraki Dashboard SAML app will log in as an administrator, with no way of determining which user receives which role.
Instead of working like most integrations, where you can determine what role a user receives, the Meraki Okta integration only allows logging into one specific role. If you want to add additional roles, you need to create another instance of the integration with a brand new certificate, which makes having the integration pointless.
A Senior Technical Engineer from Okta responded in 2017 to this limitation/issue "Only one SAML administrator role can be sent through the OIN app as it's currently configured. I actually brought this up to Meraki support just last week and I believe it has been relayed to their apps team for review."
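Since every user of the app lands in the one configured role, it is worth checking what role value your IdP actually puts in the assertion. The script below is an added example (not from this post, Meraki or Okta): it decodes a base64 SAMLResponse, pulls the NameID and role attribute, and flags users whose asserted role differs from the role you intended for them. The attribute name and the sample response are assumptions constructed for the example; it does not validate signatures, so run it only on responses you have already captured and trust.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute name that Dashboard reads for the SAML admin role;
# confirm it against your own IdP app configuration.
ROLE_ATTR = "https://dashboard.meraki.com/saml/attributes/role"

def parse_saml_response(b64_response: str) -> dict:
    """Return the NameID and role values carried by a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID",
                            default="", namespaces=NS)
    roles = []
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            roles += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "roles": roles}

def audit(b64_response: str, expected: dict) -> list[str]:
    """Flag a login whose asserted role differs from the role intended for that user."""
    parsed = parse_saml_response(b64_response)
    want = expected.get(parsed["name_id"])
    findings = []
    if want is None:
        findings.append(f"{parsed['name_id']}: not in expected-role map")
    elif parsed["roles"] != [want]:
        findings.append(f"{parsed['name_id']}: IdP sent {parsed['roles']}, expected [{want!r}]")
    return findings

# Constructed sample: a help-desk user the IdP maps to the single
# "Organization Admin" role the integration was configured with.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>helpdesk@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://dashboard.meraki.com/saml/attributes/role">
        <saml:AttributeValue>Organization Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
EXPECTED_ROLES = {"helpdesk@example.com": "Read Only"}  # what we intended

if __name__ == "__main__":
    for line in audit(SAMPLE_B64, EXPECTED_ROLES):
        print(line)
```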
Meraki Mobile app doesn't have SSO/SAML login option.
Our team opened a ticket about this in October 2018, and SSO/SAML login via the mobile app is still not an option.
"The Meraki mobile app on both Android and iOS does not support SAML/SSO, making it effectively unusable in our environment because our operators need access to it. In addition, if you are a user enabled for SAML, you can't also authenticate via username/password, which would at least allow us to use SAML on the web, and only a username/password in the mobile app. However, it would be preferable if the mobile app just supported SAML too."
You can't see a list of the SSO/SAML users in the administrator dashboard; it just shows the roles.
You can see the different SAML Administrator roles, and see who logged in via SAML under the SAML Login History button, but there is no list of SAML users like there is for normal username/password users.
It's a shame that Meraki hasn't made improvements on the SSO/SAML end. I was really looking forward to enabling it for our users.