It seems like the Meraki SSO/SAML integration has been half baked since it was introduced. SSO/SAML is supposed to simplify things, but having it enabled is causing more work than without it.
These are a few issues that I have noticed so far with SSO/SAML enabled, and I found multiple threads going all the way back to 2017 mentioning these issues. It doesn't look like the SSO/SAML integration has improved since.
- Can't log in to Client VPN with the same email as an SSO user
- No SSO login for the Mobile app
- No ability to log in with more than one SSO admin role via the Okta integration
- No list of SAML users in the Administrator page
This is a shame as I was excited to introduce SSO/SAML login for our Meraki users, but will need to roll back and remove SSO/SAML due to these limitations.
Client VPN users can't use the same email account as their SSO/SAML email account to use VPN.
When I enabled SSO, I had to remove all of the admins that had username/password logins, which also removed their Client VPN profiles. Now I am being told by Meraki support that SSO/SAML users can't use the Client VPN with the same SSO/SAML email accounts. So we essentially need to create dummy email accounts for VPN access? That seems a bit silly.
From Meraki Support:
"You will need to use a different username/email and password for client VPN. You cannot use the SAML username/email for client VPN since the SAML account should be unique. This is why when you add the SAML username/email to the client VPN it gets deleted from the list."
Okta integration only allows a single role to log in, so essentially any user that has been assigned to the Meraki Dashboard SAML app will log in as an administrator, with no way of determining which user receives which role.
Instead of working like most integrations where you can determine what role a user receives, the Meraki Okta integration only allows logging into one specific role. If you want to add additional roles, you need to create another instance of the integration with a brand new certificate, which makes having the integration pointless.
A Senior Technical Engineer from Okta responded in 2017 to this limitation/issue: "Only one SAML administrator role can be sent through the OIN app as it's currently configured. I actually brought this up to Meraki support just last week and I believe it has been relayed to their apps team for review."
Meraki Mobile app doesn't have an SSO/SAML login option.
Our team opened a ticket about this in October 2018; SSO/SAML login via the mobile app is still not an option.
"The Meraki mobile app on both Android and iOS does not support SAML/SSO, making it effectively unusable in our environment because our operators need access to it. In addition, if you are a user enabled for SAML, you can't also authenticate via username/password, which would at least allow us to use SAML on the web, and only a username/password in the mobile app. However, it would be preferable if the mobile app just supported SAML too."
You can't see a list of the SSO/SAML users in the administrator dashboard; it just shows the roles.
You can see the different SAML Administrator roles and see who logged in via SAML using the SAML Login History button, but there is no list of SAML users like there is for normal username/password users.
It's a shame that Meraki hasn't made improvements on the SSO/SAML end. I was really looking forward to enabling it for our users.
> - Can't log in to Client VPN with the same email as an SSO user
This will never work. The Microsoft client vpn built into Windows does not support modern authentication. Nothing Meraki can do about this (except release AnyConnect which can support SAML ...).
> - No SSO login for the Mobile app
I hear you on this one. Late last year Meraki assigned more resources to the mobile app. I don't know who to tag on this one, but it would be good to get this team working on SAML support.
> - No ability to log in with more than one SSO admin role via the Okta integration
I have not used Okta. The SAML provider pushes the role, so this sounds like an Okta limitation. Nothing Meraki can do about that.
> - No list of SAML users in the Administrator page
The SAML provider doesn't expose all potential users. It only exposes the current person trying to log in. So this will never be possible.
I also think that it should be this way. The authentication provider is the only thing that needs to know about all the user accounts. The spread of this information should be minimised for security and privacy reasons.
Hi Philip,
Thanks for your responses.
> - Can't log in to Client VPN with the same email as an SSO user
I am using a MacBook with the Client VPN. It's pretty disappointing that I have to use a dummy email account and not the one I use to log in to Meraki if I want to use the Client VPN.
> - No SSO login for the Mobile app
Definitely a bummer; it's been almost 2 years since we requested SSO/SAML login via the Mobile app and it still isn't a feature.
> - No ability to log in with more than one SSO admin role via the Okta integration
Okta support has told me that this is a limitation on Meraki's side, not on Okta's side.
> - No list of SAML users in the Administrator page
I administer many online apps/services that use SSO/SAML to log in, and pretty much every service I use has a list of users and permissions. Not sure why it's any different on Meraki's interface.
Just been through this exercise with SAML and roles. The issue is not with Okta. Meraki's implementation is very lacking.
To make this work, you effectively need a role for every unique combination of Orgs and Networks. In our case that's nearly every user.
For local admins, you can specify Org (None/RO/Full) + any combination of networks. With SAML you can only provide a single Role that defines a fixed Org+Networks.
We have several hundred sites (networks) with local administrators. Many support multiple sites. That would equate to several hundred roles.
At the moment we can only provide SAML to Global Org admins, due to this limitation.
It's simple to fix. Meraki just needs to split the Role attribute into Org, TargetsRO and TargetsRW (multi-valued), which can be populated with values (group names).
This is basically how other vendors implement it.
Either that, or they just bin the SAML Role and use the local Administrators permissions, so users can log in via local auth or SAML.
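As an added illustration (not code from the thread, from Meraki or from Okta), here is a Python sketch of the two models the post above contrasts: it parses a constructed SAML assertion carrying both the single-valued Role attribute and the hypothetical split Org/TargetsRO/TargetsRW attributes, resolves the split form into per-network permissions, and counts how many fixed roles the single-role model would need for a given set of admins. The attribute names other than Role, the network names and the permission labels are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not a real Meraki or Okta one. "Role" is the
# single-valued attribute the thread describes; Org/TargetsRO/TargetsRW are
# the hypothetical split attributes proposed in the post above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>org-readonly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Org">
      <saml:AttributeValue>read-only</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="TargetsRO">
      <saml:AttributeValue>net-london</saml:AttributeValue>
      <saml:AttributeValue>net-paris</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="TargetsRW">
      <saml:AttributeValue>net-berlin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return out


def effective_permissions(attrs):
    """Resolve the split attributes to a per-target permission map.
    A target listed in both TargetsRO and TargetsRW gets the broader RW grant."""
    perms = {"org": (attrs.get("Org") or ["none"])[0]}
    for net in attrs.get("TargetsRO", []):
        perms[net] = "read-only"
    for net in attrs.get("TargetsRW", []):
        perms[net] = "full"
    return perms


def roles_needed(admins):
    """Distinct fixed roles a single-valued Role attribute needs: one per unique
    (org level, read-only targets, read-write targets) combination."""
    return len({(a["org"], frozenset(a["ro"]), frozenset(a["rw"])) for a in admins})
```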
I have another problem with SAML! If we change the certificate, the fingerprint key is not automatically updated, so I have to change the key on every single organization!
I too implemented SAML/SSO with AzureAD for my company many moons ago in order to fulfil audit tracing of activities more than anything else. One of the bugbears I have is that I had to specify the Dashboard Node that my logins happen against, NXXX, and for whatever reason, that particular node is somewhat slow to update!
I would love it if they had another stab at SSO and SAML.
Good to know. Thank you.