Meraki

Community

Meraki Single Sign-On (SSO) integration with Azure AD. Including granular rights assignment.

Solved
AdamSedar
Conversationalist
‎Apr 17 2019 6:36 AM
‎Apr 17 2019 6:36 AM

Meraki Single Sign-On (SSO) integration with Azure AD. Including granular rights assignment.

Hi all.

 

I have recently implemented single sign-on of the Meraki dashboard with Azure AD.

Here is the article I have just written about it;

 

https://www.linkedin.com/pulse/meraki-dashboard-sso-azure-ad-services-microsoft-identity-adam-sedar/...

 

I found a little stumbling block when I first did this work, that I did not include in the article.

Firstly. If you enable group-based claims within Azure AD, you need to be running an up to date version of Microsoft AD connect software.

Only the more recent versions of the software provide the ability to replicate on-premise group names (rather just the GUID) to Azure AD.

This is only required if you want to use on-premise AD groups, to give access to the SSO Meraki portal.

 

Secondly, I found (and tested multiple times) that when the SAML token is sent to Meraki, yes the AD groups are also listed under the role claim.

However, the problem is that all the groups that the user is a member of, are sent.

From what I can tell the Meraki dashboard only reads the first role claim entry, not all of the lines.

 

In the article above, I have documented using Azure RBAC function within the Azure enterprise application, thus you can map an RBAC role (by value) to a group role claim, which enabled the SSO to work.

Also enabling you to give different Meraki rights based on user or group, the same as ADFS.

 

What is nice (in my opinion) is that you don't need to place a non-SAAS service dependency on your Meraki SAAS management.

 

I hope this helps people.

All the best.

Adam.

1 Accepted Solution
In response to PhilipDAth
AdamSedar
Conversationalist
‎Apr 18 2019 1:35 AM
‎Apr 18 2019 1:35 AM

Thanks very much Philip.

 

I found that there seemed to be a functionality gap here and I couldn't find any simple, full guides on how to achieve something which I thought made sense.

 

Regards,

Adam.

View solution in original post

0 Kudos
9 Replies 9
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 17 2019 3:05 PM
‎Apr 17 2019 3:05 PM

Well done!  That is impressive!

0 Kudos
In response to PhilipDAth
AdamSedar
Conversationalist
‎Apr 18 2019 1:35 AM
‎Apr 18 2019 1:35 AM

Thanks very much Philip.

 

I found that there seemed to be a functionality gap here and I couldn't find any simple, full guides on how to achieve something which I thought made sense.

 

Regards,

Adam.

0 Kudos
stevebyatt
Meraki Employee
Meraki Employee
‎Apr 17 2019 11:56 PM
‎Apr 17 2019 11:56 PM

Thanks for sharing this Adam. 

In response to stevebyatt
AdamSedar
Conversationalist
‎Apr 18 2019 6:09 AM
‎Apr 18 2019 6:09 AM

No worries Steve. What's the chances of getting something like this documented officially within Meraki, Microsoft Azure's Identity Services become commonplace now. 🙂
0 Kudos
In response to AdamSedar
stevebyatt
Meraki Employee
Meraki Employee
‎Apr 18 2019 6:36 AM
‎Apr 18 2019 6:36 AM

Not sure Adam, but between Paul and I we will try to find out 🙂

0 Kudos
c53e
Conversationalist
‎Jun 24 2020 1:44 AM
‎Jun 24 2020 1:44 AM

No matter what I try to do when editing the JSON I get

 

"Failed to update Meraki Dashboard application. "Error detail: One or more properties contains invalid values.""

 

The JSON now also has more attributes than it used to:

 

  "allowedMemberTypes": [
                "User"
            ],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "xxxxxx-yyyy-ffff-nnnn-jgjgjgjg",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": null
 
 
For some reason this SAML implementation has been a pain in the ass compared to all the other apps we use. 
 
The full JSON looks like this when it throws the error
 
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "msiam_access",
"displayName": "msiam_access",
"id": "<Default Guid>",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": null
},
{
"allowedMemberTypes": [
"User"
],
"description": "Meraki Admin",
"displayName": "Meraki Admin",
"id": "randomly created GUID",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Meraki Dashboard Admin SAML Group name"
}
],
0 Kudos
In response to c53e
NO_4Life
Just browsing
‎Oct 8 2020 4:06 PM
‎Oct 8 2020 4:06 PM

Hey man, no idea if you ever figured this out, but if not, remove "origin": "Application", from all custom roles.  That is what AzureAD doesn't like

0 Kudos
KitCheng
Here to help
‎May 4 2022 7:40 AM
‎May 4 2022 7:40 AM

Hello Adam,

Thank you for your post, it was very helpful. I have a question, where should I access the Meraki Dashboard so I can use SSO. When I go to https://dashboard.meraki.com, I have no option to use SSO. I'm told by Meraki that I have to access the dashboard from Azure. So I went to the O365 "MyApp" and access the "Meraki Dashboard" app there. When I do that, I was redirected to Meraki and all I see is the word "true". What am I doing wrong? Your help is much appreciated.

 

KitCheng_0-1651675165578.png


Thanks
Kit

0 Kudos
In response to KitCheng
KitCheng
Here to help
‎May 5 2022 10:56 AM
‎May 5 2022 10:56 AM

Status update:

 

So, I figured out my problem.  Apparently, you should use a different email for your SAML login than your manual.  I was using my work email address as the manual logon to the dashboard.  Once I change the manual logon to another email address, SSO is now working.

 

Thanks

Kit

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.