Could we add different user roles using a single X.509 cert SHA1 fingerprint, or do we need to create another IdP for different roles? Such as:
ADMIN role will be using X.509 cert SHA1 fingerprint AAAA
USER role will be using X.509 cert SHA1 fingerprint BBBB
Thanks
No need for multiple IDPs. Define SAML roles:
Another question is, should the role on the IDP be defined before the tokens are generated?
For example, if I have already created the role "ADMIN" on my IDP (JumpCloud), then generated the SHA1 token and filled it in on the Meraki dashboard,
and at another moment I need to add a new role "USER" on my IDP, should I generate a new SHA1 token and fill it in again on the Meraki dashboard?
No - you don't get the option to define roles until the basic SAML IDP setup has been done. Multiple roles can be used against the same IDP.
So, does that mean when I want to add a new role such as "MONITOR", it will use the same SHA1 token as "USER" and "ADMIN"?
Yes - remember that those credentials are used to verify your IDP, not the individual user; that IDP will separately have to authenticate each user.
If the mapping of Role between the IdP side and the Meraki Dashboard side is consistent, this can be achieved with a single IdP.
For example, in the case of Duo Security:
* admin@example.test: Belongs to Admin Group
Duo Central -> Meraki Icon/Tile -> Admin Group is mapped to ADMIN Role -> Meraki Dashboard - ADMIN Role
* user@example.test: Belongs to User Group
Duo Central -> Meraki Icon/Tile -> User Group is mapped to USER Role -> Meraki Dashboard - USER Role
Note: Duo Central is the portal for Single Sign-On provided by IdP.
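The two points made in this thread, that the certificate fingerprint identifies the IdP while the role is carried per user in the SAML assertion, can be shown in a few lines. The following is an added illustration, not code from Meraki, Duo or JumpCloud: it computes the colon-separated SHA1 fingerprint of a signing certificate the way it is pasted into the dashboard, checks an assertion against that single configured fingerprint, and then reads the group value from the assertion's role attribute to pick the dashboard role. The certificate bytes and the assertion are constructed stand-ins, the group-to-role table and the helper names are assumptions, and the attribute name `https://dashboard.meraki.com/saml/attributes/role` is an assumption about the Meraki-side configuration. Verifying the XML signature itself is left to a SAML library and is not shown here.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed stand-in for the IdP's DER-encoded signing certificate (not a real X.509 cert).
IDP_SIGNING_CERT_DER = b"CONSTRUCTED-IDP-SIGNING-CERT-DER-BYTES"

# Assumed attribute name under which the IdP sends the user's group/role.
ROLE_ATTRIBUTE_NAME = "https://dashboard.meraki.com/saml/attributes/role"

# Assumed mapping from the IdP group value to the dashboard role. Adding a role
# means adding a row here (and on the IdP); the IdP certificate does not change.
ROLE_MAP = {
    "Admin Group": "ADMIN",
    "User Group": "USER",
    "Monitor Group": "MONITOR",
}

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def sha1_fingerprint(der: bytes) -> str:
    """Upper-case, colon-separated SHA1 fingerprint of the certificate bytes."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_cert_trusted(der: bytes, configured_fingerprint: str) -> bool:
    """True when the certificate matches the single fingerprint configured for the IdP."""
    expected = configured_fingerprint.upper().replace(" ", "")
    return hmac.compare_digest(sha1_fingerprint(der), expected)


def build_assertion(name_id: str, groups: List[str]) -> str:
    """Constructed (unsigned) SAML assertion carrying the user's groups in the role attribute."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:AttributeStatement><saml:Attribute Name="{ROLE_ATTRIBUTE_NAME}">'
        f"{values}</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def extract_attribute(assertion_xml: str, name: str) -> List[str]:
    """Return all AttributeValue texts for the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    return values


def dashboard_role(assertion_xml: str, der: bytes, configured_fingerprint: str) -> Optional[str]:
    """Dashboard role for the user in the assertion, or None if the IdP cert is not the
    configured one or none of the user's groups maps to a role."""
    # One fingerprint check covers every user and every role behind this IdP.
    if not idp_cert_trusted(der, configured_fingerprint):
        return None
    # The role is per user, read from the assertion, not from the certificate.
    for group in extract_attribute(assertion_xml, ROLE_ATTRIBUTE_NAME):
        if group in ROLE_MAP:
            return ROLE_MAP[group]
    return None


if __name__ == "__main__":
    configured = sha1_fingerprint(IDP_SIGNING_CERT_DER)  # what gets pasted into the dashboard
    print("configured fingerprint:", configured)
    for user, groups in (("admin@example.test", ["Admin Group"]),
                         ("user@example.test", ["User Group"]),
                         ("monitor@example.test", ["Monitor Group"])):
        assertion = build_assertion(user, groups)
        print(user, "->", dashboard_role(assertion, IDP_SIGNING_CERT_DER, configured))
```

All three users pass the same fingerprint check and end up with different roles; an assertion signed by a certificate with a different fingerprint is rejected before any role is looked up, which is why a new role never needs a new fingerprint.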