SAML SSO Entra ID “prompt=select_account”

Pached
Here to help

Good Day

I have integrated Meraki into Azure EntraID (SAML SSO SP initiated.)

My Azure user account (the login for many employee apps) is firstname.lastname@parl.gc.ca. My Azure admin account (the login for the Meraki Dashboard) is azure.firstname.lastname@org.com. When I authenticate to most employee apps, they prompt me to sign in; Meraki Dashboard SSO does not. It automatically tries my user account, which fails. The sign-in prompt works when I use an incognito/private browser. It also works if I have logged in to something else with my Azure admin account, because that account is then cached.

How do I ensure the sign-in prompt always prompts? According to Microsoft this can be achieved by appending “&prompt=select_account” parameter in the URL. Here is the reference article:

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow

prompt=select_account: interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

If I go to https://org-name.sso.meraki.com I get redirected to https://n1.meraki.com/login/dashboard_login/org-name?eid=JYDZDc9wb&sso=true

The “Log in with SSO” link is:

https://login.microsoftonline.com/d35fe7ad-abdf-4422-8ef9-8234b7a904/saml2?SAMLRequest=fZFLS8QwFIX%2FSndZpe1k%2BgxtoTgIAyqi4sKNpEnqBPOouSnqv7ftIOhCN1kk38k599wGmNET7edwsnfybZYQosNyKMuCcrZFpxAmoEmi3YuysVHcO3BjcFYrK2PuTCL2%2BShLJjAbxIizjBBcybHGFdlnQ8ZLVqdZstoQFB0PLXpm9a4q62rBqpLhrJAjroQYcCEGwvK8ElzUCwowy6OFwGxoEUlJjtMck%2FphV9A8o2nxhKJH6WFLSeIURR9GW6CrU4tmb6ljoIBaZiTQwOl9f31FF5AyAOnX6X5Kpv81k3fBcadR16w03dL57rud5Vngk%2BMxgIuN9OxVrd00yU%2B4OXd9s3x%2BPNw6rfhn1Gvt3i%2B8ZEG2KPhZoujSecPC33F28W67UQKPG0qlYUr3QngJgJLu7Pp7qd0X

If I manually append “&prompt=select_account” after the “SAMLRequest=value”, it works and I get the sign-in prompt:

https://login.microsoftonline.com/d35fe7ad-abdf-4422-8ef9-8234b4c7a904/saml2?SAMLRequest=fZFLS8QwFIX...&prompt=select_account

Is there a way that we can set the “&prompt=select_account” after the “SAMLRequest=value”?

Thanks,
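As an added illustration (not code from Meraki or Microsoft), the following builds a SAML HTTP-Redirect binding URL from a constructed AuthnRequest, appends prompt=select_account the way the manual edit above does, and decodes the SAMLRequest back out to confirm the encoded request survives the edit. The tenant ID, request ID and ACS URLs are placeholders, and the AuthnRequest is a constructed sample, not the one the dashboard actually sends.

```python
import base64
import zlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample AuthnRequest; IDs and URLs are placeholders, not Meraki's.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_placeholder-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://n1.meraki.com/saml/login/example-org">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://n1.meraki.com/saml/login/example-org</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Entra ID SAML endpoint with a placeholder tenant ID.
IDP_SSO_URL = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(value: str) -> str:
    """Inverse of encode_redirect_binding: base64-decode, then inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_sso_url(idp_url: str, xml: str) -> str:
    """SP-initiated redirect URL; urlencode escapes the base64 '+', '/' and '='."""
    return f"{idp_url}?{urlencode({'SAMLRequest': encode_redirect_binding(xml)})}"


def add_select_account(sso_url: str) -> str:
    """Append prompt=select_account, leaving SAMLRequest (and any RelayState) intact.

    An existing prompt parameter is replaced rather than duplicated.
    """
    parts = urlsplit(sso_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params = [(k, v) for k, v in params if k != "prompt"] + [("prompt", "select_account")]
    return urlunsplit(parts._replace(query=urlencode(params)))


def saml_request_from_url(sso_url: str) -> str:
    """Pull SAMLRequest out of a URL and decode it (round-trip check)."""
    params = dict(parse_qsl(urlsplit(sso_url).query, keep_blank_values=True))
    return decode_redirect_binding(params["SAMLRequest"])
```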

PhilipDAth
Kind of a big deal

I don't know.

The entire concept of SSO is that you sign in once.  It is designed to use the "current" signed-in user account.

Pached
Here to help

Hi Philip, I get what you are saying, but I am using Meraki's SSO less for single sign-on and more for centralized Identity and Access Management (IAM) purposes, i.e., if an employee gets fired today, his access will be immediately and centrally revoked in Entra ID; SSO is the way to make that happen.

PhilipDAth
Kind of a big deal

I took a look at that document, but it is for OAuth, not SAML. The dashboard uses SAML authentication.

Pached
Here to help

You are correct, it is an OAuth doc. However, I believe that parameter is still applicable in SAML.
