SAML SSO vs Local Administration Account
Hi folks,
Is there any way to override the current limitation when the same account name attempts to log in to different organizations, with SP-Initiated SAML SSO enabled on one of them and the account locally provisioned on the second organization?
Regards,
JC
I configure all my SSO to Meraki setups to send sAMAccountName instead of email address/UPN. Then the SAML username is guaranteed to be unique from any existing Meraki Dashboard account (which uses email addresses).
How or why do you want it to be Unique? How can I have 1 SAML user that can access multiple companies?
To have a SAML user be able to access multiple dashboards, you just copy the SAML configuration in one dashboard to the other one you also want them to be able to access.
Thanks, Philip. For some reason it didn't work for SP-Initiated SAML SSO when I tested it, but I will give it a try again out of curiosity. It would not really meet the requirements of our security posture, but it could be a good workaround in some other scenarios.
To be honest, I could not have figured out that the "username" SAML attribute value could be anything but an email address, as it happens for locally defined accounts.
Regards,
JC