SAML/SSO with RSA securID


Hi Everyone,
I am currently trying to set up SSO login for administrators on the Meraki dashboard.

We're using RSA SecurID for our IdP. If I set up RSA to return a constant value for the role, it works, but if I set up RSA to return "memberOf" or "virtualGroup" it doesn't work. The return value in the SAML XML shows that the whole list of groups is returned, which makes sense. Shouldn't Meraki be able to handle that?

It doesn't work either if I set up RSA SecurID to return all values separated by a comma or as separate attribute values.
Has anyone succeeded in setting up RSA SecurID with Meraki?



As far as I've been able to understand it, Meraki will only handle the first entry in the role attribute, so if the Meraki role is not the first in the list, it will not work.

I have asked our ADFS colleagues to send in the role attribute the memberOf group which only contains a specific string.


I'm assuming this is SAML for Dashboard authentication.  You must return a role attribute with a single value - that being the permission you want the user to be given.


Hmm OK, so basically you almost have no choice other than returning a single value. In my case, it looks like with RSA SecurID I'll have to create 2 configurations, with different static role has. Looks to me that their implementation of SAML for Meraki's dashboard administration is very limited.

The easy way I did this was just by setting the attribute "aCSPolicyName" to the SAML role I defined in the Meraki Dashboard. This was an unused attribute in AD that is sometimes used to set ACLs for users. Doing this allowed me to be able to support multiple rules with a single policy. It especially comes in handy if you switch to SP initiated SAML since you have to define the Apps for those in RSA.
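
A diagnostic for the problem discussed in this thread, added here as an example and not written by any of the posters or by Meraki or RSA: it inspects the role attribute in a decoded SAML assertion and reports whether it carries exactly one value that matches a role defined in the dashboard. The attribute name `role`, the role names and the sample assertions are assumptions constructed for the demo.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_sample(role_values):
    """Constructed assertion fragment (not a real IdP response) for the demo."""
    vals = "".join(
        f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in role_values
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
        f'<saml:Attribute Name="role">{vals}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


def check_role(assertion_xml, dashboard_roles, attr_name="role"):
    """Return (status, values) for the role attribute in a decoded assertion.

    Intended for a response you captured yourself while debugging; it does
    not verify the signature and is not a substitute for SP-side validation.
    """
    root = ET.fromstring(assertion_xml)
    values = [
        (v.text or "").strip()
        for a in root.iter(f"{{{SAML_NS}}}Attribute")
        if a.get("Name") == attr_name
        for v in a.iter(f"{{{SAML_NS}}}AttributeValue")
    ]
    if not values:
        return "missing", values
    if len(values) > 1:
        return "multi-valued", values   # e.g. memberOf mapped straight to role
    if values[0] not in dashboard_roles:
        return "unknown-role", values   # e.g. groups joined with commas, or a DN
    return "ok", values


if __name__ == "__main__":
    roles = {"meraki-full-admin", "meraki-read-only"}  # hypothetical role names
    cases = {
        "static role": ["meraki-full-admin"],
        "memberOf list": ["CN=VPN-Users,DC=example,DC=com", "meraki-full-admin"],
        "comma-joined": ["VPN-Users,meraki-full-admin"],
    }
    for name, vals in cases.items():
        print(f"{name:14} -> {check_role(build_sample(vals), roles)[0]}")
```
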
