SSO with multiple IDPs

Solved
Chema-Spain
Getting noticed

SSO with multiple IDPs

Hi,

 

We have a customer Org in a shared management scheme (both customer and our accounts have write privileges).

 

We already had deployed SSO for our corporate users (validating in our Az AD IDP), leaving customer users as local managers in the dashboard.

 

Now customer is requiring SSO too. I've seen you can configure multiple IDPs at Org level. So we will deploy another IDP for the customer.

 

However, I do not know how it works. Both SSO would follow the IDP initiating model.  I've seen nothing in the dashboard that could associate each @domain to their own IDP. I've seen nothing in the meraki documentation or community so far.

 

Should I assume each time a user logs in the dashboard it would try to authenticate in first IDP in the list and in case it is not authenticated it will try with the second one?

 

Thanks for your support.

1 Accepted Solution
Chema-Spain
Getting noticed

I think I can answer myself:

 

As it is IDP initated model, you first go to your IDP and then redirected to the dashboard only in case you pass your IDP authentication. So no issues here:

 

The customer would go to directly to authenticate against its IDP and our users to our Az AD. 

 

Sorry, I just think it deeply once I had opened the topic.

View solution in original post

3 Replies 3
Chema-Spain
Getting noticed

I think I can answer myself:

 

As it is IDP initated model, you first go to your IDP and then redirected to the dashboard only in case you pass your IDP authentication. So no issues here:

 

The customer would go to directly to authenticate against its IDP and our users to our Az AD. 

 

Sorry, I just think it deeply once I had opened the topic.

PhilipDAth
Kind of a big deal
Kind of a big deal

You are correct - that is exactly how it works.  Using multiple IDPs is not an issue.

 

When I do IDP setups, I tend to embed the company's name that owns the IDP in the SSO role name.  For example:

companya_admin

companya_readonly

companyb_admin

companyb_readonly

 

Note that there is "some" support for SP initiated logins, but you have to configure a magic sub-domain.  I think it is a good first step, but I don't consider it worth using at the moment.  Customres are better off using their providers IDP portal (unless you are using the crap Azure IDP portal, and then you'll have to decide what is the least of the two poor aproaches).

https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/SP-Initiated_SAML_... 

Chema-Spain
Getting noticed

Thanks for your response.

 

Yes, I see Meraki has recently added the SP-initiated SAML option that requires the new early access configuration. However, we will still deploy the IDP-initiated unless we could see any advantage using the SP-initiated.

Get notified when there are additional replies to this discussion.