Meraki

Community

SAML Integration with AD Self Service Plus

Solved
AnthonyJulien
New here
‎Dec 26 2024 2:56 AM
‎Dec 26 2024 2:56 AM

SAML Integration with AD Self Service Plus

Hi everyone!

 

I hope everything is fine.

I'm trying to integrate Cisco Meraki with AD Self Service, so the users can login to Meraki directly from the AD Self Service.

 

I have run the tests, but I am getting the error: Assertion contains no username and no role.

 

I'm relatively new to this SAML thing, and don't know how to resolve it.

Any help would be greatly appreciated.

 

I can see the username in the XML file, but no role? How should I be adding all of these things?

AnthonyJulien_0-1735210608255.png

 

0 Kudos
1 Accepted Solution
sungod
Kind of a big deal
Kind of a big deal
‎Dec 26 2024 3:33 AM
‎Dec 26 2024 3:33 AM

Have you defined the role(s) you want in Dashboard?

 

Org->Aministrators, scroll down to SAML administrator roles, if not you need to add at least one role.

 

The role defines what access rights a matchng user will be given.

 

Then in your AD, any user that you want to be able to login needs that role in their settings.

 

I've not used ADSSP but I see there''s a guide for Dashboard...

https://www.manageengine.com/products/self-service-password/help/admin-guide/Application/sso/merakic...

...it says....

Please make sure in Cisco Meraki the role (Organization > Administrators) maps to the department attribute and the username maps to the mail attribute in Active Directory.

 

There are also several SAML guides in Meraki documentation, for instance...

https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_S...

 

 

With Dashboard SAML a user must have one role.

View solution in original post

5 Replies 5
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 26 2024 3:31 AM
‎Dec 26 2024 3:31 AM

Configuring SAML Single Sign-on for Dashboard 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
RWelch
Kind of a big deal
Kind of a big deal
‎Dec 26 2024 3:32 AM
‎Dec 26 2024 3:32 AM

Integrating Active Directory with Sign-On Splash Page For MR Access Points 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
sungod
Kind of a big deal
Kind of a big deal
‎Dec 26 2024 3:33 AM
‎Dec 26 2024 3:33 AM

Have you defined the role(s) you want in Dashboard?

 

Org->Aministrators, scroll down to SAML administrator roles, if not you need to add at least one role.

 

The role defines what access rights a matchng user will be given.

 

Then in your AD, any user that you want to be able to login needs that role in their settings.

 

I've not used ADSSP but I see there''s a guide for Dashboard...

https://www.manageengine.com/products/self-service-password/help/admin-guide/Application/sso/merakic...

...it says....

Please make sure in Cisco Meraki the role (Organization > Administrators) maps to the department attribute and the username maps to the mail attribute in Active Directory.

 

There are also several SAML guides in Meraki documentation, for instance...

https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_S...

 

 

With Dashboard SAML a user must have one role.

In response to sungod
AnthonyJulien
New here
‎Dec 26 2024 5:36 AM
‎Dec 26 2024 5:36 AM

Hello!

 

Thank you so much for the help!

I did the steps exactly as you mentioned from the AD side, and the issue was resolved (although I got another error, it seems I cannot use the same email address for both regular signin and SAML signin).

So I created another user with an email address not in use yet in Meraki, and I was able to login as expected without any issues.

 

That was a quick reply as well, thank you!

In response to AnthonyJulien
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 26 2024 11:58 AM
‎Dec 26 2024 11:58 AM

ps. You can have your SAML provide pass anything for the username, such as sAMAccountName or displayName.  If you don't pass an email address you avoid this issue of existing accounts.

Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.