We have been struggling for a few weeks now trying to integrate OneLogin OpenID and Meraki Systems Manager. Unfortunately there is not much documentation around, and Meraki Support seems to struggle with the topic as well, not being able to guide us further. Our decision to move forward depends on the OpenID integration, as it is mandatory and OneLogin is already integrated with MFA.
Is there anyone else in the Community who has managed to integrate these two already?
Just to be sure, you've seen this documentation?
Many thanks, I have seen that documentation. It does not reflect the issue we are facing; it is about SSO to the Dashboard itself. We have that in place already and it works well.
What we are looking for is Device Enrollment authentication with Systems Manager using OpenID -- the documentation available does not say much about it.
OneLogin support has verified the settings are OK. At this point we get "Authentication error" from the Meraki side. We would need live troubleshooting from the Meraki side now, in order to tackle what goes wrong with the auth request. It also looks like there is less integration done using OpenID, as there is not much documentation to be found and Meraki Support is not able to bring much more towards a resolution either.
Hi @Alpinweiss_3 , do you have a case number associated with this issue? I can't guarantee anything, but perhaps I can do some digging from my side with that info.
Hi @Noah_Salzman sure I do have: 04333123.
Below are the OpenID settings we have worked out with OneLogin support:
| Setting | Value |
|---|---|
| Token Issuer Claim | https://openid-connect-eu.onelogin.com/oidc/me |
| Public Keys Endpoint | https://openid-connect-eu.onelogin.com/oidc/certs |
| Public Keys Format | JWK |
(The Client ID token has been tampered with for the above sample.)
This setup results, as tested, in "Authentication Timeout or Invalid Credentials. Please Try Again." when trying to log in via Device Enrollment.
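As an added illustration (not code from this thread, Meraki or OneLogin), the checks a relying party runs on an OpenID ID token against the three settings posted above, returning the specific failing check rather than a generic "Authentication error". It assumes a constructed symmetric HS256 key in place of the RSA keys a real OneLogin JWKS serves, and a placeholder Client ID.

```python
import base64, hashlib, hmac, json, time

# Relying-party settings, as configured in the Systems Manager OpenID dialog above.
# The client ID is a constructed placeholder (the post redacted the real one).
SETTINGS = {"issuer": "https://openid-connect-eu.onelogin.com/oidc/me",
            "client_id": "CLIENT_ID_PLACEHOLDER"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed stand-in for the document served at the Public Keys Endpoint. It holds
# one symmetric "oct" key so the demo runs with the standard library; a real OneLogin
# JWKS carries RSA keys, which need an RSA verifier in place of the HMAC below.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": b64url_encode(b"constructed-demo-key")}]}

def make_token(claims, kid="k1"):
    """Mint a test ID token with the JWKS key (stands in for the IdP side)."""
    key = next(k for k in JWKS["keys"] if k["kid"] == kid)
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(key["k"]), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token, settings=SETTINGS, jwks=JWKS, now=None):
    """Return (True, 'ok') or (False, reason) naming the first failing check."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:
        return False, "token is not a well-formed JWT"
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct" or header.get("alg") != "HS256":
        return False, f"no usable JWKS key for kid {header.get('kid')!r}"
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "signature does not verify against the JWKS key"
    if claims.get("iss") != settings["issuer"]:       # OIDC requires an exact string match
        return False, f"iss {claims.get('iss')!r} != configured Token Issuer Claim"
    aud = claims.get("aud")
    if settings["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud does not contain the configured Client ID"
    if claims.get("exp", 0) <= now:
        return False, "token has expired"
    return True, "ok"
```

Feeding a token captured from a failing enrollment attempt through `validate_id_token` (with the real JWKS and an RSA verifier) shows which of the issuer, audience, expiry or key checks the relying party would reject.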
So, a couple of things: I'm not familiar with OneLogin, but I recently did an integration with PingID fed and ran into a couple of things that are not documented.
1. You have to send the X.509 cert in the SAML insertion.
2. Ensure that the right encoding is used in the SAML insertion also.
(sorry for the heavy redaction)
If you go to Org > Administrators > SAML login history, you should be able to get the raw SAML XML.
Many thanks -- as said, the SAML authentication is working fine for us and we are not looking to resolve that. OpenID is meant for Systems Manager "User authentication". There is no option for inserting X.509 in OpenID configuration either.
I am not familiar with OpenID; however, OneLogin support has confirmed their side is fine and Meraki Systems Manager spits out an error. We have made traces of it. In SAML login history I am not seeing the OpenID login attempts, as I would guess, since it is not SAML that we are trying to achieve here.
I was in the same situation trying to set up OpenID with Okta. Meraki support acknowledged that there was a problem on their side; the dev team applied a fix which didn't fix anything. After a while we just gave up, as working OpenID auth is not a pressing issue at the moment.