User authentication with OpenID via Okta

Solved
T1
Building a reputation


Has anyone configured user auth during enrollment with OpenID Connect via Okta or any other IDP? Meraki documentation is not very detailed to say the least.

1 Accepted Solution
T1
Building a reputation

If anyone is still interested, this is how I did it.


In Okta create a new app, type Web.


In General Tab set the following:

Initiate login URI: https://m.meraki.com


Login redirect URIs:
merakismoauth://com.meraki.pcc
https://m.meraki.com
https://mp.meraki.com/ssp/login
https://mp.meraki.com/ssp/loginsuccess
https://portal.meraki.com/loginsuccess


Allowed grant types:
Authorization code
tick Implicit (Hybrid)
tick Allow ID Token with implicit grant type
tick Allow Access Token with implicit grant type


In MDM go to System Manager > General and scroll down to User authentication settings. Choose OpenID Connect from the drop down menu.


Authorization endpoint: https://TENANT.okta.com/oauth2/v1/authorize
Token endpoint: https://TENANT.okta.com/oauth2/v1/token
Client ID: XXXXXXXXXXXXXX (Okta app Client ID)
Token issuer claim: https://TENANT.okta.com
Public Keys Endpoint: https://TENANT.okta.com/oauth2/v1/keys?client_id=XXXXXXXXXXXXXXX
Public Keys Format: JWK


Endpoints can be looked up via this API call: https://TENANT.okta.com/.well-known/openid-configuration?client_id=XXXXXXXXXX

I suppose this approach can be used with any IDP, and then you need to double-check what claims the IDP returns to Meraki. Meraki expects an "email" claim with the user's email as its value. Okta sends all default info in its claims, so there is no need to set up a custom authorization server. With other IDPs it can be different.


I asked support to include this example in the official docs.

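As an added example (not from the thread or from Meraki/Okta), the script below maps the fields of an Okta discovery document onto the Meraki settings listed above and inspects an ID token's claims for the issuer, audience and email mismatches that would make the enrollment login fail. The discovery document and the tokens are constructed samples; TENANT and the client ID are placeholders.

```python
import base64
import json

# Constructed sample of Okta's /.well-known/openid-configuration response;
# TENANT and the client ID are placeholders, not real values.
DISCOVERY = {
    "issuer": "https://TENANT.okta.com",
    "authorization_endpoint": "https://TENANT.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://TENANT.okta.com/oauth2/v1/token",
    "jwks_uri": "https://TENANT.okta.com/oauth2/v1/keys",
}

def meraki_settings(discovery, client_id):
    """Map discovery-document fields onto the Meraki user authentication fields."""
    return {
        "Authorization endpoint": discovery["authorization_endpoint"],
        "Token endpoint": discovery["token_endpoint"],
        "Client ID": client_id,
        "Token issuer claim": discovery["issuer"],
        "Public Keys Endpoint": f"{discovery['jwks_uri']}?client_id={client_id}",
        "Public Keys Format": "JWK",
    }

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_token(claims):
    """Build a constructed ID token (header.payload.dummy signature) for offline use."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2ln"

def claim_problems(id_token, expected_issuer, client_id):
    """List claim-level reasons Meraki would reject an ID token from the IdP.
    Signature checking against the JWKS is Meraki's job; this only reads claims."""
    _header, payload, _sig = id_token.split(".")
    claims = json.loads(_unb64url(payload))
    problems = []
    # A custom Okta authorization server issues e.g. https://TENANT.okta.com/oauth2/default,
    # which does not match the org issuer entered in Meraki.
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != {expected_issuer!r}")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud does not contain the Okta app Client ID")
    if not claims.get("email"):
        problems.append("no 'email' claim: Meraki cannot map the token to a user")
    return problems
```

To use it against a live tenant, replace DISCOVERY with the JSON fetched from the well-known URL and paste an ID token captured from a failed enrollment into claim_problems.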

7 Replies
sshort
Building a reputation

Is this in reference to the new SSO features in macOS 10.15 Catalina? I've had trouble tracking down an example profile on the MacAdmins slack, and it's not in Apple's documentation at the moment. I have the beta installed on a test Mac, and either that feature is buried somewhere, or it hasn't even been released as part of the beta yet.

So there's a bit of work and testing before Meraki would get to it. Keep an eye on ProfileCreator for an example profile template whenever the app gets updated to support all the new Catalina profile payloads, including the SSO at enrollment profile.

PhilipDAth
Kind of a big deal

If you use client VPN with an IDP, you can't do inline enrollment.


If you are referring to splash page based authentication then you won't be able to do it out of the box. You would need to create a custom hosted splash page that allowed it.

T1
Building a reputation

No, this is about authenticating users during enrollment. At the moment they authenticate via Azure AD, which was very easy to set up. Other options include G Suite or OpenID, which I'm trying to configure against Okta.


Logs don't register any events related to authentication, and the Meraki OpenID setup instructions are appalling at best.

beks88
A model citizen

@T1 do you use Azure AD with DEP enrollment? The docs state that this isn't supported yet:


https://documentation.meraki.com/SM/Device_Enrollment/SM_Enrollment_Authentication


I haven't been able to test it yet.

PhilipDAth
Kind of a big deal

We use Azure based enrollment but we only have Android devices.

T1
Building a reputation

We do BYOD enrollment via Azure for all staff devices at the moment. DEP is for service devices: wall iPads, demo iPads/iPhones, room Macs etc., and we don't need any additional layer of auth there even if it were supported.


Meraki doesn't offer native Okta or SAML at enrollment, so the only option is the OpenID protocol, which Okta supports. After discussing with Support yesterday, it looks like there is something off in the Meraki backend and the Ops team is looking into it.

