Meraki

Community

Configuring Single Sign On (SSO)

CourtneyB
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Aug 2 2019 10:49 AM
‎Aug 2 2019 10:49 AM
 

SAML (Security Assertion Markup Language) can be used with the Cisco Meraki Dashboard to provide external authentication of users and a means of SSO (Single Sign-On). This module will provide an overview of how SAML works with Dashboard, configuration instructions in Dashboard, and information required to configure SAML with external platforms.

 

SAML Overview

When using SAML, there are three key elements:
  • User - The client that is attempting to log-in to a service provider (Dashboard).
  • Identity Provider (IdP) - The authority on a user's identity. It know's the user's username, password, and any groups/attributes. Typically a portal where the user logs in.
  • Service Provider (SP) - The application the user wishes to use. In this case, Dashboard.
When using SAML with Dashboard, the user must first authenticate with the IdP. This is referred to as IdP-initiated SAML. After the user has successfully authenticated and been directed to Dashboard, they will be granted access if they have a valid role and the IdP is correctly configured. Note: Only IdP-initiated SAML is supported at this time. 9804f58c-e175-4234-ba25-e68b171846a4  

Dashboard Configuration

There are two steps necessary to set up SAML SSO in Dashboard:
  • Enable SAML SSO for each Organization
  • Create SAML Roles in Dashboard for each Organization

Enable SAML SSO for the Organization

  1. On the Organization > Settings page, navigate to the SAML Configuration section. Note: If this section does not appear, open a case with Cisco Meraki support to have it enabled.
  2. Change SAML SSO to "SAML SSO enabled".
  3. Provide the X.509 cert SHA1 fingerprint, which will be 20 pairs of hex characters separated by colons (:). This will come from the X.509 certificate on the IdP.
    • If opening the .crt file in Windows, go to Details > Thumbprint to view the fingerprint. Simply copy this and replace the spaces with colons.
    • Windows: 3805feff-e2e1-4fdc-b2ca-251c0a513c88
    • Dashboard:
  4. (Optional) Provide a SLO logout URL. This is where users will be directed when they logout of Dashboard.
    • Generally, this is a URL on the IdP that logs the users out of the IdP and other services.
    • This can also simply direct users to a homepage or other portal after logging out of Dashboard
  5. Click Save changes.

Create SAML Roles in Dashboard

The Organization > Administrators page will now have a SAML administrator roles section. This section is used to assign permissions to user groups in Dashboard. When SAML users log-in, they will be granted whatever permissions have been assigned to the 'role' attribute included in the SAML token provided by the IdP.   To create a new role, click Add SAML role. Assignment of permission to these roles is identical to that of normal users. The article on managing administrators can be followed for assigning permissions to roles. Once complete, click Create admin and then Save changes.  

Configuring the Identity Provider

IdP configuration instructions will vary depending on the vendor, please refer to your IdP vendor-specific documentation for details. The following articles outline configuration instructions for two common IdPs: Also, see Meraki Documentation.
 
Previous: Creating a New Customer Organization                                                   Next: Branding and Customization
0 Kudos
Subscribe
1 Comment
How to use this site
  • To receive notifications for new content, go to the Options menu (above) and select Subscribe.
  • If you find a resource helpful, give it kudos! (The little green arrow below each post: )
  • Please ask any general MSP-related questions in the MSP forum.
Additional resources
© 2024 Cisco Systems, Inc.