SAML redirects to meraki login page.

Geo
Comes here often

I am using an internal SAML 2.0 Provider.
It provides an X.509 certificate and needs:
1. Entity ID
2. ACS HTTP Post URIs
3. Target Application URL (the url that redirects to after login)

I added the fingerprint and got a Consumer URL https://n121.meraki.com/saml/login/******/***********.

I filled in the Entity ID with https://dashboard.meraki.com, and the ACS and Target URL with the Consumer URL in my SAML Provider.

The provider generates a login url that looks like this https://preprod.login.******.com/saml/sps/saml20ip/saml20/logininitial?RequestBinding=HTTPPost&Partn...

After using my SAML login I am redirected to the meraki login page and asked to enter my credentials.

3 REPLIES
PhilipDAth
Kind of a big deal

First, note that only IdP-initiated SAML is supported.

So you'll need your IdP to have some kind of dashboard that you can add Meraki into as an app.

Check out this setup guide.

https://documentation.meraki.com/General_Administration/Managing_Dashboard_Access/Configuring_SAML_S... 

Geo
Comes here often

It uses IdP-initiated login, as the URL that is generated is called "IDP-Initiated Login URL".

PhilipDAth
Kind of a big deal

Are you sure you are passing an attribute called "username"?
IdP Attribute Information

Certain attributes are required by most IdPs. The following list outlines these attributes, and where to find that information in Dashboard:

  • Entity ID
    For Dashboard SSO, this is https://dashboard.meraki.com
  • Assertion Consumer Service (ACS) URL
    This is provided as the Consumer URL on the Organization > Settings page under SAML Configuration. It will be unique for each organization.
  • Username attribute

A username attribute must be passed in the SAML token/assertion, specifically 'https://dashboard.meraki.com/saml/attributes/username'. This includes the name the user will be identified as in Dashboard. Mapping this to an e-mail address is strongly recommended.

Note: This attribute cannot match an existing Dashboard administrator or Meraki Authentication user's email address.

Note: Dashboard will only accept one role attribute. If multiple roles or group memberships are provided, the first attribute will be used.
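The attribute list above is the usual reason for the symptom in the opening post: if the assertion does not carry the attribute named exactly `https://dashboard.meraki.com/saml/attributes/username`, Dashboard has no identity to map and falls back to its own login page. The following is an added example, not Meraki's code and not the poster's IdP configuration: a small Python check you can run over an assertion captured from your IdP (with a browser SAML tracer, for instance) before turning it on in Dashboard. It parses the attribute statement and audience only; it does not verify the XML signature, which is the separate fingerprint check Dashboard performs. The username attribute name and the Entity ID are the ones quoted in this thread; the role attribute name `https://dashboard.meraki.com/saml/attributes/role` is taken from Meraki's SAML documentation and should be treated as an assumption here. The sample responses are constructed, unsigned test data.

```python
"""Check a SAML 2.0 assertion for the attributes Meraki Dashboard expects.

Added example (not Meraki code). Inspects attribute content and audience only;
signature verification is out of scope.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

ENTITY_ID = "https://dashboard.meraki.com"                               # quoted in the thread
USERNAME_ATTR = "https://dashboard.meraki.com/saml/attributes/username"  # quoted in the thread
# Role attribute name per Meraki's SAML documentation; an assumption, not quoted in this thread.
ROLE_ATTR = "https://dashboard.meraki.com/saml/attributes/role"


def attribute_values(assertion, name):
    """Return every AttributeValue text for the attribute called `name`, in document order."""
    values = []
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            for v in attr.findall("saml:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values


def check_assertion(xml_text):
    """Return the username and role Dashboard would see, plus a list of problems."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return {"username": None, "role": None, "problems": ["no Assertion element"]}

    problems = []
    # Audience must be the Entity ID configured on the IdP side.
    audiences = [a.text.strip() for a in assertion.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include Entity ID {ENTITY_ID}")

    # The username attribute is mandatory and should be an e-mail address.
    usernames = attribute_values(assertion, USERNAME_ATTR)
    username = usernames[0] if usernames else None
    if username is None:
        problems.append(f"missing attribute {USERNAME_ATTR}")
    elif "@" not in username:
        problems.append("username is not an e-mail address (Meraki recommends mapping it to one)")

    # Dashboard accepts a single role; if several are sent only the first is used.
    roles = attribute_values(assertion, ROLE_ATTR)
    role = roles[0] if roles else None
    if len(roles) > 1:
        problems.append(f"{len(roles)} role values supplied; Dashboard will use only {role!r}")
    return {"username": username, "role": role, "problems": problems}


def sample_response(attributes, audience=ENTITY_ID):
    """Build a constructed, unsigned SAML Response for testing (sample data, not a real IdP)."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>"
        for name, vals in attributes)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml20</saml:Issuer>
    <saml:Subject><saml:NameID>geo@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Case 1: the IdP sends a generic "email" attribute instead of Dashboard's attribute name.
    print(check_assertion(sample_response([("email", ["geo@example.com"])])))
    # Case 2: username and a single role mapped the way the documentation describes.
    print(check_assertion(sample_response(
        [(USERNAME_ATTR, ["geo@example.com"]), (ROLE_ATTR, ["read-only"])])))
```

Case 1 reproduces the situation in this thread: the NameID is set, the user authenticated at the IdP, but because no attribute is named with the Meraki URI the check reports `missing attribute`, and Dashboard would likewise show its login page. Fixing the attribute mapping on the IdP (rather than the ACS or target URL) is what the check points you at.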
