Meraki

Community

Meraki Systems Manager and OneLogin OpenID integration

Alpinweiss_3
Conversationalist
‎Oct 21 2019 7:18 AM
‎Oct 21 2019 7:18 AM

Meraki Systems Manager and OneLogin OpenID integration

Hello Community,

 

We have been struggling for few weeks now in order trying to integrate OneLogin OpenID and Meraki Systems Manager. Unfortunately there is not too much documentation around, and the Meraki Support seems to struggle with the topic as well being not able to guide us further. Our decision to move forward is depending on the OpenID integration as it is mandatory and OneLogin is already integrated with MFA.

 

Is there anyone else in the Community who has managed to integrate these two already?

 

Many thanks,

-Sam

Labels:
0 Kudos
7 Replies 7
BrechtSchamp
Kind of a big deal
‎Oct 21 2019 8:24 AM
‎Oct 21 2019 8:24 AM

Just to be sure, you've seen this documentation?

https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Configuring_SAML_...

0 Kudos
In response to BrechtSchamp
Alpinweiss_3
Conversationalist
‎Oct 21 2019 10:50 PM
‎Oct 21 2019 10:50 PM

Many thanks, I have seen that documentation. It does not reflect to the issue we are facing; it is about SSO to the Dashboard itself. We have that in place already and it works well.

 

What we are looking for is Device Enrollment authentication with Systems Manager using OpenID -- the documentation available does not talk too much about it. 

 

https://documentation.meraki.com/SM/Device_Enrollment/SM_Enrollment_Authentication#OpenID_Connect

 

OneLogin support has verified the settings are OK. We get at this point "Authentication error" from Meraki side. Would need live troubleshooting from Meraki side now, in order to tackle what goes wrong with the auth request. Looks as well there is less integration done using OpenID as there is not too much documentation to be found and the Meraki Support is neither not able to bring much more to resolution.

 

Thanks,

-Sam

0 Kudos
In response to Alpinweiss_3
Noah_Salzman
Meraki Alumni (Retired)
Meraki Alumni (Retired)
‎Oct 29 2019 4:46 PM
‎Oct 29 2019 4:46 PM

Hi @Alpinweiss_3 , do you have a case number associated with this issue? I can't guarantee anything, but perhaps I can do some digging from my side with that info.

In response to Noah_Salzman
Alpinweiss_3
Conversationalist
‎Oct 29 2019 11:46 PM
‎Oct 29 2019 11:46 PM

Hi @Noah_Salzman sure I do have: 04333123. 

 

Below the OpenID Settings we have worked out with OneLogin support:

 

Authorization Endpointhttps://openid-connect-eu.onelogin.com/oidc/auth
Token Endpointhttps://openid-connect-eu.onelogin.com/oidc/token
Client ID0e0df7a0-cb3d-0137-6893-06d0ac4aaaaaa37165
Token Issuer Claimhttps://openid-connect-eu.onelogin.com/oidc/me
Public Keys Endpointhttps://openid-connect-eu.onelogin.com/oidc/certs
Public Keys FormatJWK

(Client ID tokent has been tampered for above sample)

 

This setup results, as tested, to "Authentication Timeout or Invalid Credentials. Please Try Again." when trying to login via Device Enrollment.

 

Best regards,

-Sam

 

 

0 Kudos
In response to Alpinweiss_3
PaulF
Meraki Employee
Meraki Employee
‎Oct 30 2019 9:53 AM
‎Oct 30 2019 9:53 AM

So, a couple of things: I'm not familiar with OneLogin, but recently did an integration with PingID fed and ran into a couple of things not documented.

 

1. You have to send the X.509 cert in the SAML insertion. 

2. Ensure that the right encoding is used in the SAML insertion also

 

Screenshot 2019-10-30 at 16.50.01.png

(sorry for the heavy redaction)

 

If you go to Org > Administrators > SAML login history, you should be able to get the raw SAML XML

0 Kudos
In response to PaulF
Alpinweiss_3
Conversationalist
‎Oct 31 2019 12:09 AM
‎Oct 31 2019 12:09 AM

Hello,

 

Many thanks -- as said, the SAML authentication is working fine for us and we are not looking to resolve that. OpenID is meant for Systems Manager "User authentication". There is no option for inserting X.509 in OpenID configuration either.

 

I am not familiar with OpenID, however OneLogin support has confirmed their side is fine and Meraki Systems Manager spits an error. We have made traces out of it. In SAML Login history I am not seeing the OpenID login attempts, as I would guess since it is not SAML what we are trying to achieve here.

 

Thank you,

-Samuli

0 Kudos
T1
Building a reputation
‎Oct 21 2019 3:00 PM
‎Oct 21 2019 3:00 PM

I was in the same situation trying to setup OpenID with Okta. Meraki support acknowledged that there was a problem on their side, dev team applied a fix which didn't fix anything. After a while we just gave up, as working OpenID auth is not a pressing issue at the moment.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.