Meraki

T1 · ‎Jun 28 2019

Has anyone configured user auth during enrollment with OpenID Connect via Okta or any other IDP? Meraki documentation is not very detailed to say the least.

T1 · ‎May 28 2020

If anyone is still interested, this is how I did it.

In Okta create a new app, type Web.

In General Tab set the following:

Initiate login URI: https://m.meraki.com

Login redirect URIs:
merakismoauth://com.meraki.pcc
https://m.meraki.com
https://mp.meraki.com/ssp/login
https://mp.meraki.com/ssp/loginsuccess
https://portal.meraki.com/loginsuccess

Allowed grant types:
Authorization code
tick Implicit (Hybrid)
tick Allow ID Token with implicit grant type
tick Allow Access Token with implicit grant type

In MDM go to System Manager > General and scroll down to User authentication settings. Choose OpenID Connect from the drop down menu.

Authorization endpoint: https://TENANT.okta.com/oauth2/v1/authorize
Token endpoint: https://TENANT.okta.com/oauth2/v1/token
Client ID: XXXXXXXXXXXXXX (Okta app Client ID)
Token issuer claim: https://TENANT.okta.com
Public Keys Endpoint: https://TENANT.okta.com/oauth2/v1/keys?client_id=XXXXXXXXXXXXXXX
Public Keys Format: JWK

Endpoints can be looked up via this API call: https://TENANT.okta.com/.well-known/openid-configuration?client_id=XXXXXXXXXX I suppose this approach can be used with any IDP and then you need to double check what claims IDP returns to Meraki. Meraki expects "email" claim with user email as a value. Okta sends all default info in its claim so there is no need to set up a custom authorization server. With other IDPs it can be different.

I asked support to include this example to official docs.

View solution in original post

sshort · ‎Jun 28 2019

Is this in reference to the new SSO features in macOS 10.15 Catalina? I've had trouble tracking down an example profile on the MacAdmins slack, and it's not in Apple's documentation at the moment. I have the beta installed on a test Mac, and either that feature is buried somewhere, or it hasn't even been released as part of the beta yet.

So there's a bit of work and testing before Meraki would get to it. Keep an eye on ProfileCreator for an example profile template whenever the app gets updated to support all the new Catalina profile payloads, including the SSO at enrollment profile.

PhilipDAth · ‎Jun 28 2019

If use client VPN with an IDP. You can't do inline enrollment.

If you are referring to splash page based authentication then you wont be able to do it out of the box. You would need to create a custom host splash page that allowed it.

T1 · ‎Jul 2 2019

No, this is about authenticating users during enrollment. At the moment they authenticate via Azure AD which was very easy to set up. Other options include G-Suite or Open ID which I'm trying to configure against Okta.

Logs don't register any events related to authentication and Meraki Open ID set up instructions are appalling at best.

beks88 · ‎Jul 3 2019

@T1 do you use Azure AD with DEP enrollment, because the docs state that this isn't supported yet

https://documentation.meraki.com/SM/Device_Enrollment/SM_Enrollment_Authentication

I wasn't able to test it until yet

PhilipDAth · ‎Jul 3 2019

We use Azure based enrollment but we only have Android devices.

T1 · ‎Jul 3 2019

We do BYOD enrollment via Azure for all staff devices at the moment. DEP is for service devices: wall iPads, demo iPads/iPhones, room Macs etc. and we don't need any additional layer of auth here even if it was supported.

Meraki doesn't offer native Okta or SAML at enrollment, so the only option is Open ID protocol which Okta supports. After discussing with Support yesterday, looks like there is something off in Meraki backend and OPs team is looking into it.

T1 · ‎May 28 2020