Migrating dashboard admins to SSO, now cannot add new VPN user

Solved
pematthe
Here to help

We're migrating our dashboard admins to SSO and have found that deleting the local admin account to force the use of SSO also deletes their VPN user account - didn't expect that!

The workaround is to create a new 'guest' user account for the MX VPN service and email new credentials to the user. One has worked OK, the next one failed with "A user with the email 'xxxxxxxxxxx' already exists". We cannot find that account anywhere. It is not in the dashboard admins or existing VPN users.

It was used for SSO, so we have tried with the account in the M365 SSO user list and without. Neither makes a difference. I have seen other threads on the forum saying that once dashboard knows about an account in SSO, it doesn't let it go; there's no option to remove the record of it. Strange, as another user's SSO account allowed us to create a guest VPN user without issue.

Anybody else seen this when migrating to dashboard SSO?

6 Replies
alemabrahao
Kind of a big deal

Maybe it will help you:

https://community.meraki.com/t5/Dashboard-Administration/Setting-up-SAML-for-2-Meraki-tenants-one-Az...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
pematthe
Here to help

Thanks for the idea, but I have already changed that SAML parameter. I have opened a support ticket; maybe they can suggest something.

PhilipDAth
Kind of a big deal

If you have changed that parameter then it is *impossible* for it to conflict with an existing account. It doesn't pass an email address as the username anymore; it passes the display name - and local Meraki accounts won't let you create such an account.

PhilipDAth
Kind of a big deal

What username is the SAML log seeing?

[screenshot: PhilipDAth_0-1740081850700.png]

[screenshot: PhilipDAth_1-1740081867479.png]

pematthe
Here to help

[screenshot: pematthe_0-1740388971228.png]

A name, not an email.

Apparently, according to the support engineer, the backend and frontend UI are out of sync and cannot reconcile the account between local and SAML - a proper bug / issue / problem. It is also not possible for an administrator to access, clear, reset or remove a SAML ID to clear issues like this. The recommendation is to disable SAML, leave it for 10 minutes and then re-enable.

I will be doing that today sometime and update the thread here with the result.

pematthe
Here to help

UPDATE.

A bug or undocumented feature. The backend SAML was stuck and would not allow a user to be created in the UI, either as a VPN user or as an administrator.

SOLUTION.

Disable SAML for 5 minutes. Recreate the user in either the VPN or the Administrator UI and re-enable SAML. It seems to reset the SAML 'remembered' accounts and allowed the user to be in SAML for admin access and also have a local account for VPN.
