The new page shows more granular permission sets - unfortunately I've not (ever) tied the cameras or roles to SSO/SAML but thought it was worth mentioning as it has more granular usability.
A visual aid might help. Within the Meraki Enterprise Application in Azure, the Single Sign-On with SAML has a section about your SAML claim and its attributes.
In documentation, Meraki says they CAN receive more than 1 role but that SAML token must present as a semicolon separated list.
For an enterprise level deployment I might have cameras in BuildingA, BuildingB and so on. So building Entra ID (Azure AD) groups usually by building (or site), I have a group SG-CAM-BldgA-ViewLive (with an associated App role cam_bldga_viewlive) ... and so on.
So if a user appears in multiple groups and that user goes through the single sign on - I want it to send that multiple group membership (also called multiple roles) back in the SAML token so that upon authentication that user is given the access to each role received in the token.
There are 3 or 4 articles that have pieces of the SAML puzzle and this one says it supports multiple roles being passed: Configuring SAML Single Sign-on for Dashboard - Cisco Meraki Documentation
But as detailed a configuration example as is provided in this Azure specific EA setup: Configuring SAML SSO with Microsoft Entra ID - Cisco Meraki Documentation they stop without saying "and here is how you could pass more than one role" which is absolutely maddening when you have multiple sites and buildings to give only that access that is needed in the performance of ones job function.
Hi Ryan,
I did look at the full xml just before leaving on Friday but was racing to the doctor. It really looks like a sample login passed multiple groups:
(If I'm reading the above correctly - this is the details of the SAML history of a login assigned to multiple groups). But when I logged in as that test user, I see only cameras associated with the mcam_viewlive_az.
Under Org -> Camera and Sensor Roles I defined those names limited access but network and tag (copy/pasting the relevant bits):
And I guess its picking up the meraki_read from Org > Administrators > SAML administrator roles.
Part of the confusion for me is definitely that some documents point to definition in both Org > Administrators of Org > Camera and Sensor Roles but perhaps that is just me "merging" topics? Clearly the XML clip seems to show both. Where SHOULD the Meraki side roles be done?
This is starting to get a bit complex to explain via a post ...
There are multiple approaches. This is a simpler approach.
Go to entra.microsoft.com, App Registrations.
Search for your application.
In your Meraki Dashboard application, click on App Roles.
Create as many new roles as required.
Now go back to entra.microsoft.com, Applications/Enterprie Applications.
Search for and go into your Meraki Dashboard application.
Go to users/groups.
Now either add a new user, or select an existing user and edit their assignment. Assign them one of the new roles that you created.
This app role registration, then association to dedicated security group is how I set it up. For example:
The above app roles are associated to two different Entra groups, and my non-admin account is in both of the groups:
But when I login, I see only the cameras from the AZ grouping. And the names in Camera and sensor role management do match identically the app registration names.
Thank you for the reply!
That has us building any number of groups to support a campus and multiple sites. I have never run into an application that says it has a the ability to support multiple roles where the solution is to forego roles and everytime there is a new combo we create a new group and add those distinct set of users to the new group.
I am beginning to believe the integration does not work as advertised and that you are absolutely correct.
But from this Meraki Document:
It is supposed to support multiple role assignments.
