Just been through this exercise with SAML and roles. The issue is not with Okta. Meraki's implementation is very lacking. To make this work, you effectively need a role for every unique combination of Orgs and Networks. In our case that's nearly every user. For local admins, you can specify Org (None/RO/Full) + any combination of networks. With SAML you can only provide a single Role that defines a fixed Org+Networks. We have several 100 sites (networks) with local administrators. Many support multiple sites. That would equate to several 100 roles. At the moment we can only provide SAML to Global Org admins, due to this limitation. It's simple to fix. Meraki just needs to split the Role attribute into Org, TargetsRO and TargetsRW (multivalue), which can be populated with values (group names). This is basically how other vendors implement it. Either that, or they just bin the SAML Role and use the local Administrators permissions, so users can log in via local auth or SAML.