
Cisco Meraki Documentation

Configuring SAML SSO with ADFS

This article provides an example walk-through of configuring Active Directory Federation Services (AD FS) as an identity provider (IdP) for the Cisco Meraki Dashboard. It is recommended that administrators read the article on SAML integration for Dashboard before proceeding. It is assumed that Active Directory and Federation Services are already installed and basic configuration is complete. For additional information on configuring AD FS, refer to Microsoft's deployment guide.

The steps in this article only cover an example of creating the necessary integration with Dashboard. Exact implementation may differ based on environment and Active Directory implementation. However, the username and role attributes described below must be provided in the SAML assertion/token.

Note: The pictures/configuration steps in this article should only be used as a guideline as attribute names may have changed with Windows Server updates.


Create Relying Party Trust


  1. Open the AD FS management console.
    1. Start > Administrative Tools > AD FS 2.0 Management.
  2. Click on the top level folder (AD FS 2.0) and click Add Relying Party Trust from the Actions menu.
  3. Click Start to begin configuring a relying party trust for Dashboard.
  4. Choose to Enter data about the relying party manually. Then click Next.
  5. Enter a Display name, which will be displayed in the management console and to users connecting to Dashboard. Then click Next.
    Note: In this example, "Meraki Dashboard" has been used.
  6. Choose AD FS 2.0 profile. Then click Next.
  7. Skip the Configure Certificate step by clicking Next.
  8. Check the box to Enable support for the SAML 2.0 WebSSO protocol.
    1. In the text field, enter the Consumer URL from Dashboard under Organization > Settings > SAML Configuration. (If you do not yet have a Consumer URL, first follow the steps for generating a fingerprint below.)
    2. Click Next.
  9. For the Relying party trust identifier enter "https://dashboard.meraki.com". Then click Add and Next.
    Note: The value of this field is required by AD FS, but is not used.
  10. Choose default issuance authorization rules based on preferred security behavior. For this example, choose Permit all users to access this relying party. Then click Next.
    Note: If choosing to deny users by default, explicit authorization rules would need to be added later. These steps are not covered in this article.
  11. Ensure the box to Open the Edit Claim Rules dialog... is checked. Then click Close.

Configure Username Attribute

  1. In the Edit Claim Rules dialog, under the Issuance Transform Rules tab, click Add Rule.
  2. For Claim rule template, choose to Send LDAP Attributes as Claims. Then click Next.
  3. Configure a SAML attribute for usernames.
    1. Set the Claim rule name as "Username".
    2. Set the Attribute store as Active Directory.
    3. Select the LDAP Attribute that will be sent to Dashboard as the username. As this will appear in multiple locations and should be unique to each user, selecting E-Mail-Addresses or another unique characteristic is strongly recommended.
    4. Set the Outgoing Claim Type to "https://dashboard.meraki.com/saml/attributes/username".
    5. Click Finish.

Configure Role Attribute

  1. In the Edit Claim Rules dialog, under the Issuance Transform Rules tab, click Add Rule.
  2. For Claim rule template, choose to Send Group Membership as a Claim.
  3. Configure a SAML attribute for roles.
    1. Set the Claim rule name to "Role".
    2. Click Browse to select a group that should receive this role.
    3. Set the Outgoing claim type to "https://dashboard.meraki.com/saml/attributes/role".
    4. In Outgoing claim value, enter the value of a Role created in Dashboard under Organization > Administrators > SAML administrator roles.
      Note: The role value in the attribute must match a role in Dashboard for the user to gain access.
    5. Click Finish.
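As an added example that is not part of the Meraki article, the following PowerShell builds the same relying party trust and the two claim rules the console steps above create, using the AD FS cmdlets (Add-AdfsRelyingPartyTrust, New-AdfsSamlEndpoint). The consumer URL, the group SID and the Dashboard role name are placeholders to be replaced with your own values.

```powershell
# Added example, not the article's or Meraki's own code. On AD FS 2.0 the cmdlets
# live in a snap-in; on Windows Server 2012 R2 and later the Adfs module loads on demand.
if (-not (Get-Command Add-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Placeholders: copy the Consumer URL from Dashboard > Organization > Settings > SAML Configuration,
# use the SID of the AD group that should receive the role, and the exact Dashboard role name.
$ConsumerUrl   = 'https://EXAMPLE-CONSUMER-URL.invalid/saml/login'
$RoleGroupSid  = 'S-1-5-21-0000000000-0000000000-0000000000-1234'
$DashboardRole = 'Network Admin'

# "Send LDAP Attributes as Claims": the user's mail attribute becomes the Meraki username claim.
# mail (E-Mail-Addresses) is chosen because it is unique per user, as the article recommends.
$UsernameRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Username"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("https://dashboard.meraki.com/saml/attributes/username"), query = ";mail;{0}", param = c.Value);
'@

# "Send Group Membership as a Claim": membership of the group emits a fixed role value,
# which must match a SAML administrator role defined in Dashboard.
$RoleRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$RoleGroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "https://dashboard.meraki.com/saml/attributes/role", Value = "$DashboardRole", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# SAML 2.0 WebSSO assertion consumer endpoint (the Consumer URL step in the wizard).
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ConsumerUrl -Index 0

# "Permit all users to access this relying party" is the authorization rule the article chooses;
# replace it with group-scoped permit rules if you prefer deny-by-default.
Add-AdfsRelyingPartyTrust -Name 'Meraki Dashboard' `
    -Identifier 'https://dashboard.meraki.com' `
    -SamlEndpoint $Endpoint `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule"' + "`n" + ' => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -IssuanceTransformRules ($UsernameRule + "`n" + $RoleRule)

# Confirm the rules that will be applied to assertions sent to Dashboard.
Get-AdfsRelyingPartyTrust -Name 'Meraki Dashboard' | Select-Object Name, Identifier, IssuanceTransformRules
```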

Configure Dashboard Settings

  1. In the management console, navigate to AD FS 2.0 > Service > Certificates.
  2. Double-click on the certificate under Token-signing.
    • Under Details > Thumbprint, copy this string and paste it into the X.509 cert SHA1 fingerprint field in Dashboard under Organization > Settings > SAML Configuration. Replace any spaces with colons. Be sure to use all capital letters, otherwise Dashboard will return "the Fingerprint needs to be a colon-delimited hex value" as an error.

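As an added example that is not part of the Meraki article, this PowerShell reads the primary token-signing certificate from AD FS and formats its thumbprint the way Dashboard expects (uppercase hex, colon-delimited), avoiding the error quoted above; it also reports the certificate's expiry and whether AD FS auto-rollover is on, since a rolled certificate means the fingerprint in Dashboard must be updated. Format-MerakiFingerprint is a helper written for this example, not an AD FS cmdlet.

```powershell
# Added example, not the article's or Meraki's own code.
function Format-MerakiFingerprint {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    # The console shows the thumbprint as lowercase hex pairs separated by spaces;
    # Dashboard wants "AB:CD:..." in capitals. Strip whitespace and upper-case first.
    $hex = ($Thumbprint -replace '\s', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{40}$') {
        throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$Thumbprint'"
    }
    # Insert a colon after every byte except the last one.
    return ($hex -replace '(..)(?!$)', '${1}:')
}

# Only the primary token-signing certificate signs assertions sent to Dashboard.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$fingerprint = Format-MerakiFingerprint -Thumbprint $signing.Thumbprint

Write-Output "X.509 cert SHA1 fingerprint for Dashboard: $fingerprint"
Write-Output "Token-signing certificate expires: $($signing.Certificate.NotAfter)"
# If AutoCertificateRollover is True, AD FS will generate a new signing certificate
# before expiry and the fingerprint configured in Dashboard will stop matching.
Write-Output "AutoCertificateRollover enabled: $((Get-AdfsProperties).AutoCertificateRollover)"
```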

  3. (Optional) To redirect users back to the AD FS login page after logging out of Dashboard, follow these steps.
    1. In Dashboard, navigate to Organization > Settings > SAML Configuration.
    2. In the SLO logout URL, enter "https://<SERVER_URL>/adfs/ls/idpinitiatedsignon.aspx".
      Replace "<SERVER_URL>" with the IP address or DNS name of the AD FS server.
    3. Click Save Changes.


At this point, users authenticating with AD FS will be able to select "Meraki Dashboard" as a site to sign in to.


If users are not able to successfully connect to Dashboard and receive an error, ensure that:


  • Claim rules have been created for the username and role attributes as described above.
  • The desired SAML administrator role has been created in Dashboard.
  • The user is allowed to use the application, based on any authorization rules configured in AD FS.


If encountering issues, refer to Organization > Administrators > SAML administrator roles > SAML login history for recent login attempts and resulting errors (if any).



For additional information on resolving possible error messages, please refer to the article on SAML Login History Error Messages.

For more information on Dashboard permissions and administrator types, refer to the article on managing administrative users.
