This article provides an example walk-through of configuring Azure Active Directory as an identity provider (IdP) for the Cisco Meraki dashboard. It is intended for customers who have moved their Active Directory to a cloud platform such as Azure and want to integrate SAML SSO with the Meraki dashboard. It is recommended that administrators read the article on SAML integration for Dashboard before proceeding.
When configuring the Role field, it is best practice not to use spaces within the text strings.
Setup on Azure
On the Azure Portal, navigate to Azure Active Directory > Enterprise Applications > New Application > Select Non-Gallery application within the new tile. Provide a name to the application and click on Add.
Generate SHA-1 certificate
To generate the SHA-1 certificate, follow the given steps:
- Within the newly created application, navigate to Single sign-on under the Manage option.
- Select the SAML tile.
- Click the edit pencil under the SAML Signing Certificate section.
- In the window that pops up, select New Certificate and leave Signing Option as Sign SAML assertion.
- Change Signing Algorithm to SHA-1 and save the configuration.
- Right-click on the Inactive certificate and Select Make Certificate Active
- When you receive the following message, click Yes.
"Activating your certificate. You are about to activate an inactive certificate. To Prevent application downtime, ensure that this certificate has been successfully onboarded to your application on the application's site."
- Download the certificate using Base64 certificate download and look for Thumbprint under the Details tab.
- Copy the SHA1 fingerprint and edit it into the following format: xx:xx:xx...
For example, if the fingerprint is 12hdlo9873jdnm0984hrti2ashlfjhkto447823h then modify it to 12:hd:lo:98:73:jd:nm:09:84:hr:ti:2a:sh:lf:jh:kt:o4:47:82:3h
- Enter the copied fingerprint in the X.509 cert SHA1 fingerprint field under Organization > Configure > Settings > SAML Configuration in the dashboard and select Add a SAML IdP
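The reformatting step above is easy to get wrong by hand, and the downloaded file is the only thing the dashboard actually trusts. The following added example (not code from the Meraki article or from Microsoft) inserts the colons for you and, more usefully, recomputes the SHA-1 fingerprint directly from the Base64 certificate download so you can confirm it matches the thumbprint Azure displays before pasting it into the dashboard. The sample PEM is a constructed placeholder whose body is the bytes "abc", not a real certificate, chosen because the SHA-1 of "abc" is a published test vector.

```python
"""Added example: format and verify the SHA-1 fingerprint for the dashboard's
"X.509 cert SHA1 fingerprint" field. Not part of the Meraki article."""
import base64
import hashlib
import re


def format_fingerprint(raw: str) -> str:
    """Insert a colon after every two characters, as the dashboard field expects.

    Azure shows the thumbprint as one unbroken string; the dashboard wants
    xx:xx:xx... Any existing separators or whitespace are stripped first.
    """
    compact = re.sub(r"[\s:]", "", raw)
    if len(compact) != 40:
        raise ValueError(f"expected 40 characters, got {len(compact)}")
    return ":".join(compact[i:i + 2] for i in range(0, 40, 2))


def fingerprint_from_pem(pem: str) -> str:
    """Compute the SHA-1 fingerprint of a Base64 (PEM) certificate download.

    The fingerprint is SHA-1 over the DER bytes, i.e. the decoded Base64 body
    between the BEGIN/END lines. Comparing it with the thumbprint shown in the
    Azure portal confirms the file you downloaded is the certificate you
    activated.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    return format_fingerprint(hashlib.sha1(der).hexdigest())


def matches_azure_thumbprint(pem: str, azure_thumbprint: str) -> bool:
    """True if the PEM's fingerprint equals the thumbprint Azure displays."""
    return fingerprint_from_pem(pem).lower() == format_fingerprint(azure_thumbprint).lower()


# Constructed placeholder, NOT a real certificate: "YWJj" is Base64 for "abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Paste the real download and the portal thumbprint here when using this for real.
    print(fingerprint_from_pem(SAMPLE_PEM))
    print(format_fingerprint("12hdlo9873jdnm0984hrti2ashlfjhkto447823h"))
```

Run it against the actual Base64 download and the thumbprint from the Details tab; if `matches_azure_thumbprint` returns False, the wrong certificate (for example the still-inactive one) was downloaded.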
Follow the below steps for configuring single sign-on:
- Within the newly created application, navigate to Single sign-on under the Manage option.
- Click the edit pencil under the Basic SAML Configuration section.
- Type https://dashboard.meraki.com in the Identifier (Entity ID) field.
- Enter the Consumer URL that the Meraki dashboard displays after you add the SHA-1 fingerprint, then save the configuration.
Adding Multiple Roles to a Single Enterprise Application
Steps to add roles:
- Within Azure Active Directory, navigate to App Registrations under Manage.
- Select the newly created application, in this case Meraki Lab SSO.
- Under Manage, choose the Manifest option; this opens an editable JSON view.
- All the roles that are created under SAML roles in the Meraki dashboard are mapped here.
- To add these roles, a unique id (GUID) per role is needed. You can use a GUID generator for this.
- Edit the section under appRoles.
You can keep adding roles like this, each with a unique displayName, id and value, ensuring the value field matches the SAML role configured in the dashboard exactly. For more clarity and recommended steps, refer to the Microsoft article on how to add app roles.
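Because the manifest editor accepts any JSON, a duplicated GUID or a value that differs from the dashboard role by a single space or capital letter will only show up later as a failed login. The following added example (not code from the Meraki article or from Microsoft) generates the appRoles entries from the SAML role names configured in the dashboard, using a locally generated GUID per role, and validates an existing appRoles list the same way. The role names are constructed samples; the entry fields used (allowedMemberTypes, description, displayName, id, isEnabled, value) are the ones Microsoft documents for app roles.

```python
"""Added example: build and check appRoles entries for the Azure app manifest.
Not part of the Meraki article."""
import json
import uuid

# Constructed sample: the SAML role names configured in the Meraki dashboard.
DASHBOARD_SAML_ROLES = ["MerakiFullAdmin", "MerakiReadOnly"]


def build_app_roles(role_names):
    """Return one appRoles object per dashboard SAML role.

    Each entry needs a unique GUID in "id"; uuid4 provides one locally.
    "value" is what Azure emits in the role claim, so it must equal the
    dashboard role name exactly (no spaces, same case).
    """
    seen = set()
    roles = []
    for name in role_names:
        if " " in name:
            raise ValueError(f"role {name!r} contains a space; avoid spaces in SAML role names")
        if name in seen:
            raise ValueError(f"duplicate role {name!r}")
        seen.add(name)
        roles.append({
            "allowedMemberTypes": ["User"],
            "description": f"Meraki dashboard SAML role {name}",
            "displayName": name,
            "id": str(uuid.uuid4()),
            "isEnabled": True,
            "value": name,
        })
    return roles


def check_app_roles(roles, dashboard_roles):
    """Validate an appRoles list (e.g. pasted from the manifest) against the
    dashboard's SAML roles. Returns a list of problems; empty means consistent."""
    problems = []
    ids = [r["id"] for r in roles]
    if len(ids) != len(set(ids)):
        problems.append("duplicate id (GUID) in appRoles")
    for r in roles:
        try:
            uuid.UUID(r["id"])
        except ValueError:
            problems.append(f"{r['displayName']}: id is not a GUID")
        if " " in r["value"]:
            problems.append(f"{r['displayName']}: value {r['value']!r} contains a space")
        if r["value"] not in dashboard_roles:
            problems.append(f"{r['displayName']}: value {r['value']!r} has no matching dashboard SAML role")
    return problems


if __name__ == "__main__":
    generated = build_app_roles(DASHBOARD_SAML_ROLES)
    # Paste this array into the "appRoles" section of the manifest editor.
    print(json.dumps(generated, indent=2))
    print(check_app_roles(generated, DASHBOARD_SAML_ROLES))
```

The printed array can be pasted into the appRoles section of the manifest; running `check_app_roles` on the manifest's existing appRoles (after `json.load`) catches the mismatch cases before any user tries to log in.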
Adding Meraki Custom Claims
Custom claims can be added from the newly created Azure enterprise application by following the below steps:
- Navigate to Manage > Single sign-on.
- Click the edit pencil under User Attributes & Claims and select Add new claim.
- Fill in the fields as per the image below to map the user's principal name from Azure AD to the login name for the Meraki dashboard.
- To map the RBAC role that was added in the JSON manifest to the SAML roles in the Meraki dashboard, follow the same steps as above, starting with adding a new claim.
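When a SAML login fails after these claims are added, the quickest check is to look at the assertion Azure actually sent (for example from the portal's test sign-in) rather than the claim configuration. The following added example (not code from the Meraki article) pulls the AttributeStatement out of an assertion and reports whether the username and role claims the dashboard needs are present and whether the role value matches a configured dashboard SAML role. The claim names are taken from Meraki's general SAML documentation and are an assumption here, since this article does not print them; the assertion is a constructed sample trimmed to the attribute statement.

```python
"""Added example: inspect the username and role claims in a captured SAML
assertion. Not part of the Meraki article."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names the dashboard expects; taken from Meraki's general SAML
# documentation and assumed here (the article above does not print them).
USERNAME_CLAIM = "https://dashboard.meraki.com/saml/attributes/username"
ROLE_CLAIM = "https://dashboard.meraki.com/saml/attributes/role"

# Constructed sample assertion, trimmed to the AttributeStatement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://dashboard.meraki.com/saml/attributes/username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://dashboard.meraki.com/saml/attributes/role">
      <saml:AttributeValue>MerakiReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_meraki_claims(assertion_xml, dashboard_roles):
    """List problems that would make the dashboard reject or mis-map this login.

    dashboard_roles is the list of SAML role names configured in the dashboard.
    An empty return value means both claims are present and consistent.
    """
    attrs = extract_attributes(assertion_xml)
    problems = []
    if not attrs.get(USERNAME_CLAIM):
        problems.append("username claim missing (check the UPN claim mapping)")
    roles = attrs.get(ROLE_CLAIM, [])
    if not roles:
        problems.append("role claim missing (check the role claim mapping and user assignment)")
    for role in roles:
        if role != role.strip() or " " in role:
            problems.append(f"role {role!r} contains whitespace")
        if role not in dashboard_roles:
            problems.append(f"role {role!r} is not configured as a SAML role in the dashboard")
    return problems


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_ASSERTION))
    print(check_meraki_claims(SAMPLE_ASSERTION, ["MerakiFullAdmin", "MerakiReadOnly"]))
```

Feed it the decoded assertion from a test sign-in together with the dashboard's SAML role list; an empty result means the remaining cause of a failed login lies in the certificate or URL configuration rather than the claims.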
Map Roles to Each User or Group
Steps to map roles to each user or group:
- Navigate to your newly created Enterprise Application and select Users and Groups under Manage.
- Click the Add User button and select the desired users or groups.
- Select the Role you want to assign to these users or groups.
The login URL can be provided to users who have been assigned SAML roles, allowing them to log in to the Meraki dashboard.
If encountering issues, refer to Organization > Administrators > SAML administrator roles > SAML login history for recent login attempts and resulting errors (if any).
For additional information on resolving possible error messages, please refer to the article on SAML Login History Error Messages.
For more information on Dashboard permissions and administrator types, refer to the article on managing administrative users.