Configuring SAML SSO with ADFS

This article provides an example walk-through of configuring Active Directory Federation Services as an identity provider (IdP) for the Cisco Meraki Dashboard. It is recommended that administrators read the article on SAML integration for Dashboard before proceeding. It is assumed that Active Directory and Federation Services are already installed and basic configuration is complete. For additional information on configuring AD FS, refer to Microsoft's deployment guide.

The steps in this article only cover an example of creating the necessary integration with Dashboard. Exact implementation may differ based on environment and Active Directory implementation. However, the username and role attributes described below must be provided in the SAML assertion/token.


Create Relying Party Trust


  1. Open the AD FS management console.
    1. Start > Administrative Tools > AD FS 2.0 Management.
  2. Click on the top level folder (AD FS 2.0) and click Add Relying Party Trust from the Actions menu.
  3. Click Start to begin configuring a relying party trust for Dashboard.
  4. Choose to Enter data about the relying party manually. Then click Next.
  5. Enter a Display name, which will be displayed in the management console and to users connecting to Dashboard. Then click Next.
    Note: In this example, "Meraki Dashboard" has been used.
  6. Choose AD FS 2.0 profile. Then click Next.
  7. Skip the Configure Certificate step by clicking Next.
  8. Check the box to Enable support for the SAML 2.0 WebSSO protocol.
    1. In the text field, enter the Consumer URL from Dashboard under Organization > Settings > SAML Configuration.
    2. Click Next.
  9. For the Relying party trust identifier enter "https://dashboard.meraki.com". Then click Add and Next.
    Note: The value of this field is required by AD FS, but is not used.

  10. Choose default issuance authorization rules based on preferred security behavior. For this example, choose Permit all users to access this relying party. Then click Next.
    Note: If choosing to deny users by default, explicit authorization rules would need to be added later. These steps are not covered in this article.
  11. Ensure the box to Open the Edit Claim Rules dialog... is checked. Then click Close.

Configure Username Attribute

  1. In the Edit Claim Rules dialog, under the Issuance Transform Rules tab, click Add Rule.
  2. For Claim rule template, choose to Send LDAP Attributes as Claims. Then click Next.
  3. Configure a SAML attribute for usernames.
    1. Set the Claim rule name as "Username".
    2. Set the Attribute store as Active Directory.
    3. Select the LDAP Attribute that will be sent to Dashboard as the username. As this will appear in multiple locations and should be unique to each user, selecting E-Mail-Addresses or another unique characteristic is strongly recommended.
    4. Set the Outgoing Claim Type to "https://dashboard.meraki.com/saml/attributes/username".
    5. Click Finish.

Configure Role Attribute

  1. In the Edit Claim Rules dialog, under the Issuance Transform Rules tab, click Add Rule.
  2. For Claim rule template, choose to Send Group Membership as a Claim.
  3. Configure a SAML attribute for roles.
    1. Set the Claim rule name to "Role".
    2. Click Browse to select a group that should receive this role.
    3. Set the Outgoing claim type to "https://dashboard.meraki.com/saml/attributes/role".
    4. In Outgoing claim value enter the value for a Role created in Dashboard under the Organization > Administrators > SAML administrator roles.
      Note: The role value in the attribute must match a role in Dashboard for the user to gain access.
    5. Click Finish.
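The relying party trust and both claim rules above can also be created with the AD FS PowerShell cmdlets instead of the wizard, which is useful for repeating the setup on a second federation server or keeping it under version control. The script below is an added example and is not part of the original article or Cisco's documentation. The Consumer URL, the Dashboard role name and the Active Directory group are placeholders to be replaced with the real values; the username claim uses the mail attribute (E-Mail-Addresses) as recommended above, and the issuance rule text is the same claim rule language the wizard generates.

```powershell
# Added example, not from the original article: recreate the relying party trust,
# the "Username" and "Role" claim rules and the permit-all authorization rule
# with the AD FS cmdlets. Run on the federation server as an AD FS administrator.

# AD FS 2.0 ships its cmdlets as a snap-in; AD FS on Windows Server 2012 R2 and
# later auto-loads the ADFS module, so only load the snap-in when the module is absent.
if (-not (Get-Module -ListAvailable -Name ADFS)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# Placeholders: copy these from Dashboard (Organization > Settings > SAML Configuration
# and Organization > Administrators > SAML administrator roles) and from AD.
$consumerUrl = 'https://<CONSUMER_URL_FROM_DASHBOARD>'   # placeholder
$roleValue   = '<SAML_ROLE_NAME_FROM_DASHBOARD>'         # placeholder, must match the Dashboard role exactly
$domain      = '<NETBIOS_DOMAIN>'                        # placeholder
$groupName   = '<AD_GROUP_THAT_GETS_THIS_ROLE>'          # placeholder

# The group-membership rule matches on the group SID, so resolve the name to a SID.
$groupSid = (New-Object System.Security.Principal.NTAccount($domain, $groupName)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# "Send LDAP Attributes as Claims": mail -> Dashboard username attribute.
$usernameRule = @'
@RuleName = "Username"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("https://dashboard.meraki.com/saml/attributes/username"), query = ";mail;{0}", param = c.Value);
'@

# "Send Group Membership as a Claim": members of the group -> Dashboard role attribute.
$roleRule = @"
@RuleName = "Role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "https://dashboard.meraki.com/saml/attributes/role", Value = "$roleValue", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Issuance authorization: "Permit all users to access this relying party".
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# SAML 2.0 WebSSO endpoint (the Dashboard Consumer URL, HTTP-POST binding).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $consumerUrl

Add-AdfsRelyingPartyTrust -Name 'Meraki Dashboard' `
    -Identifier 'https://dashboard.meraki.com' `
    -SamlEndpoint $acs `
    -IssuanceTransformRules ($usernameRule + "`n" + $roleRule) `
    -IssuanceAuthorizationRules $permitAll

# Read the trust back to confirm both claim rules and the endpoint are in place.
Get-AdfsRelyingPartyTrust -Name 'Meraki Dashboard' |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules, SamlEndpoints
```

Users who are not members of the group get no role claim at all, so Dashboard will refuse them even though the permit-all authorization rule lets them through AD FS; that is the expected split between AD FS authorization and Dashboard role mapping described in the troubleshooting checklist further down.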

Configure Dashboard Settings

  1. In the management console, navigate to AD FS 2.0 > Service > Certificates.
  2. Double-click on the certificate under Token-signing.
  3. Under Details > Thumbprint, copy the string and paste it into the X.509 cert SHA1 fingerprint field in Dashboard under Organization > Settings > SAML Configuration, replacing any spaces with colons.

  4. (Optional) To redirect users back to the AD FS login page after logging out of Dashboard, follow these steps.
    1. In Dashboard, navigate to Organization > Settings > SAML Configuration.
    2. In the SLO logout URL, enter "https://<SERVER_URL>/adfs/ls/idpinitiatedsignon.aspx".
      Replace "<SERVER_URL>" with the IP address or DNS name of the AD FS server.
    3. Click Save Changes.
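Copying the thumbprint out of the certificate dialog and re-typing the spaces as colons is easy to get wrong, and it is also easy to pick the service communications certificate instead of the token-signing one. The script below is an added example, not part of the original article; it reads the primary token-signing certificate directly from AD FS, formats its SHA1 thumbprint in the colon-separated form the Dashboard field expects, cross-checks that value against a SHA1 computed over the certificate bytes, and prints the SLO URL from step 4 using the federation service host name. It assumes the AD FS cmdlets are available (snap-in on AD FS 2.0, module on later versions).

```powershell
# Added example, not from the original article: obtain the Dashboard
# "X.509 cert SHA1 fingerprint" value from the AD FS token-signing certificate.
if (-not (Get-Module -ListAvailable -Name ADFS)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# Only the primary token-signing certificate signs assertions sent to Dashboard.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $signing) { throw 'No primary token-signing certificate found' }
$cert = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# .NET exposes the thumbprint as uppercase hex with no separators (the GUI shows the
# same bytes separated by spaces). Insert a colon between every byte pair.
$fingerprint = $cert.Thumbprint -replace '(..)(?!$)', '$1:'

# Independent check: the thumbprint is SHA1 over the DER-encoded certificate.
$sha1  = [System.Security.Cryptography.SHA1]::Create()
$check = [System.BitConverter]::ToString($sha1.ComputeHash($cert.RawData)) -replace '-', ':'
if ($check -ne $fingerprint) { throw "Thumbprint mismatch: $check vs $fingerprint" }

$props = Get-AdfsProperties

"Token-signing subject : $($cert.Subject)"
"Valid until           : $($cert.NotAfter)"
"Auto rollover enabled : $($props.AutoCertificateRollover)"
"Dashboard fingerprint : $fingerprint"
"SLO logout URL        : https://$($props.HostName)/adfs/ls/idpinitiatedsignon.aspx"
```

The expiry and auto-rollover lines are there for a reason: with automatic certificate rollover enabled, AD FS generates a new token-signing certificate before the current one expires and eventually promotes it to primary, at which point assertions are signed with a key whose fingerprint Dashboard does not have and every SAML login fails until the field is updated. Re-running the script after a rollover gives the new value to paste in.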

At this point, users authenticating with AD FS will be able to select "Meraki Dashboard" as a site to sign into.

If users are not able to successfully connect to Dashboard and receive an error, ensure that:


  • Claim rules have been created for the username and role attributes as described above.
  • The desired SAML administrator role has been created in Dashboard.
  • The user is allowed to use the application, based on any authorization rules configured in AD FS.


If encountering issues, refer to Organization > Administrators > SAML administrator roles > SAML login history for recent login attempts and resulting errors (if any).


For more information on Dashboard permissions and administrator types, refer to the article on managing administrative users.

Last modified
12:01, 19 Feb 2016

Article ID

ID: 1573