
Configuring SAML Single Sign-on for Dashboard

SAML (Security Assertion Markup Language) can be used with the Cisco Meraki Dashboard to provide external authentication of users and a means of SSO (Single Sign-On). This article will provide an overview of how SAML works with Dashboard, configuration instructions in Dashboard, and information required to configure SAML with external platforms.  

Note: SAML integration is currently in Beta and actively being developed. As such, fields or information referenced in this article may change over time.

SAML Overview

When using SAML, there are three key elements:

  • User - The client that is attempting to log in to a service provider (Dashboard).
  • Identity Provider (IdP) - The authority on a user's identity. It knows the user's username, password, and any groups/attributes. Typically a portal where the user logs in.
  • Service Provider (SP) - The application the user wishes to use. In this case, Dashboard.

When using SAML with Dashboard, the user must first authenticate with the IdP. This is referred to as IdP-initiated SAML. After the user has successfully authenticated and been directed to Dashboard, they will be granted access if they have a valid role and the IdP is correctly configured. 

Note: Only IdP-initiated SAML is supported at this time.

Dashboard Configuration

There are two steps necessary to set up SAML SSO in Dashboard:

  • Enable SAML SSO for the Organization
  • Create SAML Roles in Dashboard

Enable SAML SSO for the Organization

  1. On the Organization > Settings page, navigate to the SAML Configuration section.
    Note: If this section does not appear, open a case with Cisco Meraki support to have it enabled.
  2. Change SAML SSO to "SAML SSO enabled".

     
  3. Provide the X.509 cert SHA1 fingerprint, which will be 20 pairs of hex characters separated by colons (:). This will come from the X.509 certificate on the IdP.
    1. If opening the .crt file in Windows, go to Details > Thumbprint to view the fingerprint. Simply copy this and replace the spaces with colons.
       (Screenshots: the Windows certificate Details > Thumbprint view, and the corresponding Dashboard SAML Configuration field.)

  4. (Optional) Provide an SLO logout URL. This is where users will be directed when they log out of Dashboard.
    • Generally, this is a URL on the IdP that logs the users out of the IdP and other services.
    • This can also simply direct users to a homepage or other portal after logging out of Dashboard.
  5. Click Save changes.
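The fingerprint in step 3 is simply the SHA-1 digest of the certificate's DER bytes, rendered as 20 colon-separated hex pairs. The following added example (not Meraki's code) shows that computation, the Windows thumbprint-to-Dashboard conversion described in step 3.1, and a format check a practitioner can run before pasting the value. The PEM block is a constructed placeholder whose base64 body decodes to the three bytes "abc", not a real certificate; the algorithm is the same for a real IdP certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder: the base64 body decodes to b"abc", not to a real
# X.509 certificate. Only the PEM framing is realistic. For a real .crt/.pem
# file the same steps (strip armour, base64-decode, SHA-1) give the fingerprint.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# 20 hex pairs separated by colons, as the Dashboard field describes.
FINGERPRINT_RE = re.compile(r"^([0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body into DER bytes."""
    body_lines = [
        line.strip()
        for line in pem_text.splitlines()
        if line.strip() and not line.startswith("-----")
    ]
    return base64.b64decode("".join(body_lines))


def format_fingerprint(digest: bytes) -> str:
    """Render a 20-byte SHA-1 digest as upper-case hex pairs joined by colons."""
    if len(digest) != 20:
        raise ValueError("SHA-1 digest must be exactly 20 bytes")
    return ":".join(f"{b:02X}" for b in digest)


def sha1_fingerprint_from_pem(pem_text: str) -> str:
    """Compute the X.509 SHA-1 fingerprint in the form Dashboard expects."""
    return format_fingerprint(hashlib.sha1(pem_to_der(pem_text)).digest())


def normalize_windows_thumbprint(thumbprint: str) -> str:
    """Convert a thumbprint copied from the Windows certificate dialog
    (space-separated, lower-case, sometimes with an invisible leading
    control character) into Dashboard's colon-separated form."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", thumbprint)
    if len(hex_only) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(hex_only)}")
    return format_fingerprint(bytes.fromhex(hex_only))


def is_valid_dashboard_fingerprint(value: str) -> bool:
    """Check a value against the format the SAML Configuration field describes."""
    return FINGERPRINT_RE.fullmatch(value) is not None


if __name__ == "__main__":
    fp = sha1_fingerprint_from_pem(SAMPLE_PEM)
    print("fingerprint from PEM:   ", fp)
    print("from Windows thumbprint:",
          normalize_windows_thumbprint("a9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"))
    print("valid format:", is_valid_dashboard_fingerprint(fp))
```

The stray-character handling in normalize_windows_thumbprint matters in practice: a thumbprint copied from the Windows dialog can carry an invisible leading character that makes a visually correct value fail to save.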

Create SAML Roles in Dashboard

The Organization > Administrators page will now have a SAML administrator roles section. This section is used to assign permissions to user groups in Dashboard. When SAML users log in, they will be granted whatever permissions have been assigned to the 'role' attribute included in the SAML token provided by the IdP.

To create a new role, click Add SAML role. Assignment of permission to these roles is identical to that of normal users. The article on managing administrators can be followed for assigning permissions to roles. Once complete, click Create admin and then Save changes.

Configuring the Identity Provider

IdP configuration instructions will vary depending on the vendor; please refer to your IdP vendor-specific documentation for details.
The following articles outline configuration instructions for two common IdPs:

IdP Attribute Information

Certain attributes are required by most IdPs. The following list outlines these attributes, and where to find that information in Dashboard:

  • Entity ID
    For Dashboard SSO, this is https://dashboard.meraki.com
  • Assertion Consumer Service (ACS) URL
    This is provided as the Consumer URL on the Organization > Settings page under SAML Configuration. It will be unique for each organization.
  • Username attribute
    A username attribute must be passed in the SAML token/assertion, specifically 'https://dashboard.meraki.com/saml/attributes/username'. This carries the name the user will be identified as in Dashboard. Mapping this to an e-mail address is strongly recommended.
    Note: This attribute cannot match an existing Dashboard administrator's email address.
  • Role attribute
    A role attribute must be passed in the SAML token/assertion, specifically 'https://dashboard.meraki.com/saml/attributes/role'. This must match one of the Roles defined on the Organization > Administrators page.
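To make the two attribute requirements concrete, here is an added example (not Meraki's or any IdP's code) that pulls the username and role attributes out of a SAML 2.0 AttributeStatement and applies the checks listed above: the attribute names must match exactly, the role must match a configured SAML administrator role, and the username must not collide with an existing Dashboard administrator's e-mail. The assertion fragment, the role names and the addresses are constructed sample data. This only covers attribute mapping; a real service provider verifies the response signature against the IdP certificate before trusting any attribute.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the two attribute names Dashboard reads.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
USERNAME_ATTR = "https://dashboard.meraki.com/saml/attributes/username"
ROLE_ATTR = "https://dashboard.meraki.com/saml/attributes/role"

# Constructed sample assertion fragment (no signature, no Conditions); the
# issuer, user and role values are made up. A real IdP response wraps this
# in a signed samlp:Response delivered to the organization's Consumer URL.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://dashboard.meraki.com/saml/attributes/username">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://dashboard.meraki.com/saml/attributes/role">
      <saml:AttributeValue>NetworkAdmins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_dashboard_attributes(assertion_xml, configured_roles, existing_admin_emails):
    """Pre-flight the attribute checks described in the article.

    configured_roles: SAML administrator role names from Organization > Administrators.
    existing_admin_emails: e-mail addresses of traditional (non-SAML) administrators.
    Returns a list of problems; an empty list means the assertion maps to a role.
    """
    problems = []
    attrs = extract_attributes(assertion_xml)

    usernames = attrs.get(USERNAME_ATTR, [])
    if len(usernames) != 1 or not usernames[0]:
        problems.append("username attribute missing or not single-valued")
    elif usernames[0].lower() in {e.lower() for e in existing_admin_emails}:
        problems.append(
            f"username {usernames[0]!r} collides with an existing Dashboard administrator")

    roles = attrs.get(ROLE_ATTR, [])
    if len(roles) != 1 or not roles[0]:
        problems.append("role attribute missing or not single-valued (only one role is used)")
    elif roles[0] not in configured_roles:
        problems.append(f"role {roles[0]!r} does not match any SAML administrator role")
    return problems


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_ASSERTION))
    print(check_dashboard_attributes(SAMPLE_ASSERTION, {"NetworkAdmins"}, ["admin@example.com"]))
    print(check_dashboard_attributes(SAMPLE_ASSERTION, {"ReadOnly"}, ["jane.doe@example.com"]))
```

Running the last call shows both failure modes a practitioner sees in the SAML login history: a role name that matches nothing configured, and a username that is already a traditional administrator. Role matching is exact, since the article says the attribute value must match a defined role.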

Additional IdP Information

The following additional notes apply to IdP compatibility and features:

  • Limited Single Logout (SLO) is available. Dashboard will redirect users to the SLO URL after they log out of Dashboard; that URL can point at the IdP's own SLO endpoint if the IdP supports it, but Dashboard does not support receiving SAML LogoutRequests from the IdP.
  • Only SAML 2.0 is supported.
  • Dashboard only supports IdP-initiated SAML. Users must first authenticate with the IdP and then be passed to Dashboard with a valid token.
  • While IdP platforms may have a variety of other fields, in most cases they can be left blank or at default settings. Only the above information is critical for Dashboard compatibility.

SAML SSO for MSPs

SAML does support the use of multiple organizations. As with traditional logins, Dashboard needs to determine that the user is identical across the affected organizations. For this to occur, the following must be identical across the designated organizations:

  • X.509 cert fingerprint for the organization
  • SAML administrator role (as only one role attribute can be used in the token)
    • The permissions granted can be different in each Organization, but the role name must be identical

When this occurs, the user will be directed to the MSP portal and receive the desired permissions in each organization. The Consumer URL for any of the MSP organizations can be used, as they will all direct the user to the MSP portal.

Note: When modifying which organizations SAML users will have access to, it may be necessary to log out of both the IdP and Dashboard, as well as completely close the browser.

Troubleshooting

If errors are presented when attempting to log in with SAML SSO, log in as a traditional administrator and review the SAML login history. This is located on the Organization > Administrators page, directly under the SAML administrator roles title. This includes a history of attempted SAML logins, any errors encountered, and what username/role was provided in the assertion. 

In the example below, one user attempted to log in without first going through the identity provider, while the second was authenticated correctly with a role and username:

(Screenshot: SAML login history showing the two attempts.)

For additional information on resolving possible error messages, please refer to the article on SAML Login History Error Messages.

Contacting Support with SAML SSO

Administrators with a SAML role can be configured to have full or limited access to the organization, as outlined in our Managing Dashboard Administrators documentation. Please note that Cisco Meraki Support may need to verify a SAML administrator's support passcode, as is done with traditional administrators.

If an administrator with a SAML role is configured to have full control over the organization, they will be able to adjust and delete other administrators on the account. There must be at least one non-SAML Dashboard org admin remaining on the account, so a SAML admin will not be able to delete or demote the last remaining Dashboard org admin.

Last modified
15:16, 22 Dec 2016

Article ID

ID: 1577
