SAML (Security Assertion Markup Language) can be used with the Cisco Meraki Dashboard to provide external authentication of users and a means of SSO (Single Sign-On). This article will provide an overview of how SAML works with Dashboard, configuration instructions in Dashboard, and information required to configure SAML with external platforms.
Note: SAML integration is currently in Beta and actively being developed. As such, fields or information referenced in this article may change over time.
When using SAML, there are three key elements:
When using SAML with Dashboard, the user must first authenticate with the IdP. This is referred to as IdP-initiated SAML. After the user has successfully authenticated and been directed to Dashboard, they will be granted access if they have a valid role and the IdP is correctly configured.
Note: Only IdP-initiated SAML is supported at this time.
There are two steps necessary to set up SAML SSO in Dashboard:
The Organization > Administrators page will now have a SAML administrator roles section. This section is used to assign permissions to user groups in Dashboard. When SAML users log-in, they will be granted whatever permissions have been assigned to the 'role' attribute included in the SAML token provided by the IdP.
To create a new role, click Add SAML role. Assignment of permission to these roles is identical to that of normal users. The article on managing administrators can be followed for assigning permissions to roles. Once complete, click Create admin and then Save changes.
IdP configuration instructions will vary depending on the vendor, please refer to your IdP vendor-specific documentation for details.
The following articles outline configuration instructions for two common IdPs:
Certain attributes are required by most IdPs. The following list outlines these attributes, and where to find that information in Dashboard:
The following additional notes apply to IdP compatibility and features:
SAML does support the use of multiple organizations. Similarly to traditional logins, it needs to determine that the user is identical across the affected organizations. Thus, for this to occur, the following must be identical across the designed organizations:
When this occurs, the user will be directed to the MSP portal and receive the desired permissions in each organization. The Consumer URL for any of the MSP organizations can be used, as they will all direct the user to the MSP portal.
Note: When modifying which organizations SAML users will have access to, it may be necessary to logout of both the IdP and Dashboard, as well as completely closing the browser.
If errors are presented when attempting to log in with SAML SSO, log in as a traditional administrator and review the SAML login history. This is located on the Organization > Administrators page, directly under the SAML administrator roles title. This includes a history of attempted SAML logins, any errors encountered, and what username/role was provided in the assertion.
In the example below, one user attempted to login without first going through the identity provider, while the second was authenticated correctly with a role and username:
For additional information on resolving possible error messages, please refer to the article on SAML Login History Error Messages.
Administrators with a SAML role can be configured to have full or limited access of the organization, as outlined in our Managing Dashboard Administrators documentation. Please note that Cisco Meraki Support may need to verify a SAML administrator's support passcode, as is done with traditional administrators.
If an administrator with a SAML role is configured to have full control over the organization, they will be able to adjust and delete other administrators on the account. There must be at least one non-SAML Dashboard org admin remaining on the account, so a SAML admin will not be able to delete or demote the last remaining Dashboard org admin.