A detailed walkthrough and collection of best practices for setting up as a Meraki Managed Service Provider
- Getting Started
- Introduction to Meraki Dashboard
- Determining Organizational Structure
- Creating a Meraki Dashboard Account
- Activating the MSP Portal
- Configuring Organization Administrators
- Creating a New Customer Organization
- Configuring Single Sign On (SSO)
- Branding and Customization
- Ordering & Title Guidelines
- Infrastructure Financing Options
Using the MSP Portal
A description of next-generation services that are readily available with the Meraki platform
Configuring Single Sign On (SSO)
SAML (Security Assertion Markup Language) can be used with the Cisco Meraki Dashboard to provide external authentication of users and a means of SSO (Single Sign-On). This module will provide an overview of how SAML works with Dashboard, configuration instructions in Dashboard, and information required to configure SAML with external platforms.
When using SAML, there are three key elements:
- User – The client that is attempting to log-in to a service provider (Dashboard).
- Identity Provider (IdP) – The authority on a user’s identity. It know’s the user’s username, password, and any groups/attributes. Typically a portal where the user logs in.
- Service Provider (SP) – The application the user wishes to use. In this case, Dashboard.
When using SAML with Dashboard, the user must first authenticate with the IdP. This is referred to as IdP-initiated SAML. After the user has successfully authenticated and been directed to Dashboard, they will be granted access if they have a valid role and the IdP is correctly configured.
Note: Only IdP-initiated SAML is supported at this time.
There are two steps necessary to set up SAML SSO in Dashboard:
- Enable SAML SSO for each Organization
- Create SAML Roles in Dashboard for each Organization
Enable SAML SSO for the Organization
- On the Organization > Settings page, navigate to the SAML Configuration section.
Note: If this section does not appear, open a case with Cisco Meraki support to have it enabled.
- Change SAML SSO to “SAML SSO enabled”.
- Provide the X.509 cert SHA1 fingerprint, which will be 20 pairs of hex characters separated by colons (:). This will come from the X.509 certificate on the IdP.
- If opening the .crt file in Windows, go to Details > Thumbprint to view the fingerprint. Simply copy this and replace the spaces with colons.
- (Optional) Provide a SLO logout URL. This is where users will be directed when they logout of Dashboard.
- Generally, this is a URL on the IdP that logs the users out of the IdP and other services.
- This can also simply direct users to a homepage or other portal after logging out of Dashboard
- Click Save changes.
Create SAML Roles in Dashboard
The Organization > Administrators page will now have a SAML administrator roles section. This section is used to assign permissions to user groups in Dashboard. When SAML users log-in, they will be granted whatever permissions have been assigned to the ‘role’ attribute included in the SAML token provided by the IdP.
To create a new role, click Add SAML role. Assignment of permission to these roles is identical to that of normal users. The article on managing administrators can be followed for assigning permissions to roles. Once complete, click Create admin and then Save changes.
Configuring the Identity Provider
IdP configuration instructions will vary depending on the vendor, please refer to your IdP vendor-specific documentation for details.
The following articles outline configuration instructions for two common IdPs:
Leave a Reply
You must be logged in to post a comment.