Blog Home
Attend a Webinar

Thank you for subscribing.

Setup Trail

Setup Trail

Configuring Single Sign On (SSO)

SAML (Security Assertion Markup Language) can be used with the Cisco Meraki Dashboard to provide external authentication of users and a means of SSO (Single Sign-On). This module will provide an overview of how SAML works with Dashboard, configuration instructions in Dashboard, and information required to configure SAML with external platforms.

SAML Overview

When using SAML, there are three key elements:

  • User – The client that is attempting to log-in to a service provider (Dashboard).
  • Identity Provider (IdP) – The authority on a user’s identity. It know’s the user’s username, password, and any groups/attributes. Typically a portal where the user logs in.
  • Service Provider (SP) – The application the user wishes to use. In this case, Dashboard.

When using SAML with Dashboard, the user must first authenticate with the IdP. This is referred to as IdP-initiated SAML. After the user has successfully authenticated and been directed to Dashboard, they will be granted access if they have a valid role and the IdP is correctly configured.

Note: Only IdP-initiated SAML is supported at this time.

9804f58c-e175-4234-ba25-e68b171846a4

 

Dashboard Configuration

There are two steps necessary to set up SAML SSO in Dashboard:

  • Enable SAML SSO for each Organization
  • Create SAML Roles in Dashboard for each Organization

Enable SAML SSO for the Organization

  1. On the Organization > Settings  page, navigate to the SAML Configuration  section.
    Note: If this section does not appear, open a case with Cisco Meraki support to have it enabled.
  2. Change SAML SSO to “SAML SSO enabled”.
  3. Provide the X.509 cert SHA1 fingerprint, which will be 20 pairs of hex characters separated by colons (:). This will come from the X.509 certificate on the IdP.
    • If opening the .crt file in Windows, go to Details > Thumbprint to view the fingerprint. Simply copy this and replace the spaces with colons.
    • Windows:
      3805feff-e2e1-4fdc-b2ca-251c0a513c88
    • Dashboard:
  4. (Optional) Provide a SLO logout URL. This is where users will be directed when they logout of Dashboard.
    • Generally, this is a URL on the IdP that logs the users out of the IdP and other services.
    • This can also simply direct users to a homepage or other portal after logging out of Dashboard
  5. Click Save changes.

Create SAML Roles in Dashboard

The Organization > Administrators page will now have a SAML administrator roles section. This section is used to assign permissions to user groups in Dashboard. When SAML users log-in, they will be granted whatever permissions have been assigned to the ‘role’ attribute included in the SAML token provided by the IdP.

 

To create a new role, click Add SAML role. Assignment of permission to these roles is identical to that of normal users. The article on managing administrators can be followed for assigning permissions to roles. Once complete, click Create admin and then Save changes.

 

Configuring the Identity Provider

IdP configuration instructions will vary depending on the vendor, please refer to your IdP vendor-specific documentation for details.
The following articles outline configuration instructions for two common IdPs:

Meraki Documentation

Leave a Reply

You must be logged in to post a comment.