Okta Classic Engine | Okta Integration Network | Answered | 2020-01-28 | 2020-03-09 | 2024-04-15

uyk4k (uyk4k) asked a question.

Meraki Dashboards SAML Integration limited to only one "SAML Administrator Role"

The Meraki Dashboards SAML integration is extremely limited and only allows for one "SAML administrator role" when users log in. This means that there is no way to differentiate what role a user logs in as, so essentially all users get assigned to the same role. This is not ideal and defeats the point of using the Okta Integration due to not being able to allow different access to Meraki. In the Meraki settings you can create multiple roles, such as Admin, limited admin, view only. There needs to be an ability to set a user to a specific role so that all users assigned to the Meraki SAML app have the correct access.


Reached out to Okta support and this is what I was told

"I just verified internally. And at the moment, the Meraki integration only supports one role for one app. The only workaround to this would be to create one app within Okta for each role, yet, for this to work, since the Cisco Meraki Dashboard SAML application does not support adding different IDPs with the same certificate fingerprint value, you will need to generate a different certificate for each new application instance. You will have to follow the steps from the doc you've been doing i.e. https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Cisco-Meraki-Dashboard.html


After looking further into this I was able to find that such a feature is already requested on our community page: 

https://support.okta.com/help/ideas/viewIdea.apexp?id=087F0000000M1hb"


The feature request has been on awaiting feedback for close to 6 months now with no updates.


I also found this support thread on Okta's forums, https://support.okta.com/help/s/question/0D50Z00008G7Uhe/how-to-add-multiple-saml-administrator-role-roles-in-cisco-meraki-application


A Senior Technical Engineer from Okta replied to the above thread saying

"Only one SAML administrator role can be sent through the OIN app as it's currently configured. I actually brought this up to Meraki support just last week and I believe it has been relayed to their apps team for review."


Does anyone have any insight on when this will be implemented? Is it a limitation with the Okta app or is it a limitation on Meraki's SSO/SAML implementation? This information seems conflicting.


  • BrianJ.50738 (Customer)

    Hi Nathanael,


    Don't use Okta's pre-canned Meraki app; you are right, it is limited to a single role, and that's useless if you have different levels of permissions and privileges that you need to provide. You can accomplish what you want by creating a custom SAML application within Okta (follow Meraki's SAML guide), and then make sure you send Group Attribute Statements. You can pass groups within the assertion to then match up to the names of the SAML administrator roles within Meraki.


    At the time of writing this, your attribute statement should look like this:

    (screenshot: attribute statement)


    Your Group Attribute statement should look like this:

    (screenshot: group attribute statement)


    I then create groups within Okta that start with "Meraki_" -- but you could do this however you want, and then use the group attribute statement filter for "starts with...". Make sure you make your SAML administrator roles named the same as your Okta groups. Then just assign all your Meraki groups to the new custom Meraki app in Okta and away you go. I do this and currently have quite a few different roles, but only one chiclet for all levels of admins. It works great.

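The group-filter plus exact-name mapping described in the answer above, as an added example that is not code from the thread, from Okta or from Meraki: it simulates the "Starts with Meraki_" group attribute filter on the Okta side, builds a constructed (unsigned) assertion fragment in the shape Okta emits, and then checks, from the Meraki side, that every emitted group exactly equals a configured SAML administrator role name. The two Meraki attribute names are assumed from my recollection of Meraki's SAML guide and should be checked against your own dashboard; all usernames, groups and role names are constructed.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute names as recalled from Meraki's SAML guide; treat as assumptions and
# verify them against the attribute names your dashboard actually expects.
ATTR_USERNAME = "https://dashboard.meraki.com/saml/attributes/username"
ATTR_ROLE = "https://dashboard.meraki.com/saml/attributes/role"


def filter_groups(user_groups, prefix="Meraki_"):
    """Mimic Okta's 'Starts with' group filter: only matching groups leave the IdP,
    so unrelated group memberships are never disclosed to Meraki."""
    return [g for g in user_groups if g.startswith(prefix)]


def build_assertion(username, groups):
    """Build a constructed, unsigned assertion fragment with the two attribute statements."""
    ET.register_namespace("saml2", SAML2)
    assertion = ET.Element(f"{{{SAML2}}}Assertion", {"ID": "_constructed", "Version": "2.0"})
    stmt = ET.SubElement(assertion, f"{{{SAML2}}}AttributeStatement")
    for name, values in ((ATTR_USERNAME, [username]), (ATTR_ROLE, groups)):
        attr = ET.SubElement(stmt, f"{{{SAML2}}}Attribute", {"Name": name})
        for value in values:
            ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def resolve_roles(assertion_xml, configured_roles):
    """Meraki-side view: a role value only grants access if it exactly equals the name
    of a configured SAML administrator role; anything else is reported as unmatched."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml2": SAML2}
    sent = [v.text or "" for v in root.findall(
        f".//saml2:Attribute[@Name='{ATTR_ROLE}']/saml2:AttributeValue", ns)]
    matched = [r for r in sent if r in configured_roles]
    unmatched = [r for r in sent if r not in configured_roles]
    return {"matched": matched, "unmatched": unmatched, "login_possible": bool(matched)}


if __name__ == "__main__":
    # Constructed Okta group memberships for one user and constructed Meraki role names.
    okta_groups = ["Everyone", "Meraki_Read-only", "Engineering", "Meraki_Full"]
    meraki_roles = {"Meraki_Full", "Meraki_Read-only", "Meraki_Limited"}
    assertion = build_assertion("user@example.com", filter_groups(okta_groups))
    print(resolve_roles(assertion, meraki_roles))
```

A group whose name differs from the Meraki role by even one character (for example "Meraki_ReadOnly" against "Meraki_Read-only") lands in `unmatched`, which is the first thing to check when a user assigned to the custom app cannot log in.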
This question is closed.