
SAML Roles – Building the Dashboard
To more easily manage administrative access to the Dashboard, Meraki has also implemented both IdP-Initiated and SP-Initiated SAML 2.0 support for Dashboard administrators. This allows for simple and easy management of administrative permissions for large numbers of Dashboard users by leveraging an existing identity provider (IdP) such as ADFS, OneLogin, or Azure AD to quickly scope permissions across an entire organization’s worth of administrators through the use of SAML roles in the Dashboard.
To enable SAML for an organization, navigate to the Organization > Settings page and enter the SHA1 fingerprint of the X.509 certificate from the identity provider. Next, to configure SAML administrator roles, go to the Organization > Administrators page and configure them in the SAML Administrator Roles section. SAML administrator roles have the same available permissions options and operate in very much the same way as a standard Dashboard Administrator account, but they rely on the “role” attribute, included in the SAML assertion sent during logon, to match a defined SAML administrative role in the Dashboard, which determines the permissions assigned to the newly logged-in SAML administrator. This allows different SAML administrators to be automatically assigned different permissions based on the SAML role matched during SSO logon. These SAML roles can be created and defined on a custom, per-organization basis and do not require matching any sort of predefined roles in the Dashboard.
In addition to defining the roles on the Organization > Administrators page, you can create special Camera-only roles for use with SAML authentication to allow for the same granular functionality as the network-level Camera-only admins discussed previously. To configure these special Camera-only roles, navigate to the Organization > Camera Roles page and configure them similarly to both the SAML administrator roles and the network-level Camera-only administrator permissions.
After you define the role name, which is matched against the “role” attribute during the logon process, you can define network access for users with this role as either all networks containing cameras or select groups of networks based on applied network tags. Camera roles share the same three permission levels as the non-SAML camera admins and can also have access to either all cameras in each network or restricted access to select groups of cameras within the allowed networks based on device tags. This gives SAML and non-SAML administrator accounts parity in administration capabilities on the Dashboard, ensuring an appropriate level of access control regardless of account type.
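The role-matching step described above, as an added illustration that is not Meraki's code: a constructed assertion is parsed for its “role” attribute, each value is looked up in hypothetical SAML administrator and Camera role tables (undefined roles grant nothing), and the IdP certificate fingerprint is computed in the form entered on Organization > Settings. The role names, tags, permission values and the sample assertion are all assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed role tables modelled on the SAML Administrator Roles and Camera Roles
# described above; names and values are hypothetical, not a Dashboard export.
SAML_ADMIN_ROLES = {"NetAdmin": {"org_access": "full"},
                    "ReadOnly": {"org_access": "read-only"}}
CAMERA_ROLES = {"CamViewer": {"permission": "view-only",          # one of the three camera levels
                              "network_tags": ["hq", "branch"],   # networks allowed via network tags
                              "camera_tags": ["lobby"]}}          # cameras allowed via device tags

# Constructed, unsigned assertion fragment: two defined roles plus one the org never defined.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>ReadOnly</saml:AttributeValue>
      <saml:AttributeValue>CamViewer</saml:AttributeValue>
      <saml:AttributeValue>NotDefined</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def cert_fingerprint_sha1(der_bytes: bytes) -> str:
    """Colon-separated SHA1 fingerprint of a DER-encoded IdP certificate,
    the value entered on Organization > Settings."""
    hexdigest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def extract_roles(assertion_xml: str) -> list[str]:
    """Return every value of the 'role' attribute in the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "role":
            roles += [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
    return roles

def resolve_permissions(assertion_xml: str) -> dict:
    """Match role values to the configured tables; undefined roles grant nothing.
    Assumes the assertion signature was already verified against the IdP cert (not shown)."""
    granted = {"admin": {}, "camera": {}, "unmatched": []}
    for role in extract_roles(assertion_xml):
        if role in SAML_ADMIN_ROLES:
            granted["admin"][role] = SAML_ADMIN_ROLES[role]
        elif role in CAMERA_ROLES:
            granted["camera"][role] = CAMERA_ROLES[role]
        else:
            granted["unmatched"].append(role)
    return granted
```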
SAML integrations like this significantly speed up the process (and reduce the effort) to create new organizations and scope administrative access for large companies, allowing for faster deployments and a greater focus on network and device configuration instead of copying and re-creating existing administrator accounts and permissions for a new deployment.
Pro Tip
SAML can be configured to provide access across multiple organizations for a single account by using matching X.509 fingerprints and identical “role” attributes across organizations.
In addition to SAML administrator integration, Meraki offers integration with Cisco XDR (formerly known as SecureX) Sign-On for authentication on the Dashboard. As with other SAML solutions, this allows a user to authenticate with the Dashboard directly through the XDR Sign-On page. However, unlike traditional SAML administrator accounts, XDR accounts do not use SAML roles to define administrator privileges. Instead, XDR administrator accounts are created like a regular Dashboard Administrator account, except that after enabling XDR integration from the Organization > Settings page, a new toggle option is shown when creating the new administrator account that allows the authentication method to be specified as either Email or Cisco XDR Sign-On.
This feature allows existing Cisco Security customers to integrate the Meraki Dashboard with their existing Cisco Security authentication process and add access to the Meraki Dashboard directly to an existing Cisco Security deployment, making it easier to conduct forensic analysis or enrich threat intelligence data with the Meraki platform as well.