How-To : Setup Enterprise Application (SAML)

This guide will focus on a Meraki setup for SSO with Entra, so first we need to navigate to the Enterprise Application option:

Note : You will need to have access to the Meraki Dashboard and be an administrator to set this up and make changes.


Then we need the "New application" option:


When you click for a new application and enter "Meraki" you will notice there is an application there already, so you need to choose the "Create" option as below:


When you do, you need to give it a name; the moment you type in the name the gallery version will pop up again as below:


Click on the "Meraki Dashboard" name and then choose Create:


This will then get to work creating your application:



When this application has been created your browser will automatically navigate to that application as below; we need to head for the "Single Sign-on" option:


We now need to choose the SAML option:

This will then require us to fill in Step 1, which is the SAML configuration. You will notice that the Entity ID and ACS URL are required for this to work, and these values need to be obtained from the Meraki Dashboard before we can move on:


We now need to visit the Meraki Dashboard which can usually be found on this URL here

When you are logged in, you then need to navigate to Organization > Settings as below:



When this page loads, scroll down and look for the SAML SSO section as below, notice this is disabled:


You need to update this option to enabled:

This will then give you some more details which are required for SAML configuration as you can see below:

We need the subdomain and the Consumer (ACS) URL:

Subdomain : bears
Consumer (ACS URL) : https://n644.meraki.com/saml/login/NotReal/ThisisAllFake



Now we have these details we need to go back to the Enterprise application and click the edit button on SAML configuration:


Paste in the details from the Meraki website and then click save:


This will then confirm those details in the Basic SAML configuration as below:


Next up is Attributes and Claims; we have no additional requirements for this to work, so we can move on to step 3:


This is the SAML Certificate, and from this section we need the thumbprint, which will need to be used on the Meraki website right now:


The thumbprint we have is B4853231698139ECC3A3204E82A3FDA80D55E3CE; this will need to be separated by colons (:) after every 2nd character to make this work with Meraki.
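Added example, not part of the original post: a small Python helper that turns the thumbprint shown in the Entra portal into the colon-separated form Meraki expects, and a second helper that recomputes the thumbprint (SHA-1 over the DER bytes) from the Base64 certificate downloaded in step 3 so you can confirm the portal value before pasting it. The certificate bytes in the sample are constructed, not a real certificate.

```python
import base64
import hashlib
import re

SHA1_THUMBPRINT_LEN = 40  # SHA-1 thumbprint: 20 bytes = 40 hex characters


def format_thumbprint_for_meraki(thumbprint: str) -> str:
    """Convert a 40-character hex thumbprint (as shown in the Entra portal)
    into the 'B4:85:32:...' form required by the Meraki SAML SSO settings.
    Spaces or colons already present in the input are tolerated."""
    cleaned = re.sub(r"[\s:]", "", thumbprint).upper()
    if len(cleaned) != SHA1_THUMBPRINT_LEN or not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError(
            f"expected a {SHA1_THUMBPRINT_LEN}-character hex SHA-1 thumbprint, got {thumbprint!r}"
        )
    return ":".join(cleaned[i:i + 2] for i in range(0, SHA1_THUMBPRINT_LEN, 2))


def thumbprint_from_pem(pem: str) -> str:
    """Compute the SHA-1 thumbprint of a PEM/Base64 certificate. The
    thumbprint Entra displays is SHA-1 over the DER encoding, so this lets you
    check the downloaded certificate against the portal value."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha1(der).hexdigest().upper()


def verify_thumbprint(pem: str, portal_thumbprint: str) -> bool:
    """True when the certificate's computed thumbprint matches the one shown
    in the portal, regardless of case or colon formatting."""
    return format_thumbprint_for_meraki(thumbprint_from_pem(pem)) == \
        format_thumbprint_for_meraki(portal_thumbprint)


# Constructed stand-in for the downloaded Base64 certificate (not a real cert).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-sample-bytes-not-a-certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Thumbprint from the post, reformatted for the Meraki Dashboard field.
    print(format_thumbprint_for_meraki("B4853231698139ECC3A3204E82A3FDA80D55E3CE"))
```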

You will also note that we have another two boxes to complete as well, so before we save we also need a login URL and a logout URL. Step 4 on the Enterprise Application will give us all that information, as you can see here:



We then need the Login and Logout URL from this section pasted into the Meraki Dashboard which should look like this:


Now we have all those magical URLs and thumbprints we can save that configuration to the Meraki Dashboard; we are getting nearer to SSO world.

Housekeeping tasks on SAML Enterprise Application

We now need to complete some housekeeping on the SAML application. First, let's go back to the SAML certificate and click edit:


We then need to set a valid e-mail address that will get a notification when the certificate expires as below:


Then from the application (not SAML this time) find the Owners option; this is "not set" by default, so add the owner for this configuration document with the "Add" button:


Let's choose the CBO (Chief Bear Officer):


This will then confirm that the CBO is indeed the Owner:


We now need the Properties option, and from here we need "Assignment Required", which needs to be set to "Yes" as below:

That concludes the housekeeping for this application.

Assigning Meraki Groups to SAML Roles

We now need to choose the option called "Users and Groups"; we need two groups created here. I have used:

Meraki Read Admin
Meraki Write Admin

Users will be added to these groups and not directly into this application. These groups can be cloud or local domain groups, but they need to be synced to Entra to work with SAML.


Next we need to find the application in App Registrations and choose App Roles as below; ignore the default access and click Create App Role:


Then we need to create an App Role for those groups, so first the read only admin:

Note : Ensure the value is meraki_read; this will be used in the Meraki Dashboard later.

Then we need to do the same for the writable admin, which is the "full admin" user group, as below:

Note : Ensure the value is meraki_write; this will be used in the Meraki Dashboard later.



This should then look like this in App Roles:


When you have your groups and App Roles created, back to the Meraki Dashboard we go, and now we need Organization > Administrators as below:



Then from the SAML tab we will need to add each group's name with the relevant access scope for that group:


When this is set up and your users are in the relevant groups, which will resolve to the SAML role for access, you then need to get the login URL.

How do users login to this Meraki Dashboard?

Simple: from the Enterprise application, choose Manage > Properties, and then the "User Access URL" is what they require to log in using single sign-on:


Alternatively, if you have made it visible to users, they can access it from the MyApps website; look for the Meraki logo, one click and they are in.

Advice : Break Glass Account Required (for Emergencies)

I would recommend setting up a break glass account with "Full Admin" just in case federation is not there and you need to access your Meraki Dashboard; this can be done in the Admins section of the portal.

