Meraki SAML Authentication

Meraki SAML Authentication - Home | MCNC · Objectives ! What is SAML? ! Benefits of SAML authentication ! Enabling SSO for WiFi logins ! Enabling SAML for Meraki Dashboard Authentication



Objectives

• What is SAML?
• Benefits of SAML authentication
• Enabling SSO for WiFi logins
• Enabling SAML for Meraki Dashboard Authentication


What is SAML Authentication?

• Security Assertion Markup Language
• “SAML defines a common XML framework for exchanging security assertions between entities” (oasis-open.org)
• Three roles: User, Identity Provider (IdP), Service Provider (SP)
  1. User requests access to a service from the SP
  2. SP requests verification of identity from the IdP
  3. IdP will request authentication information (username and password, token, multi-factor, etc.) from the user, if it has not already been provided
  4. Once the IdP has provided positive verification to the SP, the user is allowed access to the service.


What is SAML Authentication?

Participants: User, SP, IdP

1. User requests access to a service
2. SP requests authentication and authorization from trusted IdP
3. User provides authentication information to IdP, if not already authenticated
4. IdP authenticates user and passes user authorization (Roles) to SP
5. SP allows access to the User at the authorization level provided from the IdP


Benefits of using SAML Authentication

• Don’t have to remember multiple usernames and passwords
• Usage of “Roles” can make it easy to modify permissions, or duplicate a set of permissions for new users.
• Original authentication credentials only travel to the IdP, rather than being sent to every service you want to log in to, so there are fewer points of failure where credentials could be stolen (PKI is used between the IdP and service providers)
  • What is PKI?


Public Key Infrastructure (PKI)

• PKI “consists of software and hardware elements that a trusted third party can use to establish the integrity and ownership of a public key.” – msdn.microsoft.com
• Basically, PKI allows two entities to exchange encrypted information, and provides another level of trust that the information has not been tampered with and that the originating entity is who they say they are.


Implementing WiFi SSO

Implementing Single Sign-On capabilities for students and staff to log in to specified SSIDs on Meraki WiFi networks using Google credentials.


In the Meraki dashboard, select the appropriate wireless network you wish to add SSO functionality to. Then go to “Wireless” → “SSIDs”.

Select “edit settings” for the SSID you want to modify


In the “Splash page” section, choose the “Sign-on with” option and then select “3rd party credentials” from the drop-down. Click in the “Accepted credentials” box and choose Google from the choices (Google is the only choice at the time of writing of this document). Then, in the “Allowed domains” box, type your Google domain to be allowed. Only one domain per SSID is currently supported. This will allow anyone with an e-mail address on that domain access to that SSID, whether they are a student or teacher.


Also in this same screen, if you scroll down, you can choose to allow only one device to be logged in per username at a time.


Save the changes. Users will now be presented with a Google login splash screen upon connecting to the SSID. You can customize the splash page by going to “Wireless” → “Splash page” in the Meraki dashboard and modifying the settings found there.


Implementing SAML in Meraki

Implementing SAML capability with the Meraki Dashboard so that administrators can use Google authentication to log in to the Meraki administrator dashboard.


First, we want to set up our user accounts to be able to utilize SSO. So in the Google Admin console, select “Users”.


In the top right is a series of four options. If you hover over the first one, it should say “Manage user attributes”. Select this one.


Select “Add custom category” at the bottom of the window.


Select a category name and, optionally, a description for this attribute. Then choose a name for the attribute itself. Leave the rest of the values as is and select “add”. We’ll add this attribute to specific users later in the process.


Now we need to get the certificate fingerprint. Expand the main menu pane and select “Security”.


Expand the “Set up single sign-on (SSO)” tab


Under the “Setup SSO with Google identity provider” heading, under “Option 1”, click the button to download the certificate.


Next, we need to find the fingerprint of the certificate we just downloaded. This can be done either by importing it into your browser and then viewing the certificate, or by using a SHA1 calculator to find the fingerprint. One such tool can be found here, https://www.samltool.com/fingerprint.php. Simply open the certificate in notepad and copy and paste the text into the X.509 box on the website. Ensure SHA1 is chosen for the algorithm and select “Calculate Fingerprint”. Note the resulting fingerprint for later use.
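The fingerprint can also be computed locally, so the certificate never has to be pasted into a third-party website. The script below is an added example, not part of the original slides; `cert_fingerprint` and `SAMPLE_PEM` are illustrative names, and the sample body is constructed bytes rather than a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem_text, algorithm="sha1"):
    """Return the colon-separated hex fingerprint of the one certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        # A bundle or an empty paste would silently give the wrong fingerprint.
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # The fingerprint is a hash of the DER bytes, not of the PEM text, so
    # line endings or spaces added by an editor must not change the result.
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-in: the body is base64 of the bytes b"abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\r\nYWJj\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    import sys
    # Pass the path of the downloaded certificate; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(cert_fingerprint(text))
```

Run it with the path of the downloaded certificate as the only argument and compare the output with the value shown by your browser's certificate viewer.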


Now go into your Meraki dashboard and go to “Organization” → “Settings”.


Scroll down to the “SAML Configuration” heading and change the dropdown box to “SAML SSO enabled”.

Enter the SHA1 fingerprint we found earlier into the corresponding text box and then save the changes. After saving, the “Consumer URL” will have a value. Note this value for later use.


Go back to the Google Admin Console and choose “Apps”, and then “SAML apps”


On the bottom right of the screen, select the circle with a plus to add an app. In the window that pops up, select “Setup my own custom app”


The next screen has the same IdP info we’ve already looked at, so click “Next”.

Name the App however you like and choose a description and logo for it and click “Next” (Description and Logo are optional)


The ACS URL will be the Consumer URL we copied from Meraki earlier. Enter https://dashboard.meraki.com for the “Entity ID” and click “Next”


Select “Add new mapping”. Enter “Role” for the Application attribute, and then select the appropriate category and field that you created earlier. Then select “Finish”


Ensure the new app is turned on, either for everyone or for certain organizations, however you prefer. Google warns that changing this setting could take up to 24 hours to propagate to all users. So if it doesn’t work immediately, that may be why.


Now we need to create the authorized SAML roles in Meraki, so go to the Meraki dashboard and go to “Organization” → “Administrators”.


There should now be a section labeled “SAML administrator roles”. On the far right of this, select “Add SAML role”


Name the role however you like, and take note of it, as you will use it when adding attributes to Google users. Set the appropriate Organization access level and any other privileges they require.

Detailed information regarding managing dashboard permissions can be found here: https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Managing_Dashboard_Administrators_and_Permissions


Continue to create whatever roles and privilege levels you require, noting the role names you give to each. Go back to your Google Admin console, and go to “Users”. Click the name of the first user you’d like to give Meraki Dashboard access to.


Expand the “Account” option


Select “Edit” under the “Manage user attributes” label. This will cycle through all attributes available to the user. Click “Next” until you come to the Meraki attribute you created earlier. Fill in the value with the name of the SAML role you created in the Meraki Dashboard and then click “Update User”

Continue selecting other users and adding the appropriate attributes for each one you wish to give Meraki Dashboard access.


Users should now be able to select the SAML App you created from their Google Apps and be signed into the Meraki Dashboard.
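If sign-in fails, one way to confirm that the ACS URL, Entity ID and “Role” mapping configured in the steps above actually appear in what the IdP sends is to decode a SAMLResponse captured from your own browser session and compare the fields. This is an added example, not part of the original slides: the consumer URL is a placeholder, the role names and helper names are hypothetical, and the sample response is constructed and unsigned.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://dashboard.meraki.com"            # Entity ID given on the page
CONSUMER_URL = "https://sp.example.invalid/CONSUMER-URL-PLACEHOLDER"  # placeholder

def check_response(b64_response, consumer_url, entity_id, meraki_roles):
    """List mismatches between a SAMLResponse and the SP-side settings.
    Debugging aid for your own captured response; it does not verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != consumer_url:
        problems.append("Destination differs from the Consumer URL (ACS URL)")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not contain the Entity ID")
    roles = [v.text for v in root.iterfind(
        ".//saml:Attribute[@Name='Role']/saml:AttributeValue", NS)]
    if not roles:
        problems.append("no Role attribute: mapping missing or user attribute empty")
    for role in roles:
        if role not in meraki_roles:   # exact, case-sensitive match is an assumption
            problems.append(f"Role {role!r} is not a configured SAML administrator role")
    return problems

def sample_response(role):
    """Constructed, unsigned SAML 2.0 response carrying one Role value."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
        Destination="{CONSUMER_URL}">
      <saml:Assertion>
        <saml:Conditions><saml:AudienceRestriction>
          <saml:Audience>{ENTITY_ID}</saml:Audience>
        </saml:AudienceRestriction></saml:Conditions>
        <saml:AttributeStatement><saml:Attribute Name="Role">
          <saml:AttributeValue>{role}</saml:AttributeValue>
        </saml:Attribute></saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for p in check_response(sample_response("helpdesk"), CONSUMER_URL,
                            ENTITY_ID, {"network-admin"}):
        print("PROBLEM:", p)
```

An empty result means the three values line up; the most common finding is a Role value in the Google user attribute that does not match any name under “SAML administrator roles”.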