In my previous article here, we took a look at how to configure Duo for hosted SSO. This article will focus on how we can protect the Cisco Meraki dashboard with Duo using the hosted Duo Single Sign-On (SSO). As always, the Duo documentation is great and so I would urge you to also check out their documentation Duo SSO for Meraki Dashboard here.
The great thing about this is that you can add 2FA using Duo’s hosted SAML 2.0 Identity Provider (IdP), complete with the ability to allow for self-enrollment and the Duo Prompt. More information can be found on the documentation above.
Before proceeding with the following steps, ensure that you have configured Duo SSO to work with your authentication source.
Enable the Meraki Application in Duo
Access the Duo admin panel, navigate to Applications > Protect an Application and search for ‘Meraki’. Select the Meraki application which is SSO hosted by Duo and click ‘Protect’.
You will be asked whether you want to activate the new Universal prompt. If you’re unsure what this is and how it’s different to what is currently in place, click the link associated with ‘Universal Prompt’ for more information. In this demonstration, we will make use of the Universal prompt.
Configure Meraki for SSO
- Access the Meraki Dashboard, navigate to Organization > Configure > Settings and scroll to ‘Authentication’.
- SAML SSO is disabled by default, change this setting to ‘SAML SSO Enabled’.
- Two new fields appear: one for the X.509 cert SHA1 fingerprint of the Duo Meraki application's signing certificate, and an optional one for the SLO logout URL, both taken from the Duo admin panel. Enter those details and click ‘Save’. Once you’ve saved the configuration changes, copy the Consumer URL from the Meraki dashboard into the Duo admin panel.
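Meraki trusts the IdP purely on the SHA1 fingerprint of its signing certificate, so a mistyped or stale fingerprint is the usual reason a SAML login is rejected. The following script is an added example, not code from the original article or from Duo/Meraki: it parses standard SAML 2.0 IdP metadata XML (the format exposed under the Duo application's ‘Metadata’ section), derives the two values the Meraki ‘Authentication’ section asks for (fingerprint and SLO URL), and checks an already-configured fingerprint against the metadata. The embedded metadata, its URLs and the certificate body (base64 of the bytes `abc`, not a real certificate) are constructed placeholders; point it at the real metadata file instead.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the IdP metadata. The <ds:X509Certificate> body is a
# placeholder (base64 of b"abc"), and the URLs are invented example values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          YWJj
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint_from_der(der: bytes) -> str:
    """SHA1 of the DER-encoded certificate, colon-separated uppercase hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs(metadata_xml: str) -> List[bytes]:
    """DER bytes of every signing certificate in the IdP metadata.
    A KeyDescriptor without a 'use' attribute is valid for signing too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = re.sub(r"\s+", "", cert.text or "")
            certs.append(base64.b64decode(b64))
    return certs


def slo_url(metadata_xml: str) -> Optional[str]:
    """Location of the IdP's SingleLogoutService, if it advertises one."""
    root = ET.fromstring(metadata_xml)
    slo = root.find(".//md:IDPSSODescriptor/md:SingleLogoutService", NS)
    return slo.get("Location") if slo is not None else None


def meraki_values(metadata_xml: str) -> Dict[str, Optional[str]]:
    """The two values to paste into Meraki's Authentication section.
    Refuses to guess if the metadata lists more than one signing cert
    (e.g. during a certificate rotation)."""
    certs = signing_certs(metadata_xml)
    if len(certs) != 1:
        raise ValueError(f"expected exactly one signing certificate, found {len(certs)}")
    return {
        "x509certSha1Fingerprint": fingerprint_from_der(certs[0]),
        "sloLogoutUrl": slo_url(metadata_xml),
    }


def _normalize(fp: str) -> str:
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(configured: str, metadata_xml: str) -> bool:
    """True if the fingerprint entered in Meraki matches any signing cert in
    the metadata; case and colon separators are ignored."""
    want = _normalize(configured)
    return any(_normalize(fingerprint_from_der(c)) == want for c in signing_certs(metadata_xml))


if __name__ == "__main__":
    print(meraki_values(SAMPLE_METADATA))
    print(fingerprint_matches("a9993e364706816aba3e25717850c26c9cd0d89d", SAMPLE_METADATA))
```

Run it against the downloaded metadata whenever Duo's signing certificate is rotated: the fingerprint in Meraki has to be updated at the same time, or logins fail even though Duo itself is healthy.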
Create Roles in Meraki for SAML
- Navigate to Organization > Configure > Administrators and click ‘Add SAML role’. Here you create a new role and assign it the relevant access to the configured organisation. Configure your new role(s) as appropriate to your environment and click ‘Create role’.
- Once happy, click ‘Save changes’.
Complete and Verify Configuration & Duo Integration with Meraki
- Return to the Duo admin panel, where the application configuration section should still be open, and complete the following:
  - Role attributes: map the Meraki roles to the Duo groups. User groups may need to be configured manually if there is no AD sync configured.
  - Create a new application policy within the ‘Application policy’ section.
  - Give the application a meaningful name.
  - Decide whether you would like a self-service portal available to users.
- Once you’ve completed the configuration steps, save the configuration. It’s now time to verify everything works!
- As we’ve not configured Duo Central as part of this demonstration, we will log in using the IdP-initiated Login URL for the Meraki application. You will find this under the ‘Metadata’ section within the Meraki application in the Duo admin panel.
- Click that link and the Duo prompt should appear. Enter your AD username’s email address and press ‘Next’. If your account already has a device enrolled, you won’t be required to go through the enrollment process. You can simply enter your password and you should be logged in, provided that the configuration is correct.
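The role attribute mapping above is the second place this integration commonly breaks: the role name Duo sends must exactly match a SAML role that exists in the Meraki organisation, and a mapping that quietly hands a large Duo group full organisation access is worth catching during review. The following script is an added example, not code from the original article or from Duo/Meraki. It reads the organisation's SAML roles from the Meraki Dashboard API (`GET /organizations/{organizationId}/samlRoles`, authenticated with the `X-Cisco-Meraki-API-Key` header) and compares them with the Duo group-to-role mapping. The sample roles and mapping embedded below are constructed; only the live `fetch_saml_roles` call needs a real organisation id and API key.

```python
import json
import urllib.request
from typing import Dict, List

MERAKI_API = "https://api.meraki.com/api/v1"


def fetch_saml_roles(org_id: str, api_key: str) -> List[dict]:
    """Live call: GET /organizations/{organizationId}/samlRoles."""
    req = urllib.request.Request(
        f"{MERAKI_API}/organizations/{org_id}/samlRoles",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample of a samlRoles response (ids and names are made up).
SAMPLE_SAML_ROLES = [
    {"id": "101", "role": "meraki-org-admins", "orgAccess": "full"},
    {"id": "102", "role": "meraki-helpdesk", "orgAccess": "read-only"},
    {"id": "103", "role": "meraki-legacy", "orgAccess": "read-only"},
]

# Constructed sample of the Duo 'Role attributes' mapping: Duo group -> Meraki role.
SAMPLE_DUO_MAPPING = {
    "Meraki Admins": "meraki-org-admins",
    "Meraki Helpdesk": "Meraki-Helpdesk",   # case differs from the Meraki role
    "Meraki Auditors": "meraki-auditors",   # no such role exists in Meraki
}


def review_role_mapping(duo_mapping: Dict[str, str],
                        meraki_roles: List[dict]) -> Dict[str, List[str]]:
    """Report mapped roles that do not exist in Meraki, roles that differ only
    by case (they will not match exactly), Meraki roles nothing maps to, and
    Duo groups that end up with full organisation access."""
    by_name = {r["role"]: r for r in meraki_roles}
    by_lower = {name.lower(): name for name in by_name}
    findings: Dict[str, List[str]] = {
        "missing": [], "case_mismatch": [], "unmapped": [], "full_access": [],
    }
    for group, role in duo_mapping.items():
        if role in by_name:
            if by_name[role].get("orgAccess") == "full":
                findings["full_access"].append(group)
        elif role.lower() in by_lower:
            findings["case_mismatch"].append(
                f"{group} -> {role} (Meraki has {by_lower[role.lower()]})")
        else:
            findings["missing"].append(f"{group} -> {role}")
    mapped = set(duo_mapping.values())
    findings["unmapped"] = sorted(name for name in by_name if name not in mapped)
    return findings


if __name__ == "__main__":
    # Replace the sample with fetch_saml_roles("<org id>", "<api key>") for a live check.
    for kind, items in review_role_mapping(SAMPLE_DUO_MAPPING, SAMPLE_SAML_ROLES).items():
        print(f"{kind}: {items}")
```

A non-empty `missing` or `case_mismatch` list means members of that Duo group will be rejected at the Meraki side after a successful Duo login; `unmapped` roles are candidates for removal, and every group in `full_access` should be deliberately small.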
Lastly, you can also check the SAML login history on the Meraki Dashboard. To do so, navigate to Organization > Configure > Administrators and click ‘SAML login history’.