View Categories

Self-Provisioning with SAML Single Sign-On (SSO)

Overview #

The BYOD SAML Authentication Module enables seamless and secure user authentication via a captive portal integrated with a SAML identity provider (IdP). Users can sign in using their existing Microsoft 365/Azure AD, Google Workspace, Okta, or other SAML-based credentials, eliminating the need for separate WiFi passwords. This is an ideal solution for BYOD environments, allowing organizations to streamline user authentication while maintaining security and access control.

1. User Login Process #
  1. The user selects the Guest WiFi network.
  2. They are redirected to the Captive Portal, where they choose the SAML Authentication option.
  3. Before proceeding, the user must accept the Terms and Conditions and acknowledge the Privacy Policy.
  4. The user is redirected to their organizationโ€™s SAML Identity Provider (IdP) (e.g., Microsoft 365, Google Workspace, Okta) to complete authentication.
  5. The authentication process is handled entirely by the IdP, and no user credentials are proxied or stored within the captive portal solution.
  6. Upon successful authentication, the SAML response signals to the captive portal that the login was successful.
  7. The user is granted network access and redirected to a predefined URL, such as an intranet or corporate portal.
#
2. Configuration & Customization #

Administrators can configure the SAML-based login module through the Admin Portal with the following options:

๐Ÿ”น Viewing & Managing SAML Logins #

๐Ÿ“Œ Sign In Administration โ†’ Sign In Modules โ†’ SAML Logins

  • View user login history, including timestamps, authenticated users, and active devices.
  • Revoke or manage active sessions based on policy settings.

 

๐Ÿ”น Configuring Captive Portal Text & UI for SAML Authentication #

๐Ÿ“Œ Sign In Administration โ†’ Login Portal โ†’ Portal Configurations โ†’ SAML Access Settings

  • Customize the login page text, including instructions and branding.
  • Modify redirect URLs post-authentication.

 

๐Ÿ”น Configuring Terms and Conditions & Privacy Policy Acceptance #

๐Ÿ“Œ Organization โ†’ Compliance โ†’ Terms and Conditions & Privacy Policy

  • Define and update Terms and Conditions and Privacy Policy that users must accept before authentication.
  • Ensure compliance with regulatory and corporate policies by enforcing acceptance before granting access.

 

๐Ÿ”น Setting Up SAML Integration with an Identity Provider (IdP) #

๐Ÿ“Œ Organization โ†’ Accounts โ†’ Federation Configuration

  • Connect the captive portal to an external SAML IdP (e.g., Microsoft 365, Google Workspace, Okta).
  • Configure authentication endpoints, certificates, and metadata exchange.
  • Define domain-based access policies and role-based authentication rules.

 

๐Ÿ”น Configuring Access Policies #

๐Ÿ“Œ Sign In Administration โ†’ Access Policies

  • Define session duration, device quotas, and redirect settings based on the authenticated user’s domain.
  • Example: If a user logs in with john.doe@domain.com, the system matches @domain.com against an Access Policy to determine:
    • Allowed session duration
    • Device quota limits
    • Redirect URL after authentication

 

3. Security & Compliance Considerations #
  • Centralized Authentication โ€“ All authentication requests are processed via the organizationโ€™s Identity Provider (IdP), ensuring consistency and security.
  • No Credentials Stored or Proxied โ€“ Authentication occurs directly with Microsoft, Google, Okta, or another IdP, ensuring that no usernames or passwords pass through or are stored in the captive portal solution.
  • User Consent Requirement โ€“ Users must explicitly accept the Terms and Conditions and acknowledge the Privacy Policy before authentication can proceed.
  • Reduced Attack Surface โ€“ Eliminates the need for local WiFi passwords, reducing the risk of compromised credentials.
  • Automated Session Control โ€“ If a user reaches their device quota, the system automatically disconnects the device that was last seen online and allows the new device to connect immediately.
  • Logging & Auditing โ€“ Detailed logs of logins, session durations, and device activity are available for compliance tracking.

 

Benefits of BYOD SAML Authentication #

โœ” Single Sign-On (SSO) Convenience โ€“ Users authenticate with existing credentials, reducing password fatigue.
โœ” Improved Security โ€“ Authentication is handled through a trusted Identity Provider (IdP).
โœ” Seamless User Experience โ€“ Instant access to WiFi without additional setup steps.
โœ” Scalability Across Multiple Locations โ€“ Works consistently across offices, campuses, and remote environments.
โœ” Self-Service Flexibility โ€“ Users can manage their own connected devices via the Self-Service Portal.

Netgraph
Powered by  GDPR Cookie Compliance
Cookie Overview

What are cookies?

Cookies are small text files consisting of letters and numbers. These are sent from Netgraph Sverige AB or our partners' web servers and stored on your device (for example, computer or mobile). They can be stored in two different ways.

Session cookies are temporary cookies that disappear when you close your browser or app.
Persistent cookies are cookies that remain on your computer until you delete them or until they expire.

Different types of cookies

Both our website and others, such as Facebook or Google, may place cookies on your computer when you visit this website. Cookies from the website you are visiting are called first-party cookies and cookies from other websites are called third-party cookies.

Other files, similar to cookies, are web beacons and similar technologies. Web beacons are small transparent graphic images that may be contained in emails we send to you.

Why do we use cookies?

We use cookies to make your visit to our website as enjoyable as possible, and to improve it even more. However, we do not store IP numbers or similar personal data about you.

Functionality cookies improve your experience

We store cookies about the pages you have visited to make your experience on our website as smooth as possible. For example, we can prevent you from seeing a pop-up window more than once.

Analytics cookies help us to make our website better

We use cookies to collect aggregate analytical information about how you use the site, such as statistics on our most popular pages. With the information we get, we can improve our web and our offers.

Deleting cookies

Your browser or device usually allows you to set which cookies can be stored on your computer. For example, you can choose to block all cookies, only accept cookies from the website you are visiting or delete all cookies when you close your browser. Look under Settings.

Questions?

Do you have any questions about how we use cookies? You can always reach Netgraph Sverige AB's data protection officer at info@netgraph.se

This information was updated on August 26, 2024.